author: Philipp Maier <pmaier@sysmocom.de> 2022-08-01 17:24:18 +0200
committer: Philipp Maier <pmaier@sysmocom.de> 2022-08-01 17:24:18 +0200
commit: 890cab2e5b46c540673b5221c811b6ebfdcbcfd5 (patch)
parent: 960b936b31411c0d192ba4c696f549ca09ec1fbf (diff)

bsc_subscr_conn_fsm: fix use after free (branch: pmaier/ci)
In cases where the MGCP client endpoint FSM is terminating early, the bsc subscr conn FSM receives the signal GSCON_EV_FORGET_MGW_ENDPOINT, which then calls gscon_forget_mgw_endpoint(). However, this only nulls the conn->user_plane->mgw_endpoint_ci_msc struct pointer, not the others. This causes the assignment FSM to access conn->assignment.created_ci_for_msc while trying to initiate a DLCX. We must make sure that when the MGCP client endpoint FSM dies, all other CI pointers that reference the same CI are also set to NULL.

Related: OS#5572
1 files changed, 4 insertions, 0 deletions
diff --git a/src/osmo-bsc/bsc_subscr_conn_fsm.c b/src/osmo-bsc/bsc_subscr_conn_fsm.c
index 9af28c787..7c0c7c3a4 100644
--- a/src/osmo-bsc/bsc_subscr_conn_fsm.c
+++ b/src/osmo-bsc/bsc_subscr_conn_fsm.c
@@ -940,6 +940,10 @@ static void gscon_forget_mgw_endpoint(struct gsm_subscriber_connection *conn)
mgcp_client = osmo_mgcpc_ep_client(conn->user_plane.mgw_endpoint);
+ /* Be sure that the endpoint CI we are maintaining in user_plane
+ * is also removed from the other locations as well. */
+ gscon_forget_mgw_endpoint_ci(conn, conn->user_plane.mgw_endpoint_ci_msc);
conn->user_plane.mgw_endpoint = NULL;
conn->user_plane.mgw_endpoint_ci_msc = NULL;
conn->ho.created_ci_for_msc = NULL;
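Review bot: gscon_forget_mgw_endpoint_ci() is passed `conn->user_plane.mgw_endpoint_ci_msc`, which can already be NULL by the time this function runs (this is the same function that clears it), so the helper must tolerate a NULL ci argument; the hunk does not show whether it does, and a NULL guard either here or inside the helper would make that explicit. The commit message names `conn->assignment.created_ci_for_msc` as the dangling pointer, but the visible context only nulls `conn->ho.created_ci_for_msc`, so it is worth confirming that the helper actually covers the assignment struct. If the helper already clears the user_plane and ho pointers, the two explicit `= NULL` assignments that follow the new call become redundant and could be dropped to keep a single place responsible for forgetting a CI.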