diff options
author | Holger Hans Peter Freyther <zecke@selfish.org> | 2011-01-27 15:05:45 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2011-01-27 15:05:45 +0100 |
commit | a61c709ef0dbce982059b725eb4e613409dd22f7 (patch) | |
tree | 71dbee59d32ba29a7b3b5f6564c12243db9bd439 /openbsc/src | |
parent | 6e94d6d10d94c9d68d9e31251376f78ce8782ca1 (diff) |
mncc: Fix a crash in the call release code
When the remote subscriber has not responded yet we could
end up with a crash in the MNCC code. It was enough to dial
the number, then hang up and bsc_hack would end up with a
segfault due the list poisining of linux_list.
Diffstat (limited to 'openbsc/src')
-rw-r--r-- | openbsc/src/mncc_builtin.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/openbsc/src/mncc_builtin.c b/openbsc/src/mncc_builtin.c index 640a286bc..0226b2748 100644 --- a/openbsc/src/mncc_builtin.c +++ b/openbsc/src/mncc_builtin.c @@ -238,12 +238,18 @@ static int mncc_rel_ind(struct gsm_call *call, int msg_type, struct gsm_mncc *re free_call(call); return 0; } + rel->callref = remote->callref; DEBUGP(DMNCC, "(call %x) Releasing remote with cause %d\n", call->callref, rel->cause.value); - mncc_tx_to_cc(remote->net, MNCC_REL_REQ, rel); + /* + * Release this side of the call right now. Otherwise we end up + * in this method for the other call and will also try to release + * it and then we will end up with a double free and a crash + */ free_call(call); + mncc_tx_to_cc(remote->net, MNCC_REL_REQ, rel); return 0; } |