mncc: Fix a crash in the call release code

When the remote subscriber has not responded yet we could end up with a crash in the MNCC code. It was enough to dial the number, then hang up and bsc_hack would end up with a segfault due the list poisining of linux_list.
author: Holger Hans Peter Freyther <zecke@selfish.org> 2011-01-27 15:05:45 +0100
committer: Holger Hans Peter Freyther <zecke@selfish.org> 2011-01-27 15:05:45 +0100
commit: a61c709ef0dbce982059b725eb4e613409dd22f7 (patch)
tree: 71dbee59d32ba29a7b3b5f6564c12243db9bd439 /openbsc/src
parent: 6e94d6d10d94c9d68d9e31251376f78ce8782ca1 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/openbsc/src/mncc_builtin.c b/openbsc/src/mncc_builtin.c
index 640a286bc..0226b2748 100644
--- a/openbsc/src/mncc_builtin.c
+++ b/openbsc/src/mncc_builtin.c
@@ -238,12 +238,18 @@ static int mncc_rel_ind(struct gsm_call *call, int msg_type, struct gsm_mncc *re
 		free_call(call);
 		return 0;
 	}
+
 	rel->callref = remote->callref;
 	DEBUGP(DMNCC, "(call %x) Releasing remote with cause %d\n",
 		call->callref, rel->cause.value);
-	mncc_tx_to_cc(remote->net, MNCC_REL_REQ, rel);
 
+	/*
+	 * Release this side of the call right now. Otherwise we end up
+	 * in this method for the other call and will also try to release
+	 * it and then we will end up with a double free and a crash
+	 */
 	free_call(call);
+	mncc_tx_to_cc(remote->net, MNCC_REL_REQ, rel);
 
 	return 0;
 }
author	Holger Hans Peter Freyther <zecke@selfish.org>	2011-01-27 15:05:45 +0100
committer	Holger Hans Peter Freyther <zecke@selfish.org>	2011-01-27 15:05:45 +0100
commit	a61c709ef0dbce982059b725eb4e613409dd22f7 (patch)
tree	71dbee59d32ba29a7b3b5f6564c12243db9bd439 /openbsc/src
parent	6e94d6d10d94c9d68d9e31251376f78ce8782ca1 (diff)