diff options
| author | Philipp Maier <pmaier@sysmocom.de> | 2022-08-01 17:24:18 +0200 |
|---|---|---|
| committer | Philipp Maier <pmaier@sysmocom.de> | 2022-08-01 17:36:13 +0200 |
| commit | b46c62a8b737fe99e62f4b0e547743a5eb81abc2 (patch) | |
| tree | 985699dbb29efbe6cb4bd4bb579986e1bf155406 /src | |
| parent | 960b936b31411c0d192ba4c696f549ca09ec1fbf (diff) | |
bsc_subscr_conn_fsm: fix use after free
In cases where the MGCP client endpoint FSM is terminating early the bsc
sbscr conn FSM receives the signal GSCON_EV_FORGET_MGW_ENDPOINT, which
then calls gscon_forget_mgw_endpoint(). However, this only nulls the
conn->user_plane->mgw_endpoint_ci_msc struct pointer, not the others.
This causes the assignment FSM to access
conn->assignment.created_ci_for_msc whle trying to initiate a DLCX. We
must make sure that when the MGCP client endpoint FSM dies, that all
other CI pointers that reference the same CI are also set to NULL.
Change-Id: Ia857e3af6c17282b7e8178b6d249eb0f99ed98e3
Related: OS#5572
Diffstat (limited to 'src')
| -rw-r--r-- | src/osmo-bsc/bsc_subscr_conn_fsm.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/osmo-bsc/bsc_subscr_conn_fsm.c b/src/osmo-bsc/bsc_subscr_conn_fsm.c index 9af28c787..7c0c7c3a4 100644 --- a/src/osmo-bsc/bsc_subscr_conn_fsm.c +++ b/src/osmo-bsc/bsc_subscr_conn_fsm.c @@ -940,6 +940,10 @@ static void gscon_forget_mgw_endpoint(struct gsm_subscriber_connection *conn) mgcp_client = osmo_mgcpc_ep_client(conn->user_plane.mgw_endpoint); mgcp_client_pool_put(mgcp_client); + /* Be sure that the endpoint CI we are maintaining in user_plane + * is also removed from the other locations as well. */ + gscon_forget_mgw_endpoint_ci(conn, conn->user_plane.mgw_endpoint_ci_msc); + conn->user_plane.mgw_endpoint = NULL; conn->user_plane.mgw_endpoint_ci_msc = NULL; conn->ho.created_ci_for_msc = NULL; |