diff options
| author | Neels Hofmeyr <neels@hofmeyr.de> | 2018-12-21 01:35:21 +0100 |
|---|---|---|
| committer | Neels Hofmeyr <nhofmeyr@sysmocom.de> | 2019-01-03 00:34:53 +0000 |
| commit | 3350bf9f78253eb9f647c8377b6446a4fc7b26e8 (patch) | |
| tree | 61a30a07793f9e3e4b8ea1bb2d667f5357490f0b /src | |
| parent | c43b966d32da71aab2e51425256ed00333169314 (diff) | |
release RTP stream only for matching CC transaction
Do not break the currently ongoing call when rejecting a second incoming
caller.
There may be multiple (up to seven) simultaneous CC transactions, and there is
one mgcp_ctx for the currently active RTP stream.
Release the MGCP context only when the active CC transaction is releasing.
Before this patch, any CC transaction release would destroy the single MGCP
context, possibly breaking the currently ongoing call (another CC trans).
This also fixes a possible use-after-free if there were pending MGCP message
responses for the MGCP context; they are canceled properly for a released
transaction, but since one transaction would free the other transaction's MGCP
state, the clean up did not take place and possibly caused an mgcp client
response handling to access a freed mgcp_ctx.
Related: OS#3735
Change-Id: I1f8746e7babfcd3028a4d2c0ba260c608c686c76
Diffstat (limited to 'src')
| -rw-r--r-- | src/libmsc/msc_mgcp.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c index 6170c108c..23e68e7b4 100644 --- a/src/libmsc/msc_mgcp.c +++ b/src/libmsc/msc_mgcp.c @@ -1164,6 +1164,12 @@ int msc_mgcp_call_release(struct gsm_trans *trans) return -EINVAL; } + if (mgcp_ctx->trans != trans) { + LOGP(DMGCP, LOGL_DEBUG, "(ti %02x %s) call release for background CC transaction\n", + trans->transaction_id, vlr_subscr_name(trans->vsub)); + return 0; + } + LOGP(DMGCP, LOGL_DEBUG, "(ti %02x %s) Call release: tearing down MGW endpoint\n", trans->transaction_id, vlr_subscr_name(trans->vsub)); |