author | Philipp Maier <pmaier@sysmocom.de> | 2018-03-16 18:01:21 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2018-03-16 18:51:27 +0000 |
commit | 04d6ddb299130f521574ce796beedc978acba50f (patch) | |
tree | 5055a2bbdec741d83f5a35a6667f5ee9dd33e859 /src | |
parent | eb1cfdb263d25debf7da685d4afad757f69dc8b2 (diff) |
msc_mgcp: to not access higher layers after release
The higher layers (gsm_04_08.c) are informed when errors occur. But it
is not checked if the call was already released. If an error occurs
after the call control stack calls msc_mgcp_call_release() then
the higher layers might already have cleaned up and the code
accesses memory that is already freed (trans).
- fix use after free by guarding the call to mncc_tx_to_cc()
Change-Id: I78f1b6a9149488a4ad3f120c1e190a83c07d4b89
Related OS#2881
Related OS#2882
Diffstat (limited to 'src')
-rw-r--r-- | src/libmsc/msc_mgcp.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c index 8e874d8ca..5c615a952 100644 --- a/src/libmsc/msc_mgcp.c +++ b/src/libmsc/msc_mgcp.c @@ -197,10 +197,15 @@ static void _handle_error(struct mgcp_ctx *mgcp_ctx, enum msc_mgcp_cause_code ca osmo_fsm_inst_dispatch(fi, EV_TEARDOWN_ERROR, mgcp_ctx); } - /* Request the higher layers to release the call */ - mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET, - GSM48_CC_CAUSE_RESOURCE_UNAVAIL); - mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc); + /* Request the higher layers (gsm_04_08.c) to release the call. If the + * problem occured after msc_mgcp_call_release() was calls, remain + * silent because we already got informed and the higher layers might + * already freed their context information (trans). */ + if (!mgcp_ctx->free_ctx) { + mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET, + GSM48_CC_CAUSE_RESOURCE_UNAVAIL); + mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc); + } } /* Timer callback to shut down in case of connectivity problems */ |
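Review bot: The new `if (!mgcp_ctx->free_ctx)` guard at the end of _handle_error() reads mgcp_ctx after `osmo_fsm_inst_dispatch(fi, EV_TEARDOWN_ERROR, mgcp_ctx)` has already run in the block just above it, so please confirm that handling that event can never free mgcp_ctx itself; otherwise the guard reads freed memory in turn. The hunk does not show where free_ctx is set, and the fix only holds if msc_mgcp_call_release() sets it before the higher layers can free trans, so that ordering deserves a comment where the field is defined. Inside the guard, `mgcp_ctx->trans->net` is still dereferenced with no check on trans; clearing mgcp_ctx->trans in the release path and testing it here would tie the check to the pointer that is actually at risk instead of inferring its validity from a separate flag. A debug log line in the suppressed case would make it visible during troubleshooting that MNCC_REL_REQ was intentionally not sent. Typos in the new comment: "occured" should be "occurred", "was calls" should be "was called", and "might already freed" should be "might have already freed".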