From 1db394f22b3184607d8c8392b2bdf7b0279fbeec Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Fri, 9 Mar 2018 17:04:53 +0100
Subject: fix: clear vlr_subscr->msc_conn_ref when the conn is discarded

Before this, it was for example possible to crash the MSC by the vty 'show subscriber' command, which would dereference a potentially stale vsub->msc_conn_ref pointer.

Related: OS#3050
Change-Id: Ia4105d9f135ba3216ad3c86157be7658b1d568fb
---
 src/libmsc/osmo_msc.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/libmsc/osmo_msc.c')

diff --git a/src/libmsc/osmo_msc.c b/src/libmsc/osmo_msc.c
index 1478c191e..f6df0d201 100644
--- a/src/libmsc/osmo_msc.c
+++ b/src/libmsc/osmo_msc.c
@@ -228,6 +228,7 @@ void msc_subscr_con_cleanup(struct gsm_subscriber_connection *conn)
 DEBUGP(DRLL, "subscr %s: Freeing subscriber connection\n",
 vlr_subscr_name(conn->vsub));
 msc_subscr_cleanup(conn->vsub);
+ conn->vsub->msc_conn_ref = NULL;
 vlr_subscr_put(conn->vsub);
 conn->vsub = NULL;
 } else
-- 
cgit v1.2.3
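Review bot: The added `conn->vsub->msc_conn_ref = NULL;` clears the subscriber's back-pointer unconditionally, without checking that it actually refers to the `conn` being torn down. If a subscriber can ever be attached to a newer connection while an older one is still being cleaned up (not visible in this hunk, so to be confirmed), this would drop the reference to the live connection; `if (conn->vsub->msc_conn_ref == conn) conn->vsub->msc_conn_ref = NULL;` would limit the clear to the stale case. The placement before `vlr_subscr_put(conn->vsub)` looks deliberate and deserves a comment such as `/* clear the back-pointer while we still hold our vsub reference; the conn is about to be discarded */`. Since the field can now be NULL for a subscriber that is still listed, every reader of `msc_conn_ref` (the vty 'show subscriber' path named in the commit message, and any others) should be checked for a NULL test. The body of msc_subscr_con_cleanup starts and ends outside the hunk.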