From e0da446e76f0000fcccb13810e90d34468ab2df4 Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy <axilirator@gmail.com>
Date: Mon, 17 Jun 2019 21:51:12 +0700
Subject: libmsc/gsm_09_11.c: fix broken reference counting for vsub

In gsm0911_gsup_rx() we do call vlr_subscr_find_by_imsi(), which
increases subscriber's reference count by one using the function
name as the token. However, we never release this token, so the
reference count grows on every received GSUP PROC-SS message.

Change-Id: I5540556b1c75f6873883e46b78656f31fc1ef186
---
 src/libmsc/gsm_09_11.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/libmsc/gsm_09_11.c b/src/libmsc/gsm_09_11.c
index cd5470331..c7b21552e 100644
--- a/src/libmsc/gsm_09_11.c
+++ b/src/libmsc/gsm_09_11.c
@@ -424,8 +424,9 @@ int gsm0911_gsup_rx(struct gsup_client_mux *gcm, void *data, const struct osmo_g
 	struct msgb *ss_msg;
 	bool trans_end;
 	struct msc_a *msc_a;
-	struct vlr_subscr *vsub = vlr_subscr_find_by_imsi(net->vlr, gsup_msg->imsi, __func__);
+	struct vlr_subscr *vsub;
 
+	vsub = vlr_subscr_find_by_imsi(net->vlr, gsup_msg->imsi, __func__);
 	if (!vsub) {
 		LOGP(DSS, LOGL_ERROR, "Rx %s for unknown subscriber, rejecting\n",
 		     osmo_gsup_message_type_name(gsup_msg->message_type));
@@ -445,6 +446,9 @@ int gsm0911_gsup_rx(struct gsup_client_mux *gcm, void *data, const struct osmo_g
 		     osmo_gsup_message_type_name(gsup_msg->message_type),
 		     gsup_msg->cause, gsup_msg->session_id);
 
+		/* We don't need subscriber info anymore */
+		vlr_subscr_put(vsub, __func__);
+
 		if (!trans) {
 			LOGP(DSS, LOGL_ERROR, "No transaction found for "
 			     "sid=0x%x, nothing to abort\n", gsup_msg->session_id);
@@ -477,14 +481,20 @@ int gsm0911_gsup_rx(struct gsup_client_mux *gcm, void *data, const struct osmo_g
 					      "SS/USSD transaction, rejecting %s\n",
 					      osmo_gsup_message_type_name(gsup_msg->message_type));
 			gsup_client_mux_tx_error_reply(gcm, gsup_msg, GMM_CAUSE_NET_FAIL);
+			vlr_subscr_put(vsub, __func__);
 			return -EINVAL;
 		}
 
 		/* Wait for Paging Response */
-		if (trans->paging_request)
+		if (trans->paging_request) {
+			vlr_subscr_put(vsub, __func__);
 			return 0;
+		}
 	}
 
+	/* We don't need subscriber info anymore */
+	vlr_subscr_put(vsub, __func__);
+
 	/* (Re)schedule the inactivity timer */
 	if (net->ncss_guard_timeout > 0) {
 		osmo_timer_schedule(&trans->ss.timer_guard,
-- 
cgit v1.2.3