fix rare segfault in MGCP client handling
Add missing conn->assignment.created_ci_for_msc to gscon_forget_mgw_endpoint_ci(). Before this patch, when assignment.created_ci_for_msc lingers after a DLCX, it can cause a use-after-free on assignment_reset(). Possible scenario is rx BSSMAP Clear Cmd during ongoing Assignment. In assignment_reset(), locally cache the ci pointer, because gscon_forget_mgw_endpoint_ci() now NULLs created_ci_for_msc. Related: OS#5572 Change-Id: If89610020f47fd6517081dd11b83911b043bd0f1
parent
58ac749424
commit
aae8c2513d
@ -128,10 +128,13 @@ void assignment_reset(struct gsm_subscriber_connection *conn)
|
|||
}
|
||||
|
||||
if (conn->assignment.created_ci_for_msc) {
|
||||
gscon_forget_mgw_endpoint_ci(conn, conn->assignment.created_ci_for_msc);
|
||||
/* Store ci pointer locally, because gscon_forget_mgw_endpoint_ci() NULLs
|
||||
* conn->assignment.created_ci_for_msc. */
|
||||
struct osmo_mgcpc_ep_ci *ci = conn->assignment.created_ci_for_msc;
|
||||
gscon_forget_mgw_endpoint_ci(conn, ci);
|
||||
/* If this is the last endpoint released, the mgw_endpoint_fsm will terminate and tell
|
||||
* the gscon about it. */
|
||||
osmo_mgcpc_ep_ci_dlcx(conn->assignment.created_ci_for_msc);
|
||||
osmo_mgcpc_ep_ci_dlcx(ci);
|
||||
}
|
||||
|
||||
conn->assignment = (struct assignment_fsm_data){
|
||||
|
|
|
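Review bot: The use-after-free stays fixed only while gscon_forget_mgw_endpoint_ci() runs before osmo_mgcpc_ep_ci_dlcx() in the new `if (conn->assignment.created_ci_for_msc)` block, because the adjacent comment says the DLCX may terminate the endpoint FSM and call back into the gscon, which must then already see created_ci_for_msc cleared; the hunk gets the order right but nothing marks it as load-bearing, so I would extend the new comment: `/* Forget the ci before the DLCX: the release may terminate the endpoint FSM and call back into the gscon, which must not find a stale created_ci_for_msc. */`. The fix also assumes every path that releases this ci goes through gscon_forget_mgw_endpoint_ci(); any other DLCX path that drops the ci without calling it would leave the same dangling pointer, which cannot be verified from this hunk. assignment_reset() continues outside the hunk.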
@ -955,6 +955,9 @@ void gscon_forget_mgw_endpoint_ci(struct gsm_subscriber_connection *conn, struct
|
|||
|
||||
if (conn->user_plane.mgw_endpoint_ci_msc == ci)
|
||||
conn->user_plane.mgw_endpoint_ci_msc = NULL;
|
||||
|
||||
if (conn->assignment.created_ci_for_msc == ci)
|
||||
conn->assignment.created_ci_for_msc = NULL;
|
||||
}
|
||||
|
||||
static void gscon_fsm_allstate(struct osmo_fsm_inst *fi, uint32_t event, void *data)
|
||||
|
|
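Review bot: The added `if (conn->assignment.created_ci_for_msc == ci)` block changes the contract of gscon_forget_mgw_endpoint_ci(): it now invalidates a pointer held in conn->assignment as well as conn->user_plane, yet the function's header comment (outside the hunk) is not updated and the new behaviour is only discoverable from the call site in assignment_reset(), which has to cache ci to survive the call. I would document it on the declaration: `/* Drop every reference conn holds to ci (user_plane and assignment); callers that still need ci must keep their own copy before calling. */`. If other per-procedure state in conn holds a similar pointer to the same ci, it would need the same treatment, but that is not visible from this hunk. The function starts before the hunk; the trailing gscon_fsm_allstate() signature is context only.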