cellular-infrastructure
/
osmo-bsc
mirror of https://gerrit.osmocom.org/osmo-bsc
9
0
Fork 0
Code Issues Releases Wiki Activity

bsc_subscr_conn_fsm: fix use after free 

In cases where the MGCP client endpoint FSM is terminating early the bsc
sbscr conn FSM receives the signal GSCON_EV_FORGET_MGW_ENDPOINT, which
then calls gscon_forget_mgw_endpoint(). However, this only nulls the
conn->user_plane->mgw_endpoint_ci_msc struct pointer, not the others.
This causes the assignment FSM to access
conn->assignment.created_ci_for_msc whle trying to initiate a DLCX. We
must make sure that when the MGCP client endpoint FSM dies, that all
other CI pointers that reference the same CI are also set to NULL.

Change-Id: Ia857e3af6c17282b7e8178b6d249eb0f99ed98e3
Related: OS#5572
This commit is contained in:
Philipp Maier 2022-08-01 17:24:18 +02:00
parent 960b936b31
commit b46c62a8b7
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/osmo-bsc/bsc_subscr_conn_fsm.c
View File

@ -940,6 +940,10 @@ static void gscon_forget_mgw_endpoint(struct gsm_subscriber_connection *conn)
mgcp_client = osmo_mgcpc_ep_client(conn->user_plane.mgw_endpoint);
mgcp_client_pool_put(mgcp_client);
/* Be sure that the endpoint CI we are maintaining in user_plane
* is also removed from the other locations as well. */
gscon_forget_mgw_endpoint_ci(conn, conn->user_plane.mgw_endpoint_ci_msc);
conn->user_plane.mgw_endpoint = NULL;
conn->user_plane.mgw_endpoint_ci_msc = NULL;
conn->ho.created_ci_for_msc = NULL;