hnbgw: remove close_cb() to fix a crash when releasing a hnbgw

The read callback should catch all errors already.
Previously, when a read failed, the following call chain ran:

* hnb_context_release() -> osmo_stream_srv_destroy() -> hnb_context_release()
On the second hnb_context_release() the hnbgw would crash because
llist_del() is called twice on the same object.

Fixes: OS#3416
Change-Id: Ic84b2184b7fc850c0de2acacf179e86771e17510
Alexander Couzens 2018-07-24 19:04:47 +02:00
parent 7a97fcafed
commit ad4ea3b10e
3 changed files with 8 additions and 19 deletions


@ -161,7 +161,7 @@ struct ue_context *ue_context_alloc(struct hnb_context *hnb, const char *imsi,
void ue_context_free(struct ue_context *ue);
struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_link *link, int new_fd);
void hnb_context_release(struct hnb_context *ctx, bool destroy_conn);
void hnb_context_release(struct hnb_context *ctx);
void hnbgw_vty_init(struct hnb_gw *gw, void *tall_ctx);
int hnbgw_vty_go_parent(struct vty *vty);


@ -202,16 +202,6 @@ void ue_context_free(struct ue_context *ue)
llist_del(&ue->list);
talloc_free(ue);
}
static int hnb_close_cb(struct osmo_stream_srv *conn)
{
struct hnb_context *hnb = osmo_stream_srv_get_data(conn);
/* This connection is about to be closed. Destroy the HNB context now. */
if (hnb)
hnb_context_release(hnb, false);
return 0;
}
static int hnb_read_cb(struct osmo_stream_srv *conn)
{
@ -234,10 +224,10 @@ static int hnb_read_cb(struct osmo_stream_srv *conn)
} else if (rc < 0) {
LOGP(DMAIN, LOGL_ERROR, "Error during sctp_recvmsg()\n");
/* FIXME: clean up after disappeared HNB */
hnb_context_release(hnb, true);
hnb_context_release(hnb);
goto out;
} else if (rc == 0) {
hnb_context_release(hnb, true);
hnb_context_release(hnb);
rc = -1;
goto out;
@ -283,7 +273,7 @@ struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_
INIT_LLIST_HEAD(&ctx->map_list);
ctx->gw = gw;
ctx->conn = osmo_stream_srv_create(tall_hnb_ctx, link, new_fd, hnb_read_cb, hnb_close_cb, ctx);
ctx->conn = osmo_stream_srv_create(tall_hnb_ctx, link, new_fd, hnb_read_cb, NULL, ctx);
if (!ctx->conn) {
LOGP(DMAIN, LOGL_INFO, "error while creating connection\n");
talloc_free(ctx);
@ -294,7 +284,7 @@ struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_
return ctx;
}
void hnb_context_release(struct hnb_context *ctx, bool destroy_conn)
void hnb_context_release(struct hnb_context *ctx)
{
struct hnbgw_context_map *map, *map2;
@ -312,8 +302,7 @@ void hnb_context_release(struct hnb_context *ctx, bool destroy_conn)
}
ue_context_free_by_hnb(ctx->gw, ctx);
if (destroy_conn)
osmo_stream_srv_destroy(ctx->conn);
osmo_stream_srv_destroy(ctx->conn);
talloc_free(ctx);
}
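Review bot: Passing `NULL` as the close callback in the `osmo_stream_srv_create()` call of hnb_context_alloc() leaves no hook for a close that the stream layer starts on its own, so an hnb_context can outlive its connection. The register-reject path in the third file still calls `osmo_stream_srv_set_flush_and_destroy(ctx->conn)`; presumably the library destroys the conn once the queue is flushed, after which nothing releases the context and `ctx->conn` is left dangling. A safer way to break the recursion is to keep the callback and detach the context from the conn before destroying it, as sketched below. hnb_context_release() has lines outside these hunks, so its map and UE cleanup is elided here.

```c
static int hnb_close_cb(struct osmo_stream_srv *conn)
{
	struct hnb_context *hnb = osmo_stream_srv_get_data(conn);

	/* Close started by the stream layer: the conn is already going away,
	 * so drop the pointer and release only the context. */
	if (hnb) {
		hnb->conn = NULL;
		hnb_context_release(hnb);
	}
	return 0;
}

void hnb_context_release(struct hnb_context *ctx)
{
	/* … unchanged: context map and UE cleanup … */
	if (ctx->conn) {
		/* Detach first so hnb_close_cb() cannot re-enter this function. */
		osmo_stream_srv_set_data(ctx->conn, NULL);
		osmo_stream_srv_destroy(ctx->conn);
	}
	talloc_free(ctx);
}
```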


@ -84,7 +84,7 @@ static int hnbgw_tx_hnb_register_rej(struct hnb_context *ctx)
osmo_stream_srv_set_flush_and_destroy(ctx->conn);
} else {
/* The message was not queued. Destroy the connection right away. */
hnb_context_release(ctx, true);
hnb_context_release(ctx);
}
}
@ -401,7 +401,7 @@ static int hnbgw_rx_hnb_deregister(struct hnb_context *ctx, ANY_t *in)
hnbap_cause_str(&ies.cause));
hnbap_free_hnbde_registeries(&ies);
hnb_context_release(ctx, true);
hnb_context_release(ctx);
return 0;
}
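Review bot: hnbgw_rx_hnb_deregister() still returns 0 right after `hnb_context_release(ctx)`, which now always destroys the connection; the same applies to the else branch of hnbgw_tx_hnb_register_rej() above. Both are presumably reached from hnb_read_cb(), whose `rc == 0` branch sets `rc = -1` after the release. If that negative value is what tells the stream server the conn is gone, a 0 from here would let it keep touching a freed conn. Consider returning a negative value after the release, and confirm that every caller up to hnb_read_cb() passes it through without using `ctx` again; at minimum add `/* ctx and its conn are freed here; callers must not use them */` above the call. Both functions begin outside the hunks, so the caller chain could not be checked from this page.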