From 022193da73230fba5c65599fedcba606b71f9928 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Mon, 16 May 2022 17:31:36 +0200 Subject: [PATCH] smpp: Fix use-after-free bug when ESME disconnects but has write pending When the SMPP code frees an ESME it also frees the related write_queue and the osmo_fd contained therein. So if this happens while we are in esme_link_read_cb(), we must return -EBADF to make osmo_wqueue_bfd_cb() of libosmocore avoid further accessing related memory. Change-Id: I441d3b05c2f2556c530783a7f66c73adf6d845a1 Closes: OS#5565 --- src/libmsc/smpp_smsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libmsc/smpp_smsc.c b/src/libmsc/smpp_smsc.c index 4581865b9..6712032f3 100644 --- a/src/libmsc/smpp_smsc.c +++ b/src/libmsc/smpp_smsc.c @@ -888,7 +888,7 @@ dead_socket: esme->acl->esme = NULL; smpp_esme_put(esme); - return 0; + return -EBADF; } /* call-back of write queue once it wishes to write a message to the socket */
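Review bot: the `return -EBADF;` at the end of the `dead_socket:` path needs an inline comment, because the reason for the non-zero return (smpp_esme_put() may have just freed the esme, its write_queue and the osmo_fd, so osmo_wqueue_bfd_cb() must not touch them) lives only in the commit message and a future cleanup could revert it to `return 0;` without noticing. Suggest something like `/* esme and its osmo_fd may be gone: tell osmo_wqueue_bfd_cb() to stop */` immediately above the return. Also worth confirming in review that the libosmocore version the build depends on actually honours a negative read_cb return in osmo_wqueue_bfd_cb() and that errno.h is already included in smpp_smsc.c for EBADF, since the hunk does not add it; if any other early exit in esme_link_read_cb() also calls smpp_esme_put(), it needs the same treatment.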