From 3350bf9f78253eb9f647c8377b6446a4fc7b26e8 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Fri, 21 Dec 2018 01:35:21 +0100
Subject: [PATCH] release RTP stream only for matching CC transaction

Do not break the currently ongoing call when rejecting a second incoming caller. There may be multiple (up to seven) simultaneous CC transactions, and there is one mgcp_ctx for the currently active RTP stream. Release the MGCP context only when the active CC transaction is releasing. Before this patch, any CC transaction release would destroy the single MGCP context, possibly breaking the currently ongoing call (another CC trans). This also fixes a possible use-after-free if there were pending MGCP message responses for the MGCP context; they are canceled properly for a released transaction, but since one transaction would free the other transaction's MGCP state, the clean up did not take place and possibly caused an mgcp client response handling to access a freed mgcp_ctx.

Related: OS#3735
Change-Id: I1f8746e7babfcd3028a4d2c0ba260c608c686c76
---
 src/libmsc/msc_mgcp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c
index 6170c108c..23e68e7b4 100644
--- a/src/libmsc/msc_mgcp.c
+++ b/src/libmsc/msc_mgcp.c
@@ -1164,6 +1164,12 @@ int msc_mgcp_call_release(struct gsm_trans *trans)
 return -EINVAL;
 }
 
+ if (mgcp_ctx->trans != trans) {
+ LOGP(DMGCP, LOGL_DEBUG, "(ti %02x %s) call release for background CC transaction\n", trans->transaction_id, vlr_subscr_name(trans->vsub));
+ return 0;
+ }
+
 LOGP(DMGCP, LOGL_DEBUG, "(ti %02x %s) Call release: tearing down MGW endpoint\n", trans->transaction_id, vlr_subscr_name(trans->vsub));
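Review bot: The new `if (mgcp_ctx->trans != trans)` early return logs only the releasing transaction, so an operator reading the debug log cannot see which transaction still owns the MGW endpoint, which is exactly the information needed when diagnosing a call that was (or was not) torn down; I would log both sides, e.g. `LOGP(DMGCP, LOGL_DEBUG, "(ti %02x %s) Call release for background CC transaction, keeping MGW endpoint of ti %02x\n", trans->transaction_id, vlr_subscr_name(trans->vsub), mgcp_ctx->trans->transaction_id);`. The branch also deserves a one-line why-comment above it, since a silent `return 0` from a function named `msc_mgcp_call_release` looks like a bug to a later reader: `/* Only the CC transaction that owns the RTP stream may tear it down; a rejected second caller must not break the active call. */`. Whether `mgcp_ctx->trans` is guaranteed non-NULL at this point is not visible in the hunk; if it can be NULL, this comparison would also swallow the release for the active call and leave the endpoint allocated, so that invariant is worth confirming (or asserting) in the code that sets it. The enclosing `msc_mgcp_call_release()` begins before this hunk (the `return -EINVAL;` context line belongs to a guard above) and continues after it.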