From 4ce159c9eb930843c3478a51b6981f4898939990 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr <nhofmeyr@sysmocom.de>
Date: Sat, 4 Mar 2023 23:48:28 +0100
Subject: [PATCH] mncc: prevent duplicate release in two cases

After MNCC_REL_IND, set callref=0, the common way to indicate that a
call has already been released.

Change-Id: Idd782f0cb6a25bc2c93e63fd323a90828f2fd549
---
 src/libmsc/gsm_04_08_cc.c           |  2 ++
 tests/msc_vlr/msc_vlr_test_call.err | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/libmsc/gsm_04_08_cc.c b/src/libmsc/gsm_04_08_cc.c
index 59dd8e7bf..70ddbb8c7 100644
--- a/src/libmsc/gsm_04_08_cc.c
+++ b/src/libmsc/gsm_04_08_cc.c
@@ -284,6 +284,7 @@ void _gsm48_cc_trans_free(struct gsm_trans *trans)
 					 (trans->cc.state == GSM_CSTATE_CALL_RECEIVED) ?
 					 GSM48_CC_CAUSE_USER_NOTRESPOND :
 					 GSM48_CC_CAUSE_RESOURCE_UNAVAIL);
+			trans->callref = 0;
 		}
 
 		/* FIXME: currently, a CC trans that would not yet be in state GSM_CSTATE_RELEASE_REQ fails to send a
@@ -457,6 +458,7 @@ static void gsm48_cc_timeout(void *arg)
 		/* process disconnect towards layer 4 */
 		mncc_set_cause(&l4_rel, l4_location, l4_cause);
 		mncc_recvmsg(trans->net, trans, MNCC_DISC_IND, &l4_rel);
+		trans->callref = 0;
 	}
 
 	/* process disconnect towards mobile station */
diff --git a/tests/msc_vlr/msc_vlr_test_call.err b/tests/msc_vlr/msc_vlr_test_call.err
index 5a22109d9..23da3e7af 100644
--- a/tests/msc_vlr/msc_vlr_test_call.err
+++ b/tests/msc_vlr/msc_vlr_test_call.err
@@ -1438,15 +1438,15 @@ DCC trans(CC:CALL_RECEIVED IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTR
 DMNCC trans(CC:CALL_RECEIVED IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP callref-0x423 tid-0) tx MNCC_REL_IND
   MSC --> MNCC: callref 0x423: MNCC_REL_IND
 
-DCC trans(CC:CALL_RECEIVED IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP callref-0x423 tid-0) starting timer T308 with 10 seconds
-DCC trans(CC:CALL_RECEIVED IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP callref-0x423 tid-0) new state CALL_RECEIVED -> RELEASE_REQ
+DCC trans(CC:CALL_RECEIVED IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP callref-0x0 tid-0) starting timer T308 with 10 seconds
+DCC trans(CC:CALL_RECEIVED IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP callref-0x0 tid-0) new state CALL_RECEIVED -> RELEASE_REQ
 DIUCS msc_a(IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP){MSC_A_ST_RELEASING}: Sending DTAP: CC GSM48_MT_CC_RELEASE
 DMSC msc_a(IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP){MSC_A_ST_RELEASING}: RAN encode: DTAP on UTRAN-Iu
 - DTAP --UTRAN-Iu--> MS: GSM48_MT_CC_RELEASE: 032d0802e1af
 - DTAP matches expected message
 DMSC dummy_msc_i(IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP){0}: Received Event MSC_I_EV_FROM_A_FORWARD_ACCESS_SIGNALLING_REQUEST
-DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP callref-0x423 tid-0) stopping pending timer T308
-DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP callref-0x423 tid-0) new state RELEASE_REQ -> NULL
+DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP callref-0x0 tid-0) stopping pending timer T308
+DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP callref-0x0 tid-0) new state RELEASE_REQ -> NULL
 DREF VLR subscr IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100 - CC: now used by 3 (attached,active-conn,msc_a_fsm_releasing_onenter)
 DREF msc_a(IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP){MSC_A_ST_RELEASING}: - cc: now used by 0 (-)
 DMSC msc_a(IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:PAGING_RESP){MSC_A_ST_RELEASING}: Received Event MSC_A_EV_UNUSED
@@ -2346,8 +2346,8 @@ DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN
 DMNCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:CM_SERVICE_REQ callref-0x80000003 tid-8) tx MNCC_REL_CNF
   MSC --> MNCC: callref 0x80000003: MNCC_REL_CNF
 
-DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:CM_SERVICE_REQ callref-0x80000003 tid-8) new state RELEASE_REQ -> NULL
-DCC trans(CC:NULL IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:CM_SERVICE_REQ callref-0x80000003 tid-8) stopping pending guard timer
+DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:CM_SERVICE_REQ callref-0x0 tid-8) new state RELEASE_REQ -> NULL
+DCC trans(CC:NULL IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:CM_SERVICE_REQ callref-0x0 tid-8) stopping pending guard timer
 DREF VLR subscr IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100 - CC: now used by 2 (attached,active-conn)
 DREF msc_a(IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:CM_SERVICE_REQ){MSC_A_ST_COMMUNICATING}: - cc: now used by 0 (-)
 DMSC msc_a(IMSI-901700000010650:MSISDN-42342:TMSI-0x03020100:UTRAN-Iu:CM_SERVICE_REQ){MSC_A_ST_COMMUNICATING}: Received Event MSC_A_EV_UNUSED
@@ -5156,15 +5156,15 @@ DCC trans(CC:MO_TERM_CALL_CONF IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_
 DMNCC trans(CC:MO_TERM_CALL_CONF IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP callref-0x423 tid-0) tx MNCC_REL_IND
   MSC --> MNCC: callref 0x423: MNCC_REL_IND
 
-DCC trans(CC:MO_TERM_CALL_CONF IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP callref-0x423 tid-0) starting timer T308 with 10 seconds
-DCC trans(CC:MO_TERM_CALL_CONF IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP callref-0x423 tid-0) new state MO_TERM_CALL_CONF -> RELEASE_REQ
+DCC trans(CC:MO_TERM_CALL_CONF IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP callref-0x0 tid-0) starting timer T308 with 10 seconds
+DCC trans(CC:MO_TERM_CALL_CONF IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP callref-0x0 tid-0) new state MO_TERM_CALL_CONF -> RELEASE_REQ
 DBSSAP msc_a(IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP){MSC_A_ST_COMMUNICATING}: Sending DTAP: CC GSM48_MT_CC_RELEASE
 DMSC msc_a(IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP){MSC_A_ST_COMMUNICATING}: RAN encode: DTAP on GERAN-A
 - DTAP --GERAN-A--> MS: GSM48_MT_CC_RELEASE: 032d0802e1af
 - DTAP matches expected message
 DMSC dummy_msc_i(IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP){0}: Received Event MSC_I_EV_FROM_A_FORWARD_ACCESS_SIGNALLING_REQUEST
-DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP callref-0x423 tid-0) stopping pending timer T308
-DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP callref-0x423 tid-0) new state RELEASE_REQ -> NULL
+DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP callref-0x0 tid-0) stopping pending timer T308
+DCC trans(CC:RELEASE_REQ IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP callref-0x0 tid-0) new state RELEASE_REQ -> NULL
 DREF VLR subscr IMSI-901700000010650:MSISDN-46071 - CC: now used by 2 (attached,active-conn)
 DREF msc_a(IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP){MSC_A_ST_COMMUNICATING}: - cc: now used by 1 (msc_a_fsm_communicating)
 DREF msc_a(IMSI-901700000010650:MSISDN-46071:GERAN-A:PAGING_RESP){MSC_A_ST_COMMUNICATING}: - msc_a_fsm_communicating: now used by 0 (-)