From 605f62a16a98ad25e98d3032e771e369839092a1 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Sun, 16 May 2010 16:30:42 +0800
Subject: [PATCH] [nat] Do not access the con after the removal

In case of a RLC message we will destroy the SCCP connection. This means that accessing the con and con->bsc will access old memory. Keep the status local and move the con into an inner scope.
---
 openbsc/src/nat/bsc_nat.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/openbsc/src/nat/bsc_nat.c b/openbsc/src/nat/bsc_nat.c
index 9e6bd2b84..3ee537473 100644
--- a/openbsc/src/nat/bsc_nat.c
+++ b/openbsc/src/nat/bsc_nat.c
@@ -608,8 +608,9 @@ static void ipaccess_auth_bsc(struct tlv_parsed *tvp, struct bsc_connection *bsc
 
 static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
 {
+	int con_found = 0;
+	struct bsc_connection *con_bsc = NULL;
 	int con_type;
-	struct sccp_connections *con;
 	struct bsc_nat_parsed *parsed;
 
 	/* Parse and filter messages */
@@ -637,6 +638,7 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
 
 	/* modify the SCCP entries */
 	if (parsed->ipa_proto == IPAC_PROTO_SCCP) {
+		struct sccp_connections *con;
 		switch (parsed->sccp_type) {
 		case SCCP_MSG_TYPE_CR:
 			if (bsc_nat_filter_sccp_cr(bsc, msg, parsed, &con_type) != 0)
@@ -645,6 +647,8 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
 				goto exit2;
 			con = patch_sccp_src_ref_to_msc(msg, parsed, bsc);
 			con->con_type = con_type;
+			con_found = 1;
+			con_bsc = con->bsc;
 			break;
 		case SCCP_MSG_TYPE_RLSD:
 		case SCCP_MSG_TYPE_CREF:
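Review bot: The inner-scope `struct sccp_connections *con;` added in this hunk has no initializer, so any switch case that reads `con` before assigning it would read an indeterminate pointer — the same class of bug the commit is fixing for the post-switch owner check (none of the cases visible in this diff do so today, but the cases between the hunks are not shown). With the narrowed scope the initializer costs nothing and makes the "no connection looked up" state explicit: `struct sccp_connections *con = NULL;`. forward_sccp_to_msc begins and ends outside this hunk.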
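Review bot: In the SCCP_MSG_TYPE_CR case the result of `patch_sccp_src_ref_to_msc()` is dereferenced twice (`con->con_type = con_type;` and the new `con_bsc = con->bsc;`) without a NULL check, while every other case of this switch that calls the same function guards it with `if (con)`. The function's body is not in this diff; if its lookup can fail for a CR as well, this is a NULL dereference triggered by a message received from the BSC, and the new line extends rather than fixes it. Adding the same guard before the first dereference, `if (!con) goto exit2;`, keeps the cases consistent — exit2 is already the path taken a few lines earlier when bsc_nat_filter_sccp_cr rejects the message, so it appears to be the intended drop path. forward_sccp_to_msc continues outside this hunk.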
@@ -652,9 +656,17 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
 		case SCCP_MSG_TYPE_CC:
 		case SCCP_MSG_TYPE_IT:
 			con = patch_sccp_src_ref_to_msc(msg, parsed, bsc);
+			if (con) {
+				con_found = 1;
+				con_bsc = con->bsc;
+			}
 			break;
 		case SCCP_MSG_TYPE_RLC:
 			con = patch_sccp_src_ref_to_msc(msg, parsed, bsc);
+			if (con) {
+				con_found = 1;
+				con_bsc = con->bsc;
+			}
 			remove_sccp_src_ref(bsc, msg, parsed);
 			break;
 		case SCCP_MSG_TYPE_UDT:
@@ -675,9 +687,9 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
 		goto exit2;
 	}
 
-	if (con && con->bsc != bsc) {
+	if (con_found && con_bsc != bsc) {
 		LOGP(DNAT, LOGL_ERROR, "The connection belongs to a different BTS: input: %d con: %d\n",
-		     bsc->cfg->nr, con->bsc->cfg->nr);
+		     bsc->cfg->nr, con_bsc->cfg->nr);
 		goto exit2;
 	}
 
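Review bot: In the SCCP_MSG_TYPE_RLC case, `remove_sccp_src_ref(bsc, msg, parsed)` runs before the owner check further down in this function (`con_found && con_bsc != bsc`), so a RLC carrying a source reference that belongs to another BSC has already torn down that connection by the time the mismatch is logged and the message dropped — unless remove_sccp_src_ref verifies ownership itself, which this diff does not show. Moving the comparison ahead of the removal closes that window without adding a second log path: inside the `if (con)` block, before `remove_sccp_src_ref`, add `if (con_bsc != bsc) break;` so the existing check below rejects the message while the connection is still intact. Separately, `con` still holds the freed connection after `remove_sccp_src_ref` returns; a `con = NULL;` right after the call would make the dangling state visible to the next person who edits this case.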
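Review bot: With `con_found` the owner check only fires when a lookup succeeded; when `patch_sccp_src_ref_to_msc()` returned NULL for one of the RLSD/CREF/CC/IT/RLC cases (or any case between the hunks), `con_found` stays 0, this `if` is skipped, and the message presumably continues to the MSC as though it referenced a valid connection. The previous code read `con` uninitialized at this point, so that pass-through was undefined behaviour rather than a deliberate choice; consider whether an unknown reference on a connection-oriented message should be treated like the owner mismatch here, i.e. logged and sent to exit2, and add a comment stating whichever policy is intended, e.g. `/* unknown source refs are forwarded unchanged; the MSC will reject them */`. Minor: the log text says "BTS" while the values compared are the BSC connections' `cfg->nr`. forward_sccp_to_msc continues beyond this hunk.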