gsm_subscriber_base: Take a ref on the subscriber to avoid use after free

On expired paging we might access a GSM Subscriber that has already
been deleted. To avoid this we will add a subscr_get/subscr_put for
the subscriber to the allocation and release path of the request.

Reported-by: Richard Zahoransky
Holger Hans Peter Freyther 2010-06-30 09:22:31 +08:00
parent 93d50e69d3
commit 66efcbce65
1 changed files with 4 additions and 2 deletions

@ -1,7 +1,8 @@
/* The concept of a subscriber as seen by the BSC */
/* (C) 2008 by Harald Welte <laforge@gnumonks.org>
* (C) 2009 by Holger Hans Peter Freyther <zecke@selfish.org>
* (C) 2009-2010 by Holger Hans Peter Freyther <zecke@selfish.org>
* (C) 2010 by On Waves
*
* All Rights Reserved
*
@ -88,6 +89,7 @@ static int subscr_paging_cb(unsigned int hooknum, unsigned int event,
request->cbfn(hooknum, event, msg, data, request->param);
subscr->in_callback = 0;
subscr_put(subscr);
talloc_free(request);
return 0;
}
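Review bot: The subscr_put(subscr) in subscr_paging_cb releases through the local subscr, while the reference is taken into request->subscr in subscr_get_channel; writing subscr_put(request->subscr) here would make the get/put pairing visible at the point of release. The ordering is right as written: subscr->in_callback = 0 comes before the put, so the last write to the subscriber happens while the reference is still held, and a one-line comment saying so would keep a later reorder from reintroducing the use after free. This callback is the only release shown in the patch; if a request can be freed on any other path, that path needs the same put before talloc_free(request).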
@ -165,7 +167,7 @@ void subscr_get_channel(struct gsm_subscriber *subscr,
}
memset(request, 0, sizeof(*request));
request->subscr = subscr;
request->subscr = subscr_get(subscr);
request->channel_type = type;
request->cbfn = cbfn;
request->param = param;
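Review bot: request->subscr = subscr_get(subscr) in subscr_get_channel makes the request an owner of the subscriber, but nothing at the assignment says so; a short comment noting that the reference is dropped in subscr_paging_cb would document the pairing for the next reader. The hunk ends before the function does, so please confirm that no later early return in subscr_get_channel frees the request without a matching subscr_put(request->subscr).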