bsc: Fix crash that can occur on RF Failure

When we got a clear request we did not clear the internal
association between the gsm_subscriber_connection and the SCCP
part. When we got a DTAP message before the CLEAR COMMAND we
will end up in a crash as the ->bts pointer of the connection
has been cleared.

 #0  bsc_scan_msc_msg (conn=0xde178, msg=<value optimized out>) at osmo_bsc_filter.c:258
 #1  0x000112c8 in bsc_handle_dt1 (conn=0xdebd8, msg=0xd1f58, len=<value optimized out>) at osmo_bsc_bssap.c:507
 #2  0x00010208 in msc_outgoing_sccp_data (conn=<value optimized out>, msg=0xdfacc, len=858696) at osmo_bsc_sccp.c:73
 #3  0x0003c110 in sccp_system_incoming (msgb=0xd1f58) at sccp.c:1064

openbsc/src/osmo-bsc/osmo_bsc_api.c

@@ -281,19 +281,28 @@ static void bsc_assign_fail(struct gsm_subscriber_connection *conn,
 
 static int bsc_clear_request(struct gsm_subscriber_connection *conn, uint32_t cause)
 {
+	struct osmo_bsc_sccp_con *sccp;
 	struct msgb *resp;
 	return_when_not_connected_val(conn, 1);
 
 	LOGP(DMSC, LOGL_INFO, "Tx MSC CLEAR REQUEST\n");
 
+	/*
+	 * Remove the connection from BSC<->SCCP part, the SCCP part
+	 * will either be cleared by channel release or MSC disconnect
+	 */
+	sccp = conn->sccp_con;
+	sccp->conn = NULL;
+	conn->sccp_con = NULL;
+
 	resp = gsm0808_create_clear_rqst(GSM0808_CAUSE_RADIO_INTERFACE_FAILURE);
 	if (!resp) {
 		LOGP(DMSC, LOGL_ERROR, "Failed to allocate response.\n");
-		return 0;
+		return 1;
 	}
 
-	bsc_queue_for_msc(conn->sccp_con, resp);
-	return 0;
+	bsc_queue_for_msc(sccp, resp);
+	return 1;
 }
 
 static void bsc_mr_config(struct gsm_subscriber_connection *conn,