From a61c709ef0dbce982059b725eb4e613409dd22f7 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Thu, 27 Jan 2011 15:05:45 +0100
Subject: [PATCH] mncc: Fix a crash in the call release code

When the remote subscriber has not responded yet we could end up with a crash in the MNCC code. It was enough to dial the number, then hang up and bsc_hack would end up with a segfault due the list poisining of linux_list.
---
 openbsc/src/mncc_builtin.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/openbsc/src/mncc_builtin.c b/openbsc/src/mncc_builtin.c
index 640a286bc..0226b2748 100644
--- a/openbsc/src/mncc_builtin.c
+++ b/openbsc/src/mncc_builtin.c
@@ -238,12 +238,18 @@ static int mncc_rel_ind(struct gsm_call *call, int msg_type, struct gsm_mncc *re
 free_call(call);
 return 0;
 }
+ rel->callref = remote->callref;
 DEBUGP(DMNCC, "(call %x) Releasing remote with cause %d\n", call->callref, rel->cause.value);
- mncc_tx_to_cc(remote->net, MNCC_REL_REQ, rel);
+ /*
+ * Release this side of the call right now. Otherwise we end up
+ * in this method for the other call and will also try to release
+ * it and then we will end up with a double free and a crash
+ */
 free_call(call);
+ mncc_tx_to_cc(remote->net, MNCC_REL_REQ, rel);
 return 0;
 }
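Review bot: The re-ordered `mncc_tx_to_cc(remote->net, MNCC_REL_REQ, rel);` now dereferences `remote` after `free_call(call);`, so the fix is only sound if free_call() releases `call` alone and never touches the peer leg, which this hunk does not show. Hoisting the network pointer into a local before the free (`net = remote->net;` ahead of `free_call(call);`, then `mncc_tx_to_cc(net, MNCC_REL_REQ, rel);`) keeps the send independent of what free_call() does and makes it explicit that neither `call` nor anything reached through it may be used past that point. The new `rel->callref = remote->callref;` line is unexplained; a why-comment such as `/* the REL_REQ is addressed to the peer leg, so carry its callref, not ours */` would record the intent, assuming that is what the rewrite is for. mncc_rel_ind()'s signature and the lookup that sets `remote` precede the hunk, and the hunk header's line counts suggest its trailing context lines are not shown here.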