From eb76c7a93fe0866256cb44b7e0e47bc82506d896 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Thu, 23 Dec 2010 02:47:53 +0100
Subject: [PATCH] mncc_sock: Fix potential segfault in case MNCC app dies

We create a loop by not setting trans->callref = 0 before calling trans_free(), as the latter would again send a MNCC_REL_IND up the stack. Also: Fix memory leak in case we try to read from mncc_sock but socket is just gone.
---
 openbsc/src/gsm_04_08.c | 4 +++-
 openbsc/src/mncc_sock.c | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/openbsc/src/gsm_04_08.c b/openbsc/src/gsm_04_08.c
index 9ab8840db..138cdfc6c 100644
--- a/openbsc/src/gsm_04_08.c
+++ b/openbsc/src/gsm_04_08.c
@@ -336,8 +336,10 @@ void gsm0408_clear_all_trans(struct gsm_network *net, int protocol)
 	LOGP(DCC, LOGL_NOTICE, "Clearing all currently active transactions!!!\n");
 
 	llist_for_each_entry_safe(trans, temp, &net->trans_list, entry) {
-		if (trans->protocol == protocol)
+		if (trans->protocol == protocol) {
+			trans->callref = 0;
 			trans_free(trans);
+		}
 	}
 }
 
diff --git a/openbsc/src/mncc_sock.c b/openbsc/src/mncc_sock.c
index 30520091e..e9e62769c 100644
--- a/openbsc/src/mncc_sock.c
+++ b/openbsc/src/mncc_sock.c
@@ -144,6 +144,7 @@ static int mncc_sock_read(struct bsc_fd *bfd)
 	return rc;
 
 close:
+	msgb_free(msg);
 	mncc_sock_close(state);
 	return -1;
 }
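Review bot: The new `trans->callref = 0;` in gsm0408_clear_all_trans carries no comment, and its purpose (suppressing the MNCC_REL_IND that trans_free() would otherwise emit, which is what looped back into this function when the MNCC application disappeared) is only recoverable from the commit message. Add `/* callref == 0 keeps trans_free() from sending MNCC_REL_IND for a peer that is already gone; otherwise that indication re-enters the clear-all path */` above the assignment. Note that the suppression applies to every caller of this function, not only the socket-closed path, so if it is also reached while the MNCC application is alive those transactions are presumably released without notifying it; confirm that is acceptable for all callers. The function's body begins outside the hunk.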
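Review bot: The added `msgb_free(msg);` under `close:` in mncc_sock_read is only safe if every `goto close` in the function is reached after `msg` has been allocated and before its ownership has been handed on; a jump taken before allocation would free an uninitialised pointer, and one taken after a dispatch that consumes the buffer would double-free. Those paths lie outside the hunk, so verify them, and if an early jump exists, initialise with `struct msgb *msg = NULL;` and guard the free with `if (msg)` unless msgb_free() is known to tolerate NULL. A one-line comment such as `/* all goto close paths own msg at this point */` above the label would record the invariant the new line depends on.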