Change in osmo-iuh[master]: hnbgw: remove close_cb() to fix a crash when releasing a hnbgw

Harald Welte gerrit-no-reply at lists.osmocom.org
Wed Jul 25 18:50:54 UTC 2018


Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/10151 )

Change subject: hnbgw: remove close_cb() to fix a crash when releasing a hnbgw
......................................................................

hnbgw: remove close_cb() to fix a crash when releasing a hnbgw

The read callback should catch all errors already.
Previously, when a read failed, it did:

* hnb_context_release() -> osmo_stream_srv_destroy() -> hnb_context_release()
On the second hnb_context_release() the hnbgw will crash because of calling
llist_del() twice on the same object.

Fixes: OS#3416
Change-Id: Ic84b2184b7fc850c0de2acacf179e86771e17510
---
M include/osmocom/iuh/hnbgw.h
M src/hnbgw.c
M src/hnbgw_hnbap.c
3 files changed, 8 insertions(+), 19 deletions(-)

Approvals:
  Jenkins Builder: Verified
  Harald Welte: Looks good to me, approved



diff --git a/include/osmocom/iuh/hnbgw.h b/include/osmocom/iuh/hnbgw.h
index b79bcc1..db49dc1 100644
--- a/include/osmocom/iuh/hnbgw.h
+++ b/include/osmocom/iuh/hnbgw.h
@@ -161,7 +161,7 @@
 void ue_context_free(struct ue_context *ue);
 
 struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_link *link, int new_fd);
-void hnb_context_release(struct hnb_context *ctx, bool destroy_conn);
+void hnb_context_release(struct hnb_context *ctx);
 
 void hnbgw_vty_init(struct hnb_gw *gw, void *tall_ctx);
 int hnbgw_vty_go_parent(struct vty *vty);
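Review bot: The hnb_context_release() prototype carries no comment on ownership, and with the destroy_conn flag gone the call always tears down the connection as well as the context. A short doc comment on the declaration saying that it destroys ctx->conn and frees ctx, so the caller must not use either afterwards, would make the new contract visible to anyone calling it from outside src/hnbgw.c.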
diff --git a/src/hnbgw.c b/src/hnbgw.c
index 94d8fb9..91e551b 100644
--- a/src/hnbgw.c
+++ b/src/hnbgw.c
@@ -202,16 +202,6 @@
 	llist_del(&ue->list);
 	talloc_free(ue);
 }
-static int hnb_close_cb(struct osmo_stream_srv *conn)
-{
-	struct hnb_context *hnb = osmo_stream_srv_get_data(conn);
-
-	/* This connection is about to be closed. Destroy the HNB context now. */
-	if (hnb)
-		hnb_context_release(hnb, false);
-
-	return 0;
-}
 
 static int hnb_read_cb(struct osmo_stream_srv *conn)
 {
@@ -234,10 +224,10 @@
 	} else if (rc < 0) {
 		LOGP(DMAIN, LOGL_ERROR, "Error during sctp_recvmsg()\n");
 		/* FIXME: clean up after disappeared HNB */
-		hnb_context_release(hnb, true);
+		hnb_context_release(hnb);
 		goto out;
 	} else if (rc == 0) {
-		hnb_context_release(hnb, true);
+		hnb_context_release(hnb);
 		rc = -1;
 
 		goto out;
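Review bot: Both error branches now free hnb and destroy conn from inside conn's own read callback and then jump to out, whose body is not part of this hunk. Please confirm that nothing under out dereferences hnb or conn, and that the rc < 0 branch returns a value the stream layer treats as "connection gone", as the rc == 0 branch does with rc = -1. The "FIXME: clean up after disappeared HNB" comment sits directly above the call that performs that cleanup and could be dropped or reworded.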
@@ -283,7 +273,7 @@
 	INIT_LLIST_HEAD(&ctx->map_list);
 
 	ctx->gw = gw;
-	ctx->conn = osmo_stream_srv_create(tall_hnb_ctx, link, new_fd, hnb_read_cb, hnb_close_cb, ctx);
+	ctx->conn = osmo_stream_srv_create(tall_hnb_ctx, link, new_fd, hnb_read_cb, NULL, ctx);
 	if (!ctx->conn) {
 		LOGP(DMAIN, LOGL_INFO, "error while creating connection\n");
 		talloc_free(ctx);
@@ -294,7 +284,7 @@
 	return ctx;
 }
 
-void hnb_context_release(struct hnb_context *ctx, bool destroy_conn)
+void hnb_context_release(struct hnb_context *ctx)
 {
 	struct hnbgw_context_map *map, *map2;
 
@@ -312,8 +302,7 @@
 	}
 	ue_context_free_by_hnb(ctx->gw, ctx);
 
-	if (destroy_conn)
-		osmo_stream_srv_destroy(ctx->conn);
+	osmo_stream_srv_destroy(ctx->conn);
 
 	talloc_free(ctx);
 }
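Review bot: The now unconditional osmo_stream_srv_destroy(ctx->conn) is free of re-entry only because hnb_context_alloc() passes NULL as the close callback, and nothing in this function records that dependency. A comment above the destroy call stating that no close callback may call back into hnb_context_release() would keep a later change from reintroducing the double release described in the commit message.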
diff --git a/src/hnbgw_hnbap.c b/src/hnbgw_hnbap.c
index acc5aff..2a19dda 100644
--- a/src/hnbgw_hnbap.c
+++ b/src/hnbgw_hnbap.c
@@ -84,7 +84,7 @@
 		osmo_stream_srv_set_flush_and_destroy(ctx->conn);
 	} else {
 		/* The message was not queued. Destroy the connection right away. */
-		hnb_context_release(ctx, true);
+		hnb_context_release(ctx);
 	}
 }
 
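Review bot: The branch just above this change calls osmo_stream_srv_set_flush_and_destroy(ctx->conn), which leaves the teardown to the stream layer, and with hnb_close_cb removed in src/hnbgw.c no code shown here calls hnb_context_release() on that path. If the deferred destroy does not reach hnb_read_cb, the hnb_context stays allocated with ctx->conn pointing at a destroyed connection. Consider releasing the context explicitly on that path, or documenting why the read callback is guaranteed to run first.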
@@ -401,7 +401,7 @@
 		hnbap_cause_str(&ies.cause));
 
 	hnbap_free_hnbde_registeries(&ies);
-	hnb_context_release(ctx, true);
+	hnb_context_release(ctx);
 
 	return 0;
 }

-- 
To view, visit https://gerrit.osmocom.org/10151
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-iuh
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ic84b2184b7fc850c0de2acacf179e86771e17510
Gerrit-Change-Number: 10151
Gerrit-PatchSet: 1
Gerrit-Owner: lynxis lazus <lynxis at fe80.eu>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: lynxis lazus <lynxis at fe80.eu>