[PATCH] osmo-msc[master]: msc_mgcp: to not access higher layers after release

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Fri Mar 16 18:51:37 UTC 2018


Hello Jenkins Builder,

I'd like you to reexamine a change.  Please visit

    https://gerrit.osmocom.org/7325

to look at the new patch set (#2).

msc_mgcp: to not access higher layers after release

The higher layers (gsm_04_08.c) are informed when errors occur. But it
is not checked if the call was already released. If an error occurs
after the call control stack calls msc_mgcp_call_release(), then
the higher layers might already have cleaned up and the code
accesses memory that is already freed (trans).

- fix use after free by guarding the call to mncc_tx_to_cc()

Change-Id: I78f1b6a9149488a4ad3f120c1e190a83c07d4b89
Related OS#2881
Related OS#2882
---
M src/libmsc/msc_mgcp.c
1 file changed, 9 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/25/7325/2

diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c
index 8e874d8..5c615a9 100644
--- a/src/libmsc/msc_mgcp.c
+++ b/src/libmsc/msc_mgcp.c
@@ -197,10 +197,15 @@
 		osmo_fsm_inst_dispatch(fi, EV_TEARDOWN_ERROR, mgcp_ctx);
 	}
 
-	/* Request the higher layers to release the call */
-	mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET,
-		       GSM48_CC_CAUSE_RESOURCE_UNAVAIL);
-	mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc);
+	/* Request the higher layers (gsm_04_08.c) to release the call. If the
+	 * problem occured after msc_mgcp_call_release() was calls, remain
+	 * silent because we already got informed and the higher layers might
+	 * already freed their context information (trans). */
+	if (!mgcp_ctx->free_ctx) {
+		mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET,
+			       GSM48_CC_CAUSE_RESOURCE_UNAVAIL);
+		mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc);
+	}
 }
 
 /* Timer callback to shut down in case of connectivity problems */
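Review bot: The new `if (!mgcp_ctx->free_ctx)` guard protects only this one dereference of `mgcp_ctx->trans`, while the pointer itself stays set after the higher layers may have freed trans, so any other code that reaches `mgcp_ctx->trans` after release is exposed in the same way. Consider also clearing `mgcp_ctx->trans` at the point where `free_ctx` is set (that code is not part of this hunk) so a late access fails on a NULL pointer instead of reading freed memory, and document on the `free_ctx` field that it doubles as the "call already released" indicator, since its name does not say so. The added comment has three typos worth fixing before merge: "occured" should be "occurred", "was calls" should be "was called", and "might already freed" should be "might already have freed".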

-- 
To view, visit https://gerrit.osmocom.org/7325
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I78f1b6a9149488a4ad3f120c1e190a83c07d4b89
Gerrit-PatchSet: 2
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: dexter <pmaier at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder


