This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.orgHarald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/11146 ) Change subject: fix a use-after-free in msc_mgcp.c:_handle_error() ...................................................................... fix a use-after-free in msc_mgcp.c:_handle_error() Move code which needs to test the mgcp_ctx->free_ctx flag upwards such that it runs before we're calling functions which will potentially free mgcp_ctx. The code being moved up takes effect only in case mgcp_ctx won't be freed, so there should be no functional difference. Change-Id: I5df17c19e2a68c019f7eaf582b14585caa54b32a Related: OS#2885 --- M src/libmsc/msc_mgcp.c 1 file changed, 10 insertions(+), 10 deletions(-) Approvals: Jenkins Builder: Verified dexter: Looks good to me, but someone else must approve; Verified Harald Welte: Looks good to me, approved diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c index e58b249..acdb785 100644 --- a/src/libmsc/msc_mgcp.c +++ b/src/libmsc/msc_mgcp.c @@ -183,6 +183,16 @@ LOGPFSMLSRC(mgcp_ctx->fsm, LOGL_ERROR, file, line, "%s -- graceful shutdown...\n", get_value_string(msc_mgcp_cause_codes_names, cause)); + /* Request the higher layers (gsm_04_08.c) to release the call. If the + * problem occured after msc_mgcp_call_release() was calls, remain + * silent because we already got informed and the higher layers might + * already freed their context information (trans). */ + if (!mgcp_ctx->free_ctx) { + mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET, + GSM48_CC_CAUSE_RESOURCE_UNAVAIL); + mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc); + } + /* For the shutdown we have two options. Whenever it makes sense to * send a DLCX to the MGW in order to be sure that the connection is * properly cleaned up, the dlcx flag should be set. In other cases 
@@ -205,16 +215,6 @@ osmo_fsm_inst_state_chg(fi, ST_HALT, 0, 0); osmo_fsm_inst_dispatch(fi, EV_TEARDOWN_ERROR, mgcp_ctx); } - - /* Request the higher layers (gsm_04_08.c) to release the call. If the - * problem occured after msc_mgcp_call_release() was calls, remain - * silent because we already got informed and the higher layers might - * already freed their context information (trans). */ - if (!mgcp_ctx->free_ctx) { - mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET, - GSM48_CC_CAUSE_RESOURCE_UNAVAIL); - mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc); - } } /* Timer callback to shut down in case of connectivity problems */ -- To view, visit https://gerrit.osmocom.org/11146 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-msc Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I5df17c19e2a68c019f7eaf582b14585caa54b32a Gerrit-Change-Number: 11146 Gerrit-PatchSet: 1 Gerrit-Owner: Stefan Sperling <ssperling at sysmocom.de> Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org> Gerrit-Reviewer: Jenkins Builder (1000002) Gerrit-Reviewer: dexter <pmaier at sysmocom.de> -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20180928/c01f6eda/attachment.htm>
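Review bot: In the first hunk (@@ -183,6 +183,16 @@), the relocated `if (!mgcp_ctx->free_ctx)` block now calls `mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc)` before the shutdown logic instead of after it, and nothing in the hunk records why it has to stay there. Please extend the comment above the block to say that it must run before the FSM state change and dispatch further down, because those may free mgcp_ctx. Otherwise a later cleanup can move it back and reintroduce the use-after-free. It is also worth confirming that sending MNCC_REL_REQ at this earlier point cannot itself lead the higher layers to release trans or mgcp_ctx, since the code below still uses mgcp_ctx. The commit message says there is no functional difference, but the order of the release request relative to the teardown has changed. While the comment is being touched: "occured" should be "occurred", "was calls" should be "was called", and "might already freed" should be "might have already freed".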
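Review bot: In the second hunk (@@ -205,16 +215,6 @@), the function now ends right after `osmo_fsm_inst_dispatch(fi, EV_TEARDOWN_ERROR, mgcp_ctx);`, with no marker that mgcp_ctx may be gone at that point. A one-line comment after the dispatch, stating that mgcp_ctx may have been freed and must not be dereferenced from here on, would make the constraint visible to whoever next appends code to _handle_error(). The same applies to any path that reaches the end of the function after `osmo_fsm_inst_state_chg(fi, ST_HALT, 0, 0);`.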