<p>Harald Welte <strong>merged</strong> this change.</p><p><a href="https://gerrit.osmocom.org/11146">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Jenkins Builder: Verified
dexter: Looks good to me, but someone else must approve; Verified
Harald Welte: Looks good to me, approved
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">fix a use-after-free in msc_mgcp.c:_handle_error()<br><br>Move code which needs to test the mgcp_ctx->free_ctx flag upwards<br>such that it runs before we're calling functions which will<br>potentially free mgcp_ctx. The code being moved up takes effect<br>only in case mgcp_ctx won't be freed, so there should be no<br>functional difference.<br><br>Change-Id: I5df17c19e2a68c019f7eaf582b14585caa54b32a<br>Related: OS#2885<br>---<br>M src/libmsc/msc_mgcp.c<br>1 file changed, 10 insertions(+), 10 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c</span><br><span>index e58b249..acdb785 100644</span><br><span>--- a/src/libmsc/msc_mgcp.c</span><br><span>+++ b/src/libmsc/msc_mgcp.c</span><br><span>@@ -183,6 +183,16 @@</span><br><span> LOGPFSMLSRC(mgcp_ctx->fsm, LOGL_ERROR, file, line, "%s -- graceful shutdown...\n",</span><br><span> get_value_string(msc_mgcp_cause_codes_names, cause));</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Request the higher layers (gsm_04_08.c) to release the call. If the</span><br><span style="color: hsl(120, 100%, 40%);">+ * problem occured after msc_mgcp_call_release() was calls, remain</span><br><span style="color: hsl(120, 100%, 40%);">+ * silent because we already got informed and the higher layers might</span><br><span style="color: hsl(120, 100%, 40%);">+ * already freed their context information (trans). */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!mgcp_ctx->free_ctx) {</span><br><span style="color: hsl(120, 100%, 40%);">+ mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET,</span><br><span style="color: hsl(120, 100%, 40%);">+ GSM48_CC_CAUSE_RESOURCE_UNAVAIL);</span><br><span style="color: hsl(120, 100%, 40%);">+ mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* For the shutdown we have two options. Whenever it makes sense to</span><br><span> * send a DLCX to the MGW in order to be sure that the connection is</span><br><span> * properly cleaned up, the dlcx flag should be set. In other cases</span><br><span>@@ -205,16 +215,6 @@</span><br><span> osmo_fsm_inst_state_chg(fi, ST_HALT, 0, 0);</span><br><span> osmo_fsm_inst_dispatch(fi, EV_TEARDOWN_ERROR, mgcp_ctx);</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- /* Request the higher layers (gsm_04_08.c) to release the call. If the</span><br><span style="color: hsl(0, 100%, 40%);">- * problem occured after msc_mgcp_call_release() was calls, remain</span><br><span style="color: hsl(0, 100%, 40%);">- * silent because we already got informed and the higher layers might</span><br><span style="color: hsl(0, 100%, 40%);">- * already freed their context information (trans). */</span><br><span style="color: hsl(0, 100%, 40%);">- if (!mgcp_ctx->free_ctx) {</span><br><span style="color: hsl(0, 100%, 40%);">- mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET,</span><br><span style="color: hsl(0, 100%, 40%);">- GSM48_CC_CAUSE_RESOURCE_UNAVAIL);</span><br><span style="color: hsl(0, 100%, 40%);">- mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc);</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span> }</span><br><span> </span><br><span> /* Timer callback to shut down in case of connectivity problems */</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/11146">change 11146</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/11146"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: osmo-msc </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I5df17c19e2a68c019f7eaf582b14585caa54b32a </div>
<div style="display:none"> Gerrit-Change-Number: 11146 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Stefan Sperling <ssperling@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Harald Welte <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder (1000002) </div>
<div style="display:none"> Gerrit-Reviewer: dexter <pmaier@sysmocom.de> </div>