<p>laforge <strong>submitted</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmo-sgsn/+/20790">View Change</a></p><div style="white-space:pre-wrap">Approvals:
laforge: Looks good to me, approved
Jenkins Builder: Verified
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">Fix crash rx DeactPdpReq while waiting for DeactPdpAck after gtp side is freed<br><br>Scenario:<br>1- For an unknown reason, sgsn sends DeletePdpCtxReq on GTP towards GGSN.<br>2- GGSN answers with Error Indication to that pdp ctx which calls<br> gtp_freepdp()<br>3- gtp_freepdp() calls libgtp callback cb_delete_context() before freeing the<br> pointer, in osmo-sgsn callback points to cb_delete_context(), which<br> removes pctx->ggsn and tries to drop the pdp on the NS side by sending a<br> DeactPdpReq.<br>4- While waiting for DeactPdpAck, the MS/PCU sends a DeactPdpReq, and<br> code was unconditionally trying to release the gtp side without checking<br> if it was already released, using pctx->ggsn==NULL and crashing.<br><br>This is basically the same logic already in place in regular path<br>gsm48_rx_gsm_deact_pdp_ack.<br><br>Related: OS#4817<br>Change-Id: I02587a3dc812823d893fc00b904142b75fd190b9<br>---<br>M src/sgsn/gprs_sm.c<br>1 file changed, 5 insertions(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/sgsn/gprs_sm.c b/src/sgsn/gprs_sm.c</span><br><span>index f8019ab..3bdad3b 100644</span><br><span>--- a/src/sgsn/gprs_sm.c</span><br><span>+++ b/src/sgsn/gprs_sm.c</span><br><span>@@ -639,7 +639,11 @@</span><br><span> return _gsm48_tx_gsm_deact_pdp_acc(mm, transaction_id);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- return sgsn_delete_pdp_ctx(pdp);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (pdp->ggsn)</span><br><span style="color: hsl(120, 100%, 40%);">+ return sgsn_delete_pdp_ctx(pdp);</span><br><span style="color: hsl(120, 100%, 40%);">+ /* GTP side already detached, freeing */</span><br><span style="color: hsl(120, 100%, 40%);">+ sgsn_pdp_ctx_free(pdp);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span> }</span><br><span> 
</span><br><span> /* 3GPP TS 24.008 ยง 9.5.9: Deactivate PDP Context Accept */</span><br><span></span><br></pre>
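Review bot: In the new fall-through path for pdp->ggsn == NULL (the added sgsn_pdp_ctx_free(pdp); return 0; lines), nothing visible in the hunk answers the MS's Deactivate PDP Context Request, whereas the branch just above returns _gsm48_tx_gsm_deact_pdp_acc(mm, transaction_id). Please confirm whether an Accept should also be sent here before freeing, or note in the comment why it is not needed. The commit message also says a DeactPdpReq from the SGSN is still outstanding at this point, so it is worth stating that sgsn_pdp_ctx_free() leaves no pending reference to pdp that a late DeactPdpAck or retransmission could reach. A log line in this branch would help, since it records a state mismatch between the GTP and NS sides that the commit message describes as having an unknown trigger.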
<div style="display:none"> Gerrit-Project: osmo-sgsn </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I02587a3dc812823d893fc00b904142b75fd190b9 </div>
<div style="display:none"> Gerrit-Change-Number: 20790 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>