matanp submitted this change.

View Change

silent_call: Fix use after free of paging request

Before this change trans->paging_request was not assigned correctly.
In some cases it caused trans_free to not call paging_request_remove.
If the paging timeouts, paging_cb_silent would call trans_free again
with a stale pointer.

Change-Id: I93913d189800d71f82c013b6e946bd63db362f65
---
M src/libmsc/silent_call.c
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/libmsc/silent_call.c b/src/libmsc/silent_call.c
index a59e3af..c450fdc 100644
--- a/src/libmsc/silent_call.c
+++ b/src/libmsc/silent_call.c
@@ -152,8 +152,9 @@
 	}
 	trans->silent_call.from_vty = vty;
 
-	if (!paging_request_start(vsub, PAGING_CAUSE_CALL_BACKGROUND, paging_cb_silent, trans,
-				  "establish silent call")) {
+	trans->paging_request = paging_request_start(vsub, PAGING_CAUSE_CALL_BACKGROUND, paging_cb_silent, trans,
+						     "establish silent call");
+	if (!trans->paging_request) {
 		trans_free(trans);
 		return -ENODEV;
 	}

To view, visit change 40852. To unsubscribe, or for help writing mail filters, visit settings.