fixeria has uploaded this change for review.
sgsn_libgtp: fix NULL dereference in cb_delete_context()
sgsn_pdp_ctx_free() contains an abnormal path (with a backtrace log)
for the case where a PDP context is freed while its libgtp handle is
still attached. In that path, lib->priv is set to NULL to prevent
other callbacks (e.g. cb_data_ind()) from dereferencing the already-
freed sgsn_pdp_ctx.
When libgtp subsequently calls cb_delete_context() as part of its own
teardown, pdp->priv is NULL, causing an immediate NULL dereference at
the pctx->lib = NULL assignment.
Guard against this by returning early when priv is NULL: the SGSN-side
context is already gone, so there is nothing left for the callback to do.
Change-Id: I7d800766b08d87b6f2b23a0cd45435925f9998ff
---
M src/sgsn/sgsn_libgtp.c
1 file changed, 6 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/02/42602/1
diff --git a/src/sgsn/sgsn_libgtp.c b/src/sgsn/sgsn_libgtp.c
index 4021bbc..e4fc9fd 100644
--- a/src/sgsn/sgsn_libgtp.c
+++ b/src/sgsn/sgsn_libgtp.c
@@ -702,6 +702,12 @@
LOGPDPX(DGPRS, LOGL_INFO, pdp, "Context %p was deleted\n", pdp);
+ /* sgsn_pdp_ctx_free() clears pdp->priv when it has to release a context
+ * that still has a libgtp handle attached (the "shouldn't happen" path).
+ * In that case the SGSN side is already gone; nothing to do here. */
+ if (!pctx)
+ return 0;
+
/* unlink the now non-existing library handle from the pdp context.
This way we avoid calling pdp_freepdp() on it, since after returning
from cb_delete_context callback, libgtp is already doing so. */
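Review bot: the guard tests `pctx` while the comment right above it talks about `pdp->priv`, and the assignment that ties the two together sits above the hunk window; stating in the comment that `pctx` is the cached `pdp->priv` (or testing `pdp->priv` directly) would make it obvious that this early return is exactly the NULL-priv case the commit message describes. Consider also emitting a short LOGL_NOTICE line before the `return 0;` instead of returning silently: the commit message says this only happens on the abnormal path that already logged a backtrace in sgsn_pdp_ctx_free(), and a matching message in the callback makes the two events easy to correlate in the log. Lastly, since the commit message says priv is cleared to protect other callbacks such as cb_data_ind(), it is worth confirming that every libgtp callback which reads pdp->priv carries an equivalent NULL check, otherwise the crash only moves to the next callback.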