laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bsc/+/28884 ) Change subject: bsc_subscr_conn_fsm: fix use after free ...................................................................... bsc_subscr_conn_fsm: fix use after free In cases where the MGCP client endpoint FSM is terminating early the bsc sbscr conn FSM receives the signal GSCON_EV_FORGET_MGW_ENDPOINT, which then calls gscon_forget_mgw_endpoint(). However, this only nulls the conn->user_plane->mgw_endpoint_ci_msc struct pointer, not the others. This causes the assignment FSM to access conn->assignment.created_ci_for_msc whle trying to initiate a DLCX. We must make sure that when the MGCP client endpoint FSM dies, that all other CI pointers that reference the same CI are also set to NULL. Change-Id: Ia857e3af6c17282b7e8178b6d249eb0f99ed98e3 Related: OS#5572 --- M src/osmo-bsc/bsc_subscr_conn_fsm.c 1 file changed, 4 insertions(+), 0 deletions(-) Approvals: Jenkins Builder: Verified fixeria: Looks good to me, but someone else must approve laforge: Looks good to me, approved diff --git a/src/osmo-bsc/bsc_subscr_conn_fsm.c b/src/osmo-bsc/bsc_subscr_conn_fsm.c index 9af28c7..7c0c7c3 100644 --- a/src/osmo-bsc/bsc_subscr_conn_fsm.c +++ b/src/osmo-bsc/bsc_subscr_conn_fsm.c @@ -940,6 +940,10 @@ mgcp_client = osmo_mgcpc_ep_client(conn->user_plane.mgw_endpoint); mgcp_client_pool_put(mgcp_client); + /* Be sure that the endpoint CI we are maintaining in user_plane + * is also removed from the other locations as well. */ + gscon_forget_mgw_endpoint_ci(conn, conn->user_plane.mgw_endpoint_ci_msc); + conn->user_plane.mgw_endpoint = NULL; conn->user_plane.mgw_endpoint_ci_msc = NULL; conn->ho.created_ci_for_msc = NULL; -- To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/28884 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-bsc Gerrit-Branch: master Gerrit-Change-Id: Ia857e3af6c17282b7e8178b6d249eb0f99ed98e3 Gerrit-Change-Number: 28884 Gerrit-PatchSet: 1 Gerrit-Owner: dexter <pmaier(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: neels <nhofmeyr(a)sysmocom.de> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de> Gerrit-MessageType: merged