matanp has submitted this change. ( https://gerrit.osmocom.org/c/osmo-msc/+/40852?usp=email )
Change subject: silent_call: Fix use after free of paging request
......................................................................
silent_call: Fix use after free of paging request
Before this change trans->paging_request was not assigned correctly. In some cases it caused trans_free to not call paging_request_remove. If the paging times out, paging_cb_silent would call trans_free again with a stale pointer.
Change-Id: I93913d189800d71f82c013b6e946bd63db362f65
---
M src/libmsc/silent_call.c
1 file changed, 3 insertions(+), 2 deletions(-)
Approvals:
  fixeria: Looks good to me, but someone else must approve
  Jenkins Builder: Verified
  laforge: Looks good to me, approved
diff --git a/src/libmsc/silent_call.c b/src/libmsc/silent_call.c index a59e3af..c450fdc 100644 --- a/src/libmsc/silent_call.c +++ b/src/libmsc/silent_call.c @@ -152,8 +152,9 @@ } trans->silent_call.from_vty = vty;
- if (!paging_request_start(vsub, PAGING_CAUSE_CALL_BACKGROUND, paging_cb_silent, trans, - "establish silent call")) { + trans->paging_request = paging_request_start(vsub, PAGING_CAUSE_CALL_BACKGROUND, paging_cb_silent, trans, + "establish silent call"); + if (!trans->paging_request) { trans_free(trans); return -ENODEV; }
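Review bot: the pointer stored by `trans->paging_request = paging_request_start(...)` is only safe if every path that completes the paging request also clears it, and this hunk does not show that for paging_cb_silent. Going by the commit message, trans_free calls paging_request_remove when trans->paging_request is set, and paging_cb_silent calls trans_free on timeout; with the field now populated, that removal would happen from inside the request's own callback. Please confirm that paging_cb_silent resets trans->paging_request to NULL before freeing the transaction, or that removing a request from within its callback is supported. The error branch is fine as written: trans->paging_request is NULL there, so trans_free(trans) has nothing to remove. The commit message would also be easier to audit later if "In some cases" named the case that left the stale pointer.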