pespin has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/38969?usp=email )

Change subject: e1_input: Guard against crash by users calling reentrant e1inp_sign_link_destroy() ......................................................................

e1_input: Guard against crash by users calling reentrant e1inp_sign_link_destroy()

Related: osmo-bsc.git Change-Id Ice71b3143f167482e4a23759012b58e9ee13bfc0 Related: osmo-bts.git Change-Id Ibc06cdc2d2cd2028b7676fa0c3211ae251cca587 Change-Id: Ib761cece68f1d809e27194bc5cc2eb15ad2ae4eb --- M src/e1_input.c 1 file changed, 11 insertions(+), 1 deletion(-)

Approvals: osmith: Looks good to me, but someone else must approve Jenkins Builder: Verified laforge: Looks good to me, but someone else must approve fixeria: Looks good to me, approved

diff --git a/src/e1_input.c b/src/e1_input.c index 76adbd9..066a572 100644 --- a/src/e1_input.c +++ b/src/e1_input.c @@ -810,7 +810,17 @@ { struct msgb *msg;

- llist_del(&link->list); + /* Catch upper layers behaving wrongly, calling e1inp_sign_link_destroy() + * and then during the driver->close() callback below ending up calling + * this function again deeper in the call stack in the same code path. */ + if (llist_empty(&link->list)) { + LOGP(DLINP, LOGL_ERROR, "Fix your application, " + "caught reentrant e1inp_sign_link_destroy(%p)!\n", link); + return; + } + /* Use llist_del_init() to catch double destroy above: */ + llist_del_init(&link->list); + while (!llist_empty(&link->tx_list)) { msg = msgb_dequeue(&link->tx_list); msgb_free(msg);