laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-msc/+/28125 )
Change subject: smpp: Fix use-after-free bug when ESME disconnects but has write pending
smpp: Fix use-after-free bug when ESME disconnects but has write pending
When the SMPP code frees an ESME it also frees the related write_queue and the osmo_fd contained therein. So if this happens while we are in esme_link_read_cb(), we must return -EBADF to make osmo_wqueue_bfd_cb() of libosmocore avoid further accessing related memory.
Change-Id: I441d3b05c2f2556c530783a7f66c73adf6d845a1
Closes: OS#5565
---
M src/libmsc/smpp_smsc.c
1 file changed, 1 insertion(+), 1 deletion(-)
Approvals:
pespin: Looks good to me, but someone else must approve
fixeria: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/src/libmsc/smpp_smsc.c b/src/libmsc/smpp_smsc.c index 4581865..6712032 100644 --- a/src/libmsc/smpp_smsc.c +++ b/src/libmsc/smpp_smsc.c @@ -888,7 +888,7 @@ esme->acl->esme = NULL; smpp_esme_put(esme);
- return 0; + return -EBADF; }
/* call-back of write queue once it wishes to write a message to the socket */
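Review bot: The new `return -EBADF;` at the end of the hunk should carry a one-line comment explaining why it is not `return 0;`: the preceding `smpp_esme_put(esme);` can drop the last reference and free the ESME together with its write_queue and the osmo_fd inside it, so the caller (osmo_wqueue_bfd_cb) must be told not to touch the fd afterwards. Without that comment in the code itself, the rationale lives only in the commit message and a later cleanup could revert the return value and reintroduce the use-after-free. Suggested: `/* esme may have been freed above; -EBADF stops osmo_wqueue_bfd_cb() from touching the fd */` directly above the return.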