On Thu, Dec 13, 2012 at 10:14:27PM +0100, Tobias Engel wrote:
> It was, but not in msc_compl_l3. It was/is also accessed in msc_release_connection, but before calling gsm0808_clear, so that is not a problem.
Sorry, I didn't read it carefully enough. I prepared a very simple testcase and it is crashing the NITB. I will apply a patch like the one below and the rule would be that msc_release_connection may only be called from a timer or from the trans_free command.
The test case is attached to this email.
diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c index 9816174..fd482e0 100644 --- a/openbsc/src/libmsc/gsm_04_08.c +++ b/openbsc/src/libmsc/gsm_04_08.c @@ -965,7 +965,6 @@ static int gsm48_rx_mm_imsi_detach_ind(struct gsm_subscriber_connection *co * imagine an IMSI DETACH happening during an active call! */
release_anchor(conn); - msc_release_connection(conn); return 0; }
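Review bot: removing the msc_release_connection(conn) call in gsm48_rx_mm_imsi_detach_ind leaves release_anchor(conn) as the only cleanup step, and the hunk records nothing about who releases the connection afterwards; the existing comment ("imagine an IMSI DETACH happening during an active call!") should be extended to state that the connection is intentionally not released here and may only be released from the anchor timer or via trans_free, so the call is not reintroduced by the next reader who sees release_anchor() followed by return 0.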