On Thu, Dec 13, 2012 at 10:14:27PM +0100, Tobias Engel wrote:
> It was, but not in msc_compl_l3. It was/is also accessed in
> msc_release_connection, but before calling gsm0808_clear, so that is not
> a problem.

Sorry, I didn't read it carefully enough. I prepared a very simple
testcase and it is crashing the NITB. I will apply a patch like
the one below and the rule would be that msc_release_connection may
only be called from a timer or from the trans_free command.
The test case is attached to this email.
diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index 9816174..fd482e0 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -965,7 +965,6 @@ static int gsm48_rx_mm_imsi_detach_ind(struct
gsm_subscriber_connection *co
* imagine an IMSI DETACH happening during an active call! */
release_anchor(conn);
- msc_release_connection(conn);
return 0;
}
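
Review bot: with the msc_release_connection(conn) call gone from gsm48_rx_mm_imsi_detach_ind, nothing in this hunk records who releases the connection after release_anchor(conn) has run, and the remaining comment about an IMSI DETACH during an active call no longer sits next to the code that handled it. The rule stated in the mail, that msc_release_connection may only be called from a timer or from trans_free, should be written down in the code, either as a comment at this spot or on msc_release_connection itself, so a later change does not reintroduce a call from a receive handler and bring back the crash. It would also help to say in the commit message which path now frees the connection after a detach, and to add the attached test case to the tree so the crash is covered by a regression test.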