This patch fixes a double free of a paging request.
The function paging_T3113_expired() must call paging_remove_request() first. Then the cbfn may be called. The cbfn function cannot eventually remove the paging request again, because it is not in the list anymore.
The result of a paging timeout was a crash.
diff --git a/openbsc/src/paging.c b/openbsc/src/paging.c index 5a9643c..164a08b 100644 --- a/openbsc/src/paging.c +++ b/openbsc/src/paging.c @@ -224,11 +243,13 @@ static void paging_T3113_expired(void *data) sig_data.bts = req->bts; sig_data.lchan = NULL;
+ /* must be destroyed before calling cbfn, to prevent double free */ + paging_remove_request(&req->bts->paging, req); + dispatch_signal(SS_PAGING, S_PAGING_COMPLETED, &sig_data); if (req->cbfn) req->cbfn(GSM_HOOK_RR_PAGING, GSM_PAGING_EXPIRED, NULL, NULL, req->cbfn_param); - paging_remove_request(&req->bts->paging, req); }
static int _paging_request(struct gsm_bts *bts, struct gsm_subscriber *subscr,
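Review bot: moving paging_remove_request(&req->bts->paging, req) ahead of the callback removes the double free but leaves a use-after-free in the same hunk: the lines that follow still dereference req (`if (req->cbfn)` and the `req->cbfn_param` argument) after the request has been removed, which, as the commit message's double-free rationale implies and the follow-up reply confirms, frees it. Copy req->cbfn and req->cbfn_param into local variables before the call to paging_remove_request() and invoke the callback through those copies; sig_data.bts is already read before the removal, so it needs no change.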
On Monday 16 November 2009 18:52:31 Andreas.Eversberg wrote:
This patch fixes a double free of a paging request.
The function paging_T3113_expired() must call paging_remove_request() first. Then the cbfn may be called. The cbfn function cannot eventually remove the paging request again, because it is not in the list anymore.
The result of a paging timeout was a crash.
diff --git a/openbsc/src/paging.c b/openbsc/src/paging.c index 5a9643c..164a08b 100644 --- a/openbsc/src/paging.c +++ b/openbsc/src/paging.c @@ -224,11 +243,13 @@ static void paging_T3113_expired(void *data) sig_data.bts = req->bts; sig_data.lchan = NULL;
- /* must be destroyed before calling cbfn, to prevent double free
*/
- paging_remove_request(&req->bts->paging, req);
- dispatch_signal(SS_PAGING, S_PAGING_COMPLETED, &sig_data); if (req->cbfn) req->cbfn(GSM_HOOK_RR_PAGING, GSM_PAGING_EXPIRED, NULL,
NULL, req->cbfn_param);
Ack, this has one issue though... "req" now points to freed memory. We will need to put a copy of the callback and the data somewhere before calling the callback. I'm doing this right now.
z.
On Mon, Nov 16, 2009 at 06:52:31PM +0100, Andreas.Eversberg wrote:
This patch fixes a double free of a paging request.
thanks for your patch, seems like it was already applied...