This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.orgReview at https://gerrit.osmocom.org/6359 a_iface: Fix heap-use-after-free in a_clear_all() We cannot use conn->a.conn_id after conn has been free'd inside msc_clear_request(). Let's store conn_id before that call to ensure we avoid an use-after-free situation. A more elegant (but more intrusive) solution would be to move the SCCP connection clearing into the FSM itself. Change-Id: Ibe41aa503e9f7cbeb05dce4b1a20b3eac85e619f Closes: OS#2922 --- M src/libmsc/a_iface.c 1 file changed, 5 insertions(+), 3 deletions(-) git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/59/6359/1 diff --git a/src/libmsc/a_iface.c b/src/libmsc/a_iface.c index b769b0a..3983ede 100644 --- a/src/libmsc/a_iface.c +++ b/src/libmsc/a_iface.c @@ -605,14 +605,16 @@ /* Clear only A connections and connections that actually * belong to the specified BSC */ if (conn->via_ran == RAN_GERAN_A && memcmp(bsc_addr, &conn->a.bsc_addr, sizeof(conn->a.bsc_addr)) == 0) { + uint32_t conn_id = conn->a.conn_id; LOGPCONN(conn, LOGL_NOTICE, "Dropping orphaned subscriber connection\n"); + /* This call will/may talloc_free(conn), so we must save conn_id above */ msc_clear_request(conn, GSM48_CC_CAUSE_SWITCH_CONG); /* If there is still an SCCP connection active, remove it now */ - if (check_connection_active(conn->a.conn_id)) { - osmo_sccp_tx_disconn(scu, conn->a.conn_id, bsc_addr, + if (check_connection_active(conn_id)) { + osmo_sccp_tx_disconn(scu, conn_id, bsc_addr, SCCP_RELEASE_CAUSE_END_USER_ORIGINATED); - a_delete_bsc_con(conn->a.conn_id); + a_delete_bsc_con(conn_id); } } } -- To view, visit https://gerrit.osmocom.org/6359 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibe41aa503e9f7cbeb05dce4b1a20b3eac85e619f Gerrit-PatchSet: 1 Gerrit-Project: osmo-msc Gerrit-Branch: master Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
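Review bot: The new comment above msc_clear_request(conn, GSM48_CC_CAUSE_SWITCH_CONG) says the call "will/may talloc_free(conn)", which leaves it unclear whether the free is unconditional. State the condition under which msc_clear_request() releases conn, or document it at msc_clear_request() itself, so a later edit does not reintroduce a conn-> dereference after the call. Because conn can be freed inside this body, also confirm that the enclosing iteration, whose header lies outside the hunk context, does not read conn again to advance to the next entry; for a linked list that means a _safe iterator such as llist_for_each_entry_safe. The three replaced uses (check_connection_active, osmo_sccp_tx_disconn, a_delete_bsc_con) cover every conn-> access visible after the call in this hunk.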