patch: fix of double free bug

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Andreas.Eversberg Andreas.Eversberg at versatel.de
Mon Nov 16 17:52:31 UTC 2009


This patch fixes a double free of the paging request.

The function paging_T3113_expired() must call paging_remove_request()
first; then the cbfn may be called. The cbfn function then cannot
remove the paging request again, because it is not in the list anymore.

The result of a paging timeout was a crash.

diff --git a/openbsc/src/paging.c b/openbsc/src/paging.c
index 5a9643c..164a08b 100644
--- a/openbsc/src/paging.c
+++ b/openbsc/src/paging.c
@@ -224,11 +243,13 @@ static void paging_T3113_expired(void *data)
 	sig_data.bts	= req->bts;
 	sig_data.lchan	= NULL;
 
+	/* must be destroyed before calling cbfn, to prevent double free
*/
+	paging_remove_request(&req->bts->paging, req);
+
 	dispatch_signal(SS_PAGING, S_PAGING_COMPLETED, &sig_data);
 	if (req->cbfn)
 		req->cbfn(GSM_HOOK_RR_PAGING, GSM_PAGING_EXPIRED, NULL,
NULL,
 			  req->cbfn_param);
-	paging_remove_request(&req->bts->paging, req);
 }
 
 static int _paging_request(struct gsm_bts *bts, struct gsm_subscriber
*subscr,
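Review bot: after the moved `paging_remove_request(&req->bts->paging, req);` call, the unchanged lines below it still read `req->cbfn` and `req->cbfn_param`; the new comment says the request "must be destroyed" there, so on every expiry with a callback set the handler now dereferences a freed request (the double free is traded for a use after free). Copy `req->cbfn` and `req->cbfn_param` into local variables before the call to paging_remove_request() and invoke the callback through those copies; `sig_data` only carries `req->bts`, so the dispatch_signal() line is unaffected.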

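The ordering the mail describes, as an added example that is not OpenBSC code: a minimal paging queue whose expiry handler removes and frees the request before invoking the callback, copying the callback fields out first, while the callback attempts the second removal that used to cause the double free. The names (paging_queue, paging_remove_by_param, stop_paging_cb, t3113_expired, run_expiry_demo) are hypothetical stand-ins for the real ones.

```c
#include <stdlib.h>
struct paging_queue { struct paging_req *head; int frees; };
struct paging_req {
    struct paging_req *next;
    void (*cbfn)(struct paging_queue *q, void *param);
    void *cbfn_param;
};

/* Unlink and free every queued request for this subscriber, counting frees
 * so a test can check it happens once; a request that is already gone is
 * simply not found, which is what makes a repeated call harmless. */
static void paging_remove_by_param(struct paging_queue *q, void *param)
{
    struct paging_req **pp = &q->head;
    while (*pp) {
        if ((*pp)->cbfn_param != param) { pp = &(*pp)->next; continue; }
        struct paging_req *victim = *pp;
        *pp = victim->next;
        free(victim);
        q->frees++;
    }
}

/* Like the callback the mail describes: stops paging for the subscriber again. */
static void stop_paging_cb(struct paging_queue *q, void *param) { paging_remove_by_param(q, param); }

/* Expiry handler in the order the patch establishes: remove (free) first, then
 * call back. cbfn and its parameter are copied out before the removal so
 * nothing dereferences req once it has been freed. */
static void t3113_expired(struct paging_queue *q, struct paging_req *req)
{
    void (*cbfn)(struct paging_queue *, void *) = req->cbfn;
    void *param = req->cbfn_param;
    paging_remove_by_param(q, param);   /* req is dangling from here on */
    if (cbfn)
        cbfn(q, param);
}

/* Queue one request, expire it, return the free count (-1 on error or if still queued). */
int run_expiry_demo(void)
{
    static int subscr_id = 42;          /* constructed subscriber stand-in */
    struct paging_queue q = { NULL, 0 };
    struct paging_req *req = calloc(1, sizeof(*req));
    if (!req)
        return -1;
    req->cbfn = stop_paging_cb;
    req->cbfn_param = &subscr_id;
    q.head = req;
    t3113_expired(&q, req);
    return q.head ? -1 : q.frees;
}
```

With the callback still running a second removal, the request is freed exactly once and the queue ends up empty.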