This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.
Holger Freyther zecke at selfish.org

On Monday 16 November 2009 18:52:31 Andreas.Eversberg wrote:
> This patch fixes a double free of a paging request.
>
> The function paging_T3113_expired() must call paging_remove_request()
> first. Then the cbfn may be called. The cbfn function cannot then
> remove the paging request again, because it is not in the list anymore.
>
> The result of a paging timeout was a crash.
>
> diff --git a/openbsc/src/paging.c b/openbsc/src/paging.c
> index 5a9643c..164a08b 100644
> --- a/openbsc/src/paging.c
> +++ b/openbsc/src/paging.c
> @@ -224,11 +243,13 @@ static void paging_T3113_expired(void *data)
> sig_data.bts = req->bts;
> sig_data.lchan = NULL;
>
> + /* must be destroyed before calling cbfn, to prevent double free
> */
> + paging_remove_request(&req->bts->paging, req);
> +
> dispatch_signal(SS_PAGING, S_PAGING_COMPLETED, &sig_data);
> if (req->cbfn)
> req->cbfn(GSM_HOOK_RR_PAGING, GSM_PAGING_EXPIRED, NULL,
> NULL,
> req->cbfn_param);

Ack, this has one issue though... "req" now points to freed memory. We will
need to put a copy of the callback and the data somewhere before calling the
callback. I'm doing this right now.

z.
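Review bot: after the added `paging_remove_request(&req->bts->paging, req);` the unchanged lines that follow still dereference `req` (`if (req->cbfn)` and the `req->cbfn_param` argument); if paging_remove_request() frees the request, as the "prevent double free" comment implies, those reads are a use-after-free. Copy `req->cbfn` and `req->cbfn_param` into local variables above the paging_remove_request() call and invoke the callback through the copies; `sig_data.bts` is already captured before the removal, so the dispatch_signal() line is unaffected. The hunk header also claims 11 old lines become 13 while the hunk shows three added lines and no removed ones, so either a `-` line was trimmed from the quote or the header was hand-edited; check that the patch still applies cleanly.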
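The three orderings discussed in this exchange, as an added example that is not OpenBSC code: the original order (callback first, then removal), the order in the posted patch (removal first, then reading `req`), and the order Holger proposes (copy the callback and its parameter, remove, then call). The names paging_remove_request(), paging_request_stop() and the t3113_expired_* variants are stand-ins modelled on the thread, not the project's functions. Requests live in static storage with an "alive" flag rather than on the heap, and a "free" poisons the struct, so a double free or a use-after-free shows up as a counter or a skipped callback instead of undefined behaviour; that modelling is an assumption of the example, not how the real code behaves.

```c
/* Added example, not OpenBSC code: callback-ordering bug from the thread,
 * modelled on a tiny stand-in paging list. Requests are static storage
 * with an "alive" flag, so misuse is counted rather than crashing. */
#include <stdio.h>
#include <string.h>

enum { PAGING_EXPIRED = 1 };
typedef void (*paging_cbfn)(int event, void *param);

struct paging_req {
    struct paging_req *next;
    int subscr;          /* stands in for the paged subscriber */
    int alive;           /* 1 while allocated, 0 after "free" */
    paging_cbfn cbfn;
    void *cbfn_param;
};

struct paging_bts {
    struct paging_req *head;
    int double_frees;    /* frees of an already-freed request */
    int callbacks;       /* how many times a cbfn actually ran */
};

static struct paging_req req_storage;   /* hypothetical: stands in for the heap */

/* "free": poisons the struct as a debugging allocator would and counts a
 * second free of the same request instead of corrupting the heap. */
static void req_free(struct paging_bts *bts, struct paging_req *r)
{
    if (!r->alive) { bts->double_frees++; return; }
    r->alive = 0;
    r->cbfn = NULL;
    r->cbfn_param = NULL;
}

static void unlink_req(struct paging_bts *bts, struct paging_req *r)
{
    struct paging_req **pp;
    for (pp = &bts->head; *pp; pp = &(*pp)->next)
        if (*pp == r) { *pp = r->next; return; }
}

/* Stand-in for paging_remove_request(): unlink and free unconditionally. */
static void paging_remove_request(struct paging_bts *bts, struct paging_req *r)
{
    unlink_req(bts, r);
    req_free(bts, r);
}

/* Stand-in for a "stop paging this subscriber" call a cbfn might make:
 * it only frees what it can still find in the list. */
static void paging_request_stop(struct paging_bts *bts, int subscr)
{
    struct paging_req *r;
    for (r = bts->head; r; r = r->next)
        if (r->subscr == subscr) { paging_remove_request(bts, r); return; }
}

struct cb_ctx { struct paging_bts *bts; int subscr; };

/* Callback that reacts to expiry by stopping the paging itself. */
static void stop_on_expiry(int event, void *param)
{
    struct cb_ctx *ctx = param;
    ctx->bts->callbacks++;
    if (event == PAGING_EXPIRED)
        paging_request_stop(ctx->bts, ctx->subscr);
}

/* Original order: cbfn first (it frees req), then remove: double free. */
static void t3113_expired_original(struct paging_bts *bts, struct paging_req *req)
{
    if (req->cbfn)
        req->cbfn(PAGING_EXPIRED, req->cbfn_param);
    paging_remove_request(bts, req);
}

/* Order of the posted patch: remove first, but req is read afterwards.
 * With the poisoning free the callback is silently lost (use-after-free). */
static void t3113_expired_patch_v1(struct paging_bts *bts, struct paging_req *req)
{
    paging_remove_request(bts, req);
    if (req->cbfn)
        req->cbfn(PAGING_EXPIRED, req->cbfn_param);
}

/* Copy cbfn and its parameter out first, as the reply proposes, then free. */
static void t3113_expired_fixed(struct paging_bts *bts, struct paging_req *req)
{
    paging_cbfn cbfn = req->cbfn;
    void *cbfn_param = req->cbfn_param;
    paging_remove_request(bts, req);
    if (cbfn)
        cbfn(PAGING_EXPIRED, cbfn_param);
}

/* Page subscriber 7 once and run one variant on expiry. Returns
 * double_frees * 10 + callbacks so both counters can be checked. */
int run_variant(void (*variant)(struct paging_bts *, struct paging_req *))
{
    static struct cb_ctx ctx;
    struct paging_bts bts;
    struct paging_req *req = &req_storage;
    memset(&bts, 0, sizeof bts);
    memset(req, 0, sizeof *req);
    ctx.bts = &bts; ctx.subscr = 7;
    req->subscr = 7; req->alive = 1;
    req->cbfn = stop_on_expiry; req->cbfn_param = &ctx;
    bts.head = req;
    variant(&bts, req);
    return bts.double_frees * 10 + bts.callbacks;
}

int main(void)
{
    printf("original: %d  patch v1: %d  fixed: %d\n",
           run_variant(t3113_expired_original),
           run_variant(t3113_expired_patch_v1),
           run_variant(t3113_expired_fixed));
    return 0;
}
```

The result encodes both symptoms: the original order reports one double free plus one callback, the first patch reports no callback at all because the poisoned struct hides it (in real memory this would be a read of freed heap), and only the copy-first order runs the callback exactly once with no double free.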