dexter has uploaded this change for review. ( https://gerrit.osmocom.org/10334 )


Change subject: GSCON: fix segfault after gscon timeout
......................................................................

GSCON: fix segfault after gscon timeout

The gscon timeout callback function gscon_timer_cb() may call
a_reset_conn_fail(). When doing so it dereferences conn->sccp.msc.
However, there may be situations where sccp.msc is not populated. This
is the case when the subscriber connection is just created but no SCCP
connection is present yet.

For example, when the connection between BSC and MSC is down, then we
never get an SCCP connection and the timeout function executes. Then
the call to a_reset_conn_fail() leads into a null pointer dereference.

- Check if conn->sccp.msc is populated before calling
  a_reset_conn_fail()

Change-Id: I0802aaadf0af4e58e41c98999e8c6823838adb61
Related: OS#3447
---
M src/osmo-bsc/bsc_subscr_conn_fsm.c
1 file changed, 2 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/34/10334/1

diff --git a/src/osmo-bsc/bsc_subscr_conn_fsm.c 
b/src/osmo-bsc/bsc_subscr_conn_fsm.c
index bc7539b..20cd53a 100644
--- a/src/osmo-bsc/bsc_subscr_conn_fsm.c
+++ b/src/osmo-bsc/bsc_subscr_conn_fsm.c
@@ -784,7 +784,8 @@
                 * disconnected. */
                LOGPFSML(fi, LOGL_ERROR, "Long after a BSSMAP Clear Command, 
the conn is still not"
                         " released. For sanity, discarding this conn now.\n");
-               a_reset_conn_fail(conn->sccp.msc->a.reset_fsm);
+               if (conn->sccp.msc)
+                       a_reset_conn_fail(conn->sccp.msc->a.reset_fsm);
                osmo_fsm_inst_term(fi, OSMO_FSM_TERM_ERROR, NULL);
                break;
        default:
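Review bot: the new `if (conn->sccp.msc)` guard removes the NULL dereference in the timer path, but when `sccp.msc` is unset the conn is now discarded silently with the reset FSM notification skipped; consider an `else` branch with a debug-level `LOGPFSML(fi, LOGL_DEBUG, ...)` so that "conn discarded without an SCCP connection" is visible in the log when debugging the BSC-MSC link-down case described in the commit message. Also worth confirming that `conn->sccp.msc->a.reset_fsm` is always populated whenever `sccp.msc` is, since the guard only checks the outer pointer.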

--
To view, visit https://gerrit.osmocom.org/10334

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0802aaadf0af4e58e41c98999e8c6823838adb61
Gerrit-Change-Number: 10334
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <[email protected]>
