authorHarald Welte <>2020-06-25 13:15:09 +0200
committerHarald Welte <>2020-06-25 13:15:09 +0200
commite80adc70397913c1dfda204225095ee9e54284cf (patch)
parent5c48fb8e8dc8e20f8409154aeffe1574e370beb5 (diff)
osmo_ss7: remove use-after-free of stream_server after close_cb
In I9b3ae6dfcf6efeabb7fb6c33503d1d7924fec2fa we fixed some problems regarding rapid open/close cycles of inbound M3UA client connections. Unfortunately the fix now triggered another bug. xua_srv_conn_closed_cb() is called by libosmo-netif stream code whenever a connection (socket) is closed. As the stream_server is de-allocated right after this call-back, the call-back must make sure to remove any pending references to the stream_server. Change-Id: I2464cf524f1f91bfad10ff1861a03bf1461dfed8 Related: OS#4625
1 files changed, 2 insertions, 1 deletions
diff --git a/src/osmo_ss7.c b/src/osmo_ss7.c
index 9aeed9b..cdac27a 100644
--- a/src/osmo_ss7.c
+++ b/src/osmo_ss7.c
@@ -1786,12 +1786,13 @@ static int xua_srv_conn_closed_cb(struct osmo_stream_srv *srv)
/* send M-SCTP_RELEASE.ind to Layer Manager */
xua_asp_send_xlm_prim_simple(asp, OSMO_XLM_PRIM_M_SCTP_RELEASE, PRIM_OP_INDICATION);
+ asp->server = NULL;
/* if we were dynamically allocated at accept_cb() time, let's
* self-destruct now. A new connection will re-create the ASP. */
if (asp->dyn_allocated) {
/* avoid re-entrance via osmo_stream_srv_destroy() which
* called us */
- asp->server = NULL;