From e80adc70397913c1dfda204225095ee9e54284cf Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Thu, 25 Jun 2020 13:15:09 +0200
Subject: osmo_ss7: remove use-after-free of stream_server after close_cb
In I9b3ae6dfcf6efeabb7fb6c33503d1d7924fec2fa we fixed some problems regarding rapid open/close cycles of inbound M3UA client connections. Unfortunately the fix now triggered another bug. xua_srv_conn_closed_cb() is called by libosmo-netif stream code whenever a connection (socket) is closed. As the stream_server is de-allocated right after this call-back, the call-back must make sure to remove any pending references to the stream_server.
Change-Id: I2464cf524f1f91bfad10ff1861a03bf1461dfed8
Related: OS#4625
---
 src/osmo_ss7.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/osmo_ss7.c b/src/osmo_ss7.c
index 9aeed9b..cdac27a 100644
--- a/src/osmo_ss7.c
+++ b/src/osmo_ss7.c
@@ -1786,12 +1786,13 @@ static int xua_srv_conn_closed_cb(struct osmo_stream_srv *srv)
 /* send M-SCTP_RELEASE.ind to Layer Manager */
 xua_asp_send_xlm_prim_simple(asp, OSMO_XLM_PRIM_M_SCTP_RELEASE, PRIM_OP_INDICATION);
+ asp->server = NULL;
+
 /* if we were dynamically allocated at accept_cb() time, let's
 * self-destruct now. A new connection will re-create the ASP. */
 if (asp->dyn_allocated) {
 /* avoid re-entrance via osmo_stream_srv_destroy() which
 * called us */
- asp->server = NULL;
 osmo_ss7_asp_destroy(asp);
 }
-- 
cgit v1.2.3
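Review bot: The comment `/* avoid re-entrance via osmo_stream_srv_destroy() which called us */` now sits above only the `osmo_ss7_asp_destroy(asp);` call, while the line it actually explains, `asp->server = NULL;`, has moved up before the `if (asp->dyn_allocated)` check where it carries no comment at all; a reader of the new code cannot tell why the pointer is cleared unconditionally. I would comment the new line instead, e.g. `/* libosmo-netif frees srv right after this callback returns; drop our reference now so neither osmo_ss7_asp_destroy() below (re-entrance) nor a later use of asp->server on a statically configured ASP touches freed memory */`, and shorten the old comment to a bare `/* see above: asp->server is already NULL */`. Two things the hunk does not show and that are worth confirming: that osmo_ss7_asp_destroy() really skips osmo_stream_srv_destroy() when asp->server is NULL, and that every path dereferencing asp->server for a non-dynamic ASP tolerates NULL — otherwise the old use-after-free becomes a NULL dereference that a remote M3UA client can trigger by connecting and disconnecting quickly. xua_srv_conn_closed_cb() both starts and ends outside this hunk.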