avoid use-after-free: on MGW endpoint dealloc, also forget it in conn->ho.*

With the FORGET_MGW_ENDPOINT event, the MGW endpoint FSM notifies the gscon
that it has deallocated and that hence the gscon should forget all references
to it (to avoid a use-after-free).

Also do this for the endpoint FSM and endpoint ci pointers in the conn->ho.*
sub struct.

I saw a use-after-free after a Handover Failure message tears down the lchan
and MGW endpoint before triggering the handover_fsm.c cleanup code, which also
tries to clean up an endpoint CI if it was created for the failed Handover.

Change-Id: I6702ccd0df44bea5eb8b26d471d7903c24e6e30b

1 files changed, 6 insertions, 3 deletions

diff --git a/src/osmo-bsc/bsc_subscr_conn_fsm.c b/src/osmo-bsc/bsc_subscr_conn_fsm.c
index 13a573021..1cc0c78b4 100644
--- a/src/osmo-bsc/bsc_subscr_conn_fsm.c
+++ b/src/osmo-bsc/bsc_subscr_conn_fsm.c
@@ -699,6 +699,7 @@ static void gscon_forget_mgw_endpoint(struct gsm_subscriber_connection *conn)
 {
 	conn->user_plane.mgw_endpoint = NULL;
 	conn->user_plane.mgw_endpoint_ci_msc = NULL;
+	conn->ho.created_ci_for_msc = NULL;
 	lchan_forget_mgw_endpoint(conn->lchan);
 	lchan_forget_mgw_endpoint(conn->assignment.new_lchan);
 	lchan_forget_mgw_endpoint(conn->ho.new_lchan);
@@ -706,9 +707,11 @@ static void gscon_forget_mgw_endpoint(struct gsm_subscriber_connection *conn)
 
 void gscon_forget_mgw_endpoint_ci(struct gsm_subscriber_connection *conn, struct mgwep_ci *ci)
 {
-	if (ci != conn->user_plane.mgw_endpoint_ci_msc)
-		return;
-	conn->user_plane.mgw_endpoint_ci_msc = NULL;
+	if (conn->ho.created_ci_for_msc == ci)
+		conn->ho.created_ci_for_msc = NULL;
+
+	if (conn->user_plane.mgw_endpoint_ci_msc == ci)
+		conn->user_plane.mgw_endpoint_ci_msc = NULL;
 }
 
 static void gscon_fsm_allstate(struct osmo_fsm_inst *fi, uint32_t event, void *data)