From 722f2b4161b01aceb37ab0b2c41ab09b92c4e93f Mon Sep 17 00:00:00 2001 From: Stefan Sperling Date: Fri, 28 Sep 2018 14:26:35 +0200 Subject: fix a use-after-free in msc_mgcp.c:_handle_error() Move code which needs to test the mgcp_ctx->free_ctx flag upwards such that it runs before we're calling functions which will potentially free mgcp_ctx. The code being moved up takes effect only in case mgcp_ctx won't be freed, so there should be no functional difference. Change-Id: I5df17c19e2a68c019f7eaf582b14585caa54b32a Related: OS#2885 --- src/libmsc/msc_mgcp.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c index e58b24903..acdb7859e 100644 --- a/src/libmsc/msc_mgcp.c +++ b/src/libmsc/msc_mgcp.c @@ -183,6 +183,16 @@ static void _handle_error(struct mgcp_ctx *mgcp_ctx, enum msc_mgcp_cause_code ca LOGPFSMLSRC(mgcp_ctx->fsm, LOGL_ERROR, file, line, "%s -- graceful shutdown...\n", get_value_string(msc_mgcp_cause_codes_names, cause)); + /* Request the higher layers (gsm_04_08.c) to release the call. If the + * problem occured after msc_mgcp_call_release() was calls, remain + * silent because we already got informed and the higher layers might + * already freed their context information (trans). */ + if (!mgcp_ctx->free_ctx) { + mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET, + GSM48_CC_CAUSE_RESOURCE_UNAVAIL); + mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc); + } + /* For the shutdown we have two options. Whenever it makes sense to * send a DLCX to the MGW in order to be sure that the connection is * properly cleaned up, the dlcx flag should be set. In other cases @@ -205,16 +215,6 @@ static void _handle_error(struct mgcp_ctx *mgcp_ctx, enum msc_mgcp_cause_code ca osmo_fsm_inst_state_chg(fi, ST_HALT, 0, 0); osmo_fsm_inst_dispatch(fi, EV_TEARDOWN_ERROR, mgcp_ctx); } - - /* Request the higher layers (gsm_04_08.c) to release the call. If the - * problem occured after msc_mgcp_call_release() was calls, remain - * silent because we already got informed and the higher layers might - * already freed their context information (trans). */ - if (!mgcp_ctx->free_ctx) { - mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET, - GSM48_CC_CAUSE_RESOURCE_UNAVAIL); - mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc); - } } /* Timer callback to shut down in case of connectivity problems */ -- cgit v1.2.3