From ad4ea3b10e66bbd5cad27d16532b0c5fc239946a Mon Sep 17 00:00:00 2001
From: Alexander Couzens
Date: Tue, 24 Jul 2018 19:04:47 +0200
Subject: hnbgw: remove close_cb() to fix a crash when releasing a hnbgw
The read callback should catch all errors already. Previous when a read fails it: * hnb_context_release() -> osmo_stream_srv_destroy() -> hnb_context_release() On the second hnb_context_release() the hnbgw will crash because calling llist_del() twice on the same object.
Fixes: OS#3416
Change-Id: Ic84b2184b7fc850c0de2acacf179e86771e17510
---
 include/osmocom/iuh/hnbgw.h | 2 +-
 src/hnbgw.c | 21 +++++----------------
 src/hnbgw_hnbap.c | 4 ++--
 3 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/include/osmocom/iuh/hnbgw.h b/include/osmocom/iuh/hnbgw.h
index b79bcc1..db49dc1 100644
--- a/include/osmocom/iuh/hnbgw.h
+++ b/include/osmocom/iuh/hnbgw.h
@@ -161,7 +161,7 @@ struct ue_context *ue_context_alloc(struct hnb_context *hnb, const char *imsi,
 void ue_context_free(struct ue_context *ue);
 struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_link *link, int new_fd);
-void hnb_context_release(struct hnb_context *ctx, bool destroy_conn);
+void hnb_context_release(struct hnb_context *ctx);
 void hnbgw_vty_init(struct hnb_gw *gw, void *tall_ctx);
 int hnbgw_vty_go_parent(struct vty *vty);
diff --git a/src/hnbgw.c b/src/hnbgw.c
index 94d8fb9..91e551b 100644
--- a/src/hnbgw.c
+++ b/src/hnbgw.c
@@ -202,16 +202,6 @@ void ue_context_free(struct ue_context *ue)
 llist_del(&ue->list);
 talloc_free(ue);
 }
-static int hnb_close_cb(struct osmo_stream_srv *conn)
-{
- struct hnb_context *hnb = osmo_stream_srv_get_data(conn);
-
- /* This connection is about to be closed. Destroy the HNB context now. */
- if (hnb)
- hnb_context_release(hnb, false);
-
- return 0;
-}
 static int hnb_read_cb(struct osmo_stream_srv *conn)
 {
@@ -234,10 +224,10 @@ static int hnb_read_cb(struct osmo_stream_srv *conn)
 } else if (rc < 0) {
 LOGP(DMAIN, LOGL_ERROR, "Error during sctp_recvmsg()\n");
 /* FIXME: clean up after disappeared HNB */
- hnb_context_release(hnb, true);
+ hnb_context_release(hnb);
 goto out;
 } else if (rc == 0) {
- hnb_context_release(hnb, true);
+ hnb_context_release(hnb);
 rc = -1;
 goto out;
@@ -283,7 +273,7 @@ struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_
 INIT_LLIST_HEAD(&ctx->map_list);
 ctx->gw = gw;
- ctx->conn = osmo_stream_srv_create(tall_hnb_ctx, link, new_fd, hnb_read_cb, hnb_close_cb, ctx);
+ ctx->conn = osmo_stream_srv_create(tall_hnb_ctx, link, new_fd, hnb_read_cb, NULL, ctx);
 if (!ctx->conn) {
 LOGP(DMAIN, LOGL_INFO, "error while creating connection\n");
 talloc_free(ctx);
@@ -294,7 +284,7 @@ struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_
 return ctx;
 }
-void hnb_context_release(struct hnb_context *ctx, bool destroy_conn)
+void hnb_context_release(struct hnb_context *ctx)
 {
 struct hnbgw_context_map *map, *map2;
@@ -312,8 +302,7 @@ void hnb_context_release(struct hnb_context *ctx, bool destroy_conn)
 }
 ue_context_free_by_hnb(ctx->gw, ctx);
- if (destroy_conn)
- osmo_stream_srv_destroy(ctx->conn);
+ osmo_stream_srv_destroy(ctx->conn);
 talloc_free(ctx);
 }
diff --git a/src/hnbgw_hnbap.c b/src/hnbgw_hnbap.c
index acc5aff..2a19dda 100644
--- a/src/hnbgw_hnbap.c
+++ b/src/hnbgw_hnbap.c
@@ -84,7 +84,7 @@ static int hnbgw_tx_hnb_register_rej(struct hnb_context *ctx)
 osmo_stream_srv_set_flush_and_destroy(ctx->conn);
 } else {
 /* The message was not queued. Destroy the connection right away. */
- hnb_context_release(ctx, true);
+ hnb_context_release(ctx);
 }
 }
@@ -401,7 +401,7 @@ static int hnbgw_rx_hnb_deregister(struct hnb_context *ctx, ANY_t *in)
 hnbap_cause_str(&ies.cause));
 hnbap_free_hnbde_registeries(&ies);
- hnb_context_release(ctx, true);
+ hnb_context_release(ctx);
 return 0;
 }
-- cgit v1.2.3
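Review bot: The `/* FIXME: clean up after disappeared HNB */` comment kept in the `rc < 0` branch of hnb_read_cb is stale, because the `hnb_context_release(hnb)` call directly below it now does that cleanup and destroys the connection as well. Replace it with a comment that states the lifetime, for example `/* hnb and conn are freed by hnb_context_release(); do not touch either below */`, and repeat it in the `rc == 0` branch. The two branches also report the failure differently (`rc < 0` returns the raw sctp_recvmsg() value, `rc == 0` forces `-1`), and that return value is presumably the only signal the stream layer gets that `conn` is gone, so the comment should say which values mean "connection destroyed". The `out:` label and the rest of the function are outside the hunk.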
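Review bot: Passing `NULL` as the close callback in hnb_context_alloc means nothing releases the hnb_context when the stream layer tears the connection down on its own. The `osmo_stream_srv_set_flush_and_destroy(ctx->conn)` branch of hnbgw_tx_hnb_register_rej (first hunk of src/hnbgw_hnbap.c) is such a path: it never calls hnb_context_release(), so, assuming the library destroys the connection after the flush, the context stays allocated with a dangling `ctx->conn`, and a peer that keeps triggering that path can grow memory without bound. The double llist_del() described in the commit message can be avoided without dropping the callback, by detaching the context from the connection before destroying it and by clearing `hnb->conn` when the teardown starts in the stream layer. The create call would then keep `hnb_close_cb` as its fifth argument.

```c
static int hnb_close_cb(struct osmo_stream_srv *conn)
{
	struct hnb_context *hnb = osmo_stream_srv_get_data(conn);

	/* NULL data: hnb_context_release() is already running and started this destroy. */
	if (!hnb)
		return 0;

	/* The connection is about to be closed by the stream layer; keep the
	 * release below from destroying it a second time. */
	hnb->conn = NULL;
	hnb_context_release(hnb);
	return 0;
}

void hnb_context_release(struct hnb_context *ctx)
{
	/* … unchanged: context map and UE context cleanup … */
	if (ctx->conn) {
		/* Detach ctx first so hnb_close_cb() does not re-enter this function. */
		osmo_stream_srv_set_data(ctx->conn, NULL);
		osmo_stream_srv_destroy(ctx->conn);
	}
	talloc_free(ctx);
}
```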
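Review bot: hnbgw_rx_hnb_deregister frees `ctx` and its connection through `hnb_context_release(ctx)` and then returns `0`, so its callers cannot tell a normally handled message from one that destroyed the context they still hold. If this handler is reached from hnb_read_cb (the call chain is outside the hunk), that callback would report success to the stream layer for a connection that no longer exists, which is a use-after-free risk on any later access to `conn` or `hnb`. Consider returning a distinct negative value here and propagating it up to the read callback, and add `/* ctx and ctx->conn are freed; callers must stop using them */` above the call. The not-queued branch of hnbgw_tx_hnb_register_rej in the previous hunk follows the same pattern.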