paulmataruso/osmo-mgw
1
0
Fork 0
mirror of https://gitea.osmocom.org/cellular-infrastructure/osmo-mgw.git synced 2025-10-23 08:12:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

[nat] Do not access the con after the removal

Browse Source 
In case of a RLC message we will destroy the SCCP connection. This means
that accessing the con and con->bsc will access old memory. Keep the status
local and move the con into an inner scope.
This commit is contained in:
Holger Hans Peter Freyther
2010-05-16 16:30:42 +08:00
parent ed775e4c1d
commit 605f62a16a
1 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
openbsc/src/nat/bsc_nat.c
View File

@@ -608,8 +608,9 @@ static void ipaccess_auth_bsc(struct tlv_parsed *tvp, struct bsc_connection *bsc
static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
{
int con_found = 0;
struct bsc_connection *con_bsc = NULL;
int con_type;
struct sccp_connections *con;
struct bsc_nat_parsed *parsed;
/* Parse and filter messages */
@@ -637,6 +638,7 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
/* modify the SCCP entries */
if (parsed->ipa_proto == IPAC_PROTO_SCCP) {
struct sccp_connections *con;
switch (parsed->sccp_type) {
case SCCP_MSG_TYPE_CR:
if (bsc_nat_filter_sccp_cr(bsc, msg, parsed, &con_type) != 0)
@@ -645,6 +647,8 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
goto exit2;
con = patch_sccp_src_ref_to_msc(msg, parsed, bsc);
con->con_type = con_type;
con_found = 1;
con_bsc = con->bsc;
break;
case SCCP_MSG_TYPE_RLSD:
case SCCP_MSG_TYPE_CREF:
@@ -652,9 +656,17 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
case SCCP_MSG_TYPE_CC:
case SCCP_MSG_TYPE_IT:
con = patch_sccp_src_ref_to_msc(msg, parsed, bsc);
if (con) {
con_found = 1;
con_bsc = con->bsc;
}
break;
case SCCP_MSG_TYPE_RLC:
con = patch_sccp_src_ref_to_msc(msg, parsed, bsc);
if (con) {
con_found = 1;
con_bsc = con->bsc;
}
remove_sccp_src_ref(bsc, msg, parsed);
break;
case SCCP_MSG_TYPE_UDT:
@@ -675,9 +687,9 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
goto exit2;
}
if (con && con->bsc != bsc) {
if (con_found && con_bsc != bsc) {
LOGP(DNAT, LOGL_ERROR, "The connection belongs to a different BTS: input: %d con: %d\n",
bsc->cfg->nr, con->bsc->cfg->nr);
bsc->cfg->nr, con_bsc->cfg->nr);
goto exit2;
}