gsm48_tx_release_compl(): Don't use transaction after trans_free()
In commit 39e2eadc99c38876c39700cc2f8fa2a2973c1fdd a bug was introduced
that dereferenced 'trans' after trans_free() had already been called (a use-after-free).
This became visible now when the openbsc+lcr combination was calling
an unknown/invalid telephone number in a MO call, resulting in
a segfault.
diff --git a/openbsc/src/gsm_04_08.c b/openbsc/src/gsm_04_08.c
index 65d795a..810115f 100644
--- a/openbsc/src/gsm_04_08.c
+++ b/openbsc/src/gsm_04_08.c
@@ -2321,6 +2321,7 @@
struct gsm_mncc *rel = arg;
struct msgb *msg = gsm48_msgb_alloc();
struct gsm48_hdr *gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh));
+ int ret;
gh->msg_type = GSM48_MT_CC_RELEASE_COMPL;
@@ -2338,9 +2339,11 @@
if (rel->fields & MNCC_F_USERUSER)
gsm48_encode_useruser(msg, 0, &rel->useruser);
+ ret = gsm48_conn_sendmsg(msg, trans->conn, trans);
+
trans_free(trans);
- return gsm48_conn_sendmsg(msg, trans->conn, trans);
+ return ret;
}
static int gsm48_cc_rx_facility(struct gsm_trans *trans, struct msgb *msg)
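Review bot: The send-before-free ordering on the new lines is the entire fix, yet nothing in the code marks it, so a later edit could reintroduce the use-after-free this commit repairs; a one-line comment above the call, `/* send first: gsm48_conn_sendmsg() dereferences trans, so trans_free() must come after */`, would pin the constraint in place. The call still passes `trans` itself as the third argument to gsm48_conn_sendmsg(); if that layer retains the pointer beyond the call (queueing, callbacks), the immediate trans_free() would leave a dangling reference, which cannot be confirmed from this hunk and is worth checking in gsm48_conn_sendmsg(). gsm48_tx_release_compl() begins before this hunk, so whether trans or trans->conn is validated earlier in the function is not visible here.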