msc_mgcp: do not access higher layers after release
The higher layers (gsm_04_08.c) are informed when errors occur. But it
is not checked if the call was already released. If an error occurs
after the call control stack calls msc_mgcp_call_release() then
the higher layers might already have cleaned up and the code
accesses memory that is already freed (trans)
- fix use after free by guarding the call to mncc_tx_to_cc()
Change-Id: I78f1b6a9149488a4ad3f120c1e190a83c07d4b89
Related OS#2881
Related OS#2882
diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c
index 8e874d8..5c615a9 100644
--- a/src/libmsc/msc_mgcp.c
+++ b/src/libmsc/msc_mgcp.c
@@ -197,10 +197,15 @@
osmo_fsm_inst_dispatch(fi, EV_TEARDOWN_ERROR, mgcp_ctx);
}
- /* Request the higher layers to release the call */
- mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET,
- GSM48_CC_CAUSE_RESOURCE_UNAVAIL);
- mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc);
+ /* Request the higher layers (gsm_04_08.c) to release the call. If the
+ * problem occured after msc_mgcp_call_release() was calls, remain
+ * silent because we already got informed and the higher layers might
+ * already freed their context information (trans). */
+ if (!mgcp_ctx->free_ctx) {
+ mncc_set_cause(&mncc, GSM48_CAUSE_LOC_TRANS_NET,
+ GSM48_CC_CAUSE_RESOURCE_UNAVAIL);
+ mncc_tx_to_cc(mgcp_ctx->trans->net, MNCC_REL_REQ, &mncc);
+ }
}
/* Timer callback to shut down in case of connectivity problems */
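Review bot: the comment in the `+` lines has two typos that should be fixed before merge: "occured" should read "occurred" and "was calls" should read "was called". On the logic, the new `if (!mgcp_ctx->free_ctx)` guard only prevents the use-after-free of `mgcp_ctx->trans` if `free_ctx` is set before the higher layers free the transaction on every release path, which this hunk cannot show; a short comment on the `free_ctx` field stating that invariant (set in msc_mgcp_call_release(), checked before any mncc_tx_to_cc() call) would help the next reader, and an `else` branch that logs the suppressed MNCC_REL_REQ at debug level would make the otherwise silent path visible when diagnosing the OS#2881/OS#2882 scenarios.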