use only accepted ran_conns for new transactions
In connection_for_subscriber(), do not return a ran_conn that is not yet
authenticated nor one that is already in release.
Using a ran_conn that is not yet authenticated may cause an auth/ciph
violation.
Using a ran_conn that is already in release may cause a use-after-free, see
OS#3842 for a description.
To be paranoid, upon releasing a conn, go through the transaction freeing
motions again by calling trans_conn_closed(), just in case some odd code path
added another transaction while the conn was already in release.
Related: OS#3842
Change-Id: Id957032e0ae1ff8ba055a75c3523447d3d06cbc3
diff --git a/src/libmsc/gsm_subscriber.c b/src/libmsc/gsm_subscriber.c
index e60344f..c4faa94 100644
--- a/src/libmsc/gsm_subscriber.c
+++ b/src/libmsc/gsm_subscriber.c
@@ -200,8 +200,14 @@
struct ran_conn *conn;
llist_for_each_entry(conn, &net->ran_conns, entry) {
- if (conn->vsub == vsub)
- return conn;
+ if (conn->vsub != vsub)
+ continue;
+ /* Found a conn, but is it in a usable state? Must not add transactions to a conn that is in release,
+ * and must not start transactions for an unauthenticated subscriber. There will obviously be only one
+ * conn for this vsub, so return NULL right away. */
+ if (!ran_conn_is_accepted(conn))
+ return NULL;
+ return conn;
}
return NULL;