use only accepted ran_conns for new transactions In connection_for_subscriber(), do not return a ran_conn that is not yet authenticated nor one that is already in release. Using a ran_conn that is not yet authenticated may cause an auth/ciph violation. Using a ran_conn that is already in release may cause a use-after-free, see OS#3842 for a description. To be paranoid, upon releasing a conn, go through the transaction freeing motions again by calling trans_conn_closed(), just in case some odd code path added another transaction while the conn was already in release. Related: OS#3842 Change-Id: Id957032e0ae1ff8ba055a75c3523447d3d06cbc3

commit: 8e2c6a31c1401b5a6980866ef35d47eb3d8d5ca3 [log] [tgz]
author: Neels Hofmeyr <neels@hofmeyr.de> Thu Mar 07 03:06:16 2019 +0100
committer: Neels Hofmeyr <neels@hofmeyr.de> Thu Mar 07 03:58:29 2019 +0100
tree: 6cf0ebc7634f2d2cfef58c001122d6ebd63cbe5d
parent: a3a8821167b7b62c17a3002ddbd992eb05e92ab2 [diff] [blame]
diff --git a/src/libmsc/ran_conn.c b/src/libmsc/ran_conn.c
index 79709c6..e54e542 100644
--- a/src/libmsc/ran_conn.c
+++ b/src/libmsc/ran_conn.c

@@ -538,8 +538,10 @@
 {
 	struct ran_conn *conn = fi->priv;
 
-	if (ran_conn_fsm_has_active_transactions(fi))
+	if (ran_conn_fsm_has_active_transactions(fi)) {
 		LOGPFSML(fi, LOGL_ERROR, "Deallocating despite active transactions\n");
+		trans_conn_closed(conn);
+	}
 
 	if (!conn) {
 		LOGP(DRLL, LOGL_ERROR, "Freeing NULL RAN connection\n");
commit	8e2c6a31c1401b5a6980866ef35d47eb3d8d5ca3	[log] [tgz]
author	Neels Hofmeyr <neels@hofmeyr.de>	Thu Mar 07 03:06:16 2019 +0100
committer	Neels Hofmeyr <neels@hofmeyr.de>	Thu Mar 07 03:58:29 2019 +0100
tree	6cf0ebc7634f2d2cfef58c001122d6ebd63cbe5d
parent	a3a8821167b7b62c17a3002ddbd992eb05e92ab2 [diff] [blame]