use only accepted ran_conns for new transactions
In connection_for_subscriber(), do not return a ran_conn that is not yet
authenticated nor one that is already in release.
Using a ran_conn that is not yet authenticated may cause an auth/ciph
violation.
Using a ran_conn that is already in release may cause a use-after-free, see
OS#3842 for a description.
To be paranoid, upon releasing a conn, go through the transaction freeing
motions again by calling trans_conn_closed(), just in case some odd code path
added another transaction while the conn was already in release.
Related: OS#3842
Change-Id: Id957032e0ae1ff8ba055a75c3523447d3d06cbc3
diff --git a/src/libmsc/ran_conn.c b/src/libmsc/ran_conn.c
index 79709c6..e54e542 100644
--- a/src/libmsc/ran_conn.c
+++ b/src/libmsc/ran_conn.c
@@ -538,8 +538,10 @@
{
struct ran_conn *conn = fi->priv;
- if (ran_conn_fsm_has_active_transactions(fi))
+ if (ran_conn_fsm_has_active_transactions(fi)) {
LOGPFSML(fi, LOGL_ERROR, "Deallocating despite active transactions\n");
+ trans_conn_closed(conn);
+ }
if (!conn) {
LOGP(DRLL, LOGL_ERROR, "Freeing NULL RAN connection\n");
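Review bot: the new trans_conn_closed(conn) call is placed before the `if (!conn)` check that follows it, so when fi->priv is NULL and ran_conn_fsm_has_active_transactions(fi) reports active transactions, trans_conn_closed() is handed a NULL conn. Either move the new call (or the whole active-transactions block) below the "Freeing NULL RAN connection" check, or guard it, e.g. `if (conn && ran_conn_fsm_has_active_transactions(fi)) {`. Since the commit message describes this as running the transaction freeing motions "again", it is also worth a one-line comment here stating that trans_conn_closed() is safe to call a second time on a conn already in release, so a later reader does not mistake the call for a double free.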