mgcp: be sure that pending mgcp transactions are canceled before free
When the FSM reaches ST_HALT it frees itself and all context
information but it is not ensured that there are still pending
MGW transactions that might hit late and eventually cause a use after
free situation.
- if an MGW transaction is still pending, cancel it.
Change-Id: I8ff55e48a95cc4c556a97ad2593bad1cc1aa69bd
diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c
index 738d1b8..0790b2b 100644
--- a/src/libmsc/msc_mgcp.c
+++ b/src/libmsc/msc_mgcp.c
@@ -781,8 +781,11 @@
static void fsm_halt_cb(struct osmo_fsm_inst *fi, uint32_t event, void *data)
{
struct mgcp_ctx *mgcp_ctx = data;
+ struct mgcp_client *mgcp;
OSMO_ASSERT(mgcp_ctx);
+ mgcp = mgcp_ctx->mgcp;
+ OSMO_ASSERT(mgcp);
/* NOTE: We must not free the context information now, we have to
* wait until msc_mgcp_call_release() is called. Then we are sure
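Review bot: the new `mgcp = mgcp_ctx->mgcp;` and `OSMO_ASSERT(mgcp);` at the top of fsm_halt_cb() run on every entry into the halt state, although the pointer is only used inside the `if (mgcp_ctx->free_ctx)` branch. Consider moving the lookup into that branch so a halt that does not free anything cannot abort on a missing client. Also consider whether an assert is the right reaction in a teardown path: if `mgcp` were ever NULL here, skipping the cancel and still freeing the FSM and context would leave the process running, whereas the assert takes it down.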
@@ -792,6 +795,10 @@
* so lets keep the context info until we are explicitly asked for
* throwing it away. */
if (mgcp_ctx->free_ctx) {
+ /* Be sure that there is no pending MGW transaction */
+ mgcp_client_cancel(mgcp, mgcp_ctx->mgw_pending_trans);
+
+ /* Free FSM and its context information */
osmo_fsm_inst_free(mgcp_ctx->fsm);
talloc_free(mgcp_ctx);
return;
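Review bot: `mgcp_client_cancel(mgcp, mgcp_ctx->mgw_pending_trans);` in the `free_ctx` branch is called unconditionally and its result is not looked at, while the commit message describes the cancel as happening only "if an MGW transaction is still pending". Nothing in the visible lines shows that `mgw_pending_trans` is cleared once a transaction has completed, so this call may be handed the id of a transaction that already finished. Either guard the call on an explicit "transaction pending" indication, or extend the comment to state that cancelling an id that is no longer pending is harmless, so the next reader does not have to check the client library to confirm that the free which follows is safe.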