libmsc/gsm_09_11.c: fix broken reference counting for vsub
In gsm0911_gsup_rx() we do call vlr_subscr_find_by_imsi(), which
increases subscriber's reference count by one using the function
name as the token. However, we never release this token, so the
reference count grows on every received GSUP PROC-SS message.
Change-Id: I5540556b1c75f6873883e46b78656f31fc1ef186
diff --git a/src/libmsc/gsm_09_11.c b/src/libmsc/gsm_09_11.c
index cd54703..c7b2155 100644
--- a/src/libmsc/gsm_09_11.c
+++ b/src/libmsc/gsm_09_11.c
@@ -424,8 +424,9 @@
struct msgb *ss_msg;
bool trans_end;
struct msc_a *msc_a;
- struct vlr_subscr *vsub = vlr_subscr_find_by_imsi(net->vlr, gsup_msg->imsi, __func__);
+ struct vlr_subscr *vsub;
+ vsub = vlr_subscr_find_by_imsi(net->vlr, gsup_msg->imsi, __func__);
if (!vsub) {
LOGP(DSS, LOGL_ERROR, "Rx %s for unknown subscriber, rejecting\n",
osmo_gsup_message_type_name(gsup_msg->message_type));
@@ -445,6 +446,9 @@
osmo_gsup_message_type_name(gsup_msg->message_type),
gsup_msg->cause, gsup_msg->session_id);
+ /* We don't need subscriber info anymore */
+ vlr_subscr_put(vsub, __func__);
+
if (!trans) {
LOGP(DSS, LOGL_ERROR, "No transaction found for "
"sid=0x%x, nothing to abort\n", gsup_msg->session_id);
@@ -477,14 +481,20 @@
"SS/USSD transaction, rejecting %s\n",
osmo_gsup_message_type_name(gsup_msg->message_type));
gsup_client_mux_tx_error_reply(gcm, gsup_msg, GMM_CAUSE_NET_FAIL);
+ vlr_subscr_put(vsub, __func__);
return -EINVAL;
}
/* Wait for Paging Response */
- if (trans->paging_request)
+ if (trans->paging_request) {
+ vlr_subscr_put(vsub, __func__);
return 0;
+ }
}
+ /* We don't need subscriber info anymore */
+ vlr_subscr_put(vsub, __func__);
+
/* (Re)schedule the inactivity timer */
if (net->ncss_guard_timeout > 0) {
osmo_timer_schedule(&trans->ss.timer_guard,