bsc_api: Fix a use after free error in the Clear Request path
The implementation of bsc_hack would call subscr_con_free before
the BSC API had had the chance to call gsm0808_clear to try to
release other channels. Fix that by adding a return value.
diff --git a/openbsc/src/bsc_api.c b/openbsc/src/bsc_api.c
index 21d0ae7..e8f42d2 100644
--- a/openbsc/src/bsc_api.c
+++ b/openbsc/src/bsc_api.c
@@ -241,6 +241,7 @@
struct bsc_api *bsc;
struct gsm_lchan *lchan;
struct gsm_subscriber_connection *conn;
+ int destruct = 1;
if (subsys != SS_LCHAN || signal != S_LCHAN_UNEXPECTED_RELEASE)
return 0;
@@ -255,7 +256,7 @@
conn = lchan->conn;
if (bsc->clear_request)
- bsc->clear_request(conn, 0);
+ destruct = bsc->clear_request(conn, 0);
/* now give up all channels */
if (conn->lchan == lchan)
@@ -264,6 +265,9 @@
conn->ho_lchan = NULL;
gsm0808_clear(conn);
+ if (destruct)
+ subscr_con_free(conn);
+
return 0;
}
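Review bot: The new `if (destruct) subscr_con_free(conn);` makes the clear_request return value an ownership contract — an implementation that frees conn itself and also returns nonzero would now double-free, and one that returns 0 without freeing leaks — but nothing in the hunk records that, and the callback's prototype in bsc_api.h is not part of the visible diff, so confirm it was changed from void in the same commit. I would put above the check `/* clear_request returns 0 if it has already freed conn itself, nonzero if the API must free it here */`. Since `destruct` is initialised to 1 in the first hunk, an API user that registers no clear_request callback now has conn freed after gsm0808_clear, which looks like a behaviour change from the removed code and is worth a sentence in the commit message. The enclosing signal handler starts before the first hunk.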