field | value | date
---|---|---
author | Ivan Kluchnikov <kluchnikovi@gmail.com> | 2017-05-11 15:19:23 +0300
committer | Ivan Kluchnikov <kluchnikovi@gmail.com> | 2017-09-01 16:49:26 +0300
commit | b9759dba9ecd2720aab1c91d6824a18e2c0ffbcd (patch) |
tree | 404ce0af8a1623fdf5b08f0329d1980a815dfd9d /src/gsm |
parent | 99377c2daab6e428194c92103a3a7c2d8a8b5551 (diff) |
lapd_core: Fix crash in lapd_est_req() function
The lapd_est_req() function could be called on an uninitialized lapd link
(before lapd_dl_init() and after lapd_dl_exit() functions) due to
invalid usage on higher levels.
In order to prevent using an uninitialized lapd link, we should set the
LAPD_STATE_NULL state for lapd_datalink in the lapd_dl_exit() function.
So all messages for a lapd_datalink in null state will be unhandled by
the lapd_recv_dlsap() function, and the lapd_est_req() function will not be
called before the lapd_dl_init() function, where the lapd link state is changed
to idle.
#0 0x00007f46ecd99aa5 in lapd_est_req (dp=<optimized out>, lctx=0x7f46ed80b8b8) at
lapd_core.c:1769
#1 0x00007f46ecd9dda8 in rslms_rx_rll_est_req (msg=msg@entry=0x7f46eeab4940,
dl=dl@entry=0x7f46ed80b888) at lapdm.c:845
#2 0x00007f46ecd9fc03 in rslms_rx_rll (lc=0x7f46ed80b398, msg=0x7f46eeab4940) at
lapdm.c:1157
#3 lapdm_rslms_recvmsg (msg=0x7f46eeab4940, lc=0x7f46ed80b398) at lapdm.c:1223
#4 0x00007f46ed63773d in rsl_rx_rll (msg=<optimized out>, trx=<optimized out>) at
rsl.c:2178
#5 down_rsl (trx=<optimized out>, msg=<optimized out>) at rsl.c:2541
#6 0x00007f46ed641529 in sign_link_cb (msg=<optimized out>) at abis.c:169
#7 0x00007f46ec54b111 in ipaccess_bts_read_cb (link=0x7f46eeab4940, msg=0x0) at
input/ipaccess.c:807
#8 0x00007f46ec548a8e in ipa_client_read (link=0x7f46ee26ae30) at input/ipa.c:74
#9 ipa_client_fd_cb (ofd=<optimized out>, what=1) at input/ipa.c:137
#10 0x00007f46ecfc726f in osmo_fd_disp_fds (_eset=0x7ffe7a9fcd20, _wset=0x7ffe7a9fcca0,
_rset=0x7ffe7a9fcc20) at select.c:167
#11 osmo_select_main (polling=polling@entry=0) at select.c:207
#12 0x00007f46ed63fc25 in bts_main (argc=5, argv=<optimized out>) at main.c:359
#13 0x00007f46ebd76f45 in __libc_start_main (main=0x7f46ed61b120 <main>, argc=5,
argv=0x7ffe7a9fcf18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
#14 0x00007f46ed61b14e in _start ()
Related: OS#1982
Change-Id: I306dad9b78e3becaef14c5305ec25c312feefe3c
Diffstat (limited to 'src/gsm')
-rw-r--r-- | src/gsm/lapd_core.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/gsm/lapd_core.c b/src/gsm/lapd_core.c index 166bf9a7..6b580069 100644 --- a/src/gsm/lapd_core.c +++ b/src/gsm/lapd_core.c @@ -326,6 +326,10 @@ void lapd_dl_exit(struct lapd_datalink *dl) { /* free all ressources except history buffer */ lapd_dl_reset(dl); + + /* enter null state */ + lapd_dl_newstate(dl, LAPD_STATE_NULL); + /* free history buffer list */ talloc_free(dl->tx_hist); dl->tx_hist = NULL; |
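Review bot: the fix relies on guards that are not in this hunk. The message says lapd_recv_dlsap() leaves messages unhandled while the link is in LAPD_STATE_NULL and that lapd_dl_init() moves it to idle, but the only visible change is the added `lapd_dl_newstate(dl, LAPD_STATE_NULL);` in lapd_dl_exit(); please point to where the NULL-state check in lapd_recv_dlsap() lives (or add a test that calls lapd_est_req() on a link after lapd_dl_exit() and asserts it is rejected) so the crash in the backtrace is demonstrably covered. The placement after lapd_dl_reset() and before `talloc_free(dl->tx_hist);` looks right, since the reset may still emit state-dependent traffic; a brief comment saying so would help the next reader. While here, the context comment "free all ressources" has a typo ("resources") worth fixing in a follow-up.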