Harald Welte gerrit-no-reply at lists.osmocom.org

Harald Welte has submitted this change and it was merged.

Change subject: smpp: Unset esme->acl on socket close
......................................................................

smpp: Unset esme->acl on socket close

We set acl->esme during _process_bind(), but we don't clear it in case the TCP connection for the ESME is dead. This leads to a stale acl->esme pointer, which we will attempt to dereference the next time a SMS is delivered to a route pointing to this acl, where it will be a heap use-after-free.

This was discovered using AddressSanitizer and MSC_Tests.ttcn

Closes: OS#3168
Change-Id: I1f140d7f9c7d89f200ddbcd81a8df66de69fb3e4
---
M src/libmsc/smpp_smsc.c
1 file changed, 6 insertions(+), 0 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified

diff --git a/src/libmsc/smpp_smsc.c b/src/libmsc/smpp_smsc.c index b889b52..7bbb0a4 100644 --- a/src/libmsc/smpp_smsc.c +++ b/src/libmsc/smpp_smsc.c @@ -249,6 +249,8 @@ } smpp_cmd_flush_pending(esme); llist_del(&esme->list); + if (esme->acl) + esme->acl->esme = NULL; talloc_free(esme); } @@ -875,6 +877,8 @@ osmo_fd_unregister(&esme->wqueue.bfd); close(esme->wqueue.bfd.fd); esme->wqueue.bfd.fd = -1; + if (esme->acl) + esme->acl->esme = NULL; smpp_esme_put(esme); return 0; 
@@ -891,6 +895,8 @@ osmo_fd_unregister(&esme->wqueue.bfd); close(esme->wqueue.bfd.fd); esme->wqueue.bfd.fd = -1; + if (esme->acl) + esme->acl->esme = NULL; smpp_esme_put(esme); } else if (rc < msgb_length(msg)) { LOGP(DSMPP, LOGL_ERROR, "[%s] Short write\n", esme->system_id);

--
To view, visit https://gerrit.osmocom.org/7795
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I1f140d7f9c7d89f200ddbcd81a8df66de69fb3e4
Gerrit-PatchSet: 1
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
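
Review bot: In the first hunk (@@ -249, the path ending in talloc_free(esme)), the new clear checks that esme->acl is set but not that esme->acl->esme still points at this esme. The commit message says acl->esme is assigned in _process_bind(), so if the same ACL can be bound by a new connection while an older esme is still waiting for its last reference to drop, freeing the old one would wipe the new connection's back-pointer. Suggest guarding with `if (esme->acl && esme->acl->esme == esme)` before writing NULL.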
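
Review bot: The second and third hunks (@@ -875 and @@ -891) add the same two lines to two copies of the same unregister / close / fd = -1 / smpp_esme_put() sequence, and neither resets esme->acl itself, so the clear runs again if the talloc_free() path in the first hunk is what the final smpp_esme_put() reaches. Suggest moving the socket-close sequence into one helper that clears acl->esme and also sets esme->acl = NULL, with a one-line comment saying why the back-pointer has to go when the TCP connection dies; the reason is currently only in the commit message, and any future close path that misses the clear brings the use-after-free back.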