[MERGED] openbsc[master]: smpp_smsc_conf: Fix heap-use-after-free

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Tue Apr 17 14:37:47 UTC 2018


Harald Welte has submitted this change and it was merged.

Change subject: smpp_smsc_conf: Fix heap-use-after-free
......................................................................


smpp_smsc_conf: Fix heap-use-after-free

Backport from osmo-msc Change-Id Iaf0d251c8d2912266a087ada4d20905146e08592.

Fixes the following error caught by enabling address sanitizer:
==20792==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000122610 at pc 0x7f9c9c3fe063 bp 0x7ffd2e68f600 sp 0x7ffd2e68edb0
READ of size 11 at 0x60b000122610 thread T0
	#0 0x7f9c9c3fe062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
	#1 0x7f9c9beb8ee4 in talloc_strdup (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6ee4)
	#2 0x56096a7cf75b in smpp_smsc_conf src/libmsc/smpp_smsc.c:983
	#3 0x56096a7cf9df in smpp_smsc_start src/libmsc/smpp_smsc.c:1015
	#4 0x56096a7d4935 in smpp_openbsc_start src/libmsc/smpp_openbsc.c:785
	#5 0x56096a755ad0 in main src/osmo-msc/msc_main.c:598
	#6 0x7f9c9927b2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
	#7 0x56096a756979 in _start (/home/jenkins/workspace/osmo-gsm-tester_run-prod/trial-805/inst/osmo-msc/bin/osmo-msc+0xf0979)

Related: OS#3181

Change-Id: Ifce107dc5f0971d7580b7adc09f05e334792bace
---
M openbsc/src/libmsc/smpp_smsc.c
1 file changed, 7 insertions(+), 2 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/openbsc/src/libmsc/smpp_smsc.c b/openbsc/src/libmsc/smpp_smsc.c
index 83c29f6..e4acd3a 100644
--- a/openbsc/src/libmsc/smpp_smsc.c
+++ b/openbsc/src/libmsc/smpp_smsc.c
@@ -972,14 +972,19 @@
 /*! \brief Set the SMPP address and port without binding. */
 int smpp_smsc_conf(struct smsc *smsc, const char *bind_addr, uint16_t port)
 {
+	smsc->listen_port = port;
+
+	/* Avoid use-after-free if bind_addr == smsc->bind_addr */
+	if (smsc->bind_addr == bind_addr)
+		return 0;
+
 	talloc_free((void*)smsc->bind_addr);
 	smsc->bind_addr = NULL;
 	if (bind_addr) {
-		smsc->bind_addr = talloc_strdup(smsc, bind_addr);
+		smsc->bind_addr = bind_addr ? talloc_strdup(smsc, bind_addr) : NULL;
 		if (!smsc->bind_addr)
 			return -ENOMEM;
 	}
-	smsc->listen_port = port;
 	return 0;
 }
 
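Review bot: the ternary on the added line `smsc->bind_addr = bind_addr ? talloc_strdup(smsc, bind_addr) : NULL;` is redundant, since it sits inside `if (bind_addr)` where `bind_addr` is already known to be non-NULL; the original `smsc->bind_addr = talloc_strdup(smsc, bind_addr);` was correct and should be kept. The early return `if (smsc->bind_addr == bind_addr) return 0;` is the actual fix: it covers the case in the ASan report where the caller hands back the exact pointer the struct owns, so `talloc_free()` followed by `talloc_strdup()` would read freed memory. Note that it only catches pointer identity; a `bind_addr` pointing into the middle of the owned buffer would still be freed before being copied, so the contract that callers must not pass a pointer into `smsc->bind_addr` deserves a comment on the function. Moving `smsc->listen_port = port;` above the early return is needed so the port is still updated on the aliasing path.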

-- 
To view, visit https://gerrit.osmocom.org/7859
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ifce107dc5f0971d7580b7adc09f05e334792bace
Gerrit-PatchSet: 1
Gerrit-Project: openbsc
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
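The merged guard, reduced to a stand-alone C setter so the aliasing path can be exercised under a sanitizer. This is an added example, not code from openbsc or from this change: `struct cfg`, `cfg_set_bind()`, the plain `malloc`/`free` ownership in place of talloc, and the sample address and port values are all constructed here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the smsc struct: only the two fields the setter touches. */
struct cfg {
	char *bind_addr;      /* heap-owned copy, may be NULL */
	uint16_t listen_port;
};

/* Plain malloc-based string duplication, standing in for talloc_strdup(). */
static char *dup_str(const char *s)
{
	size_t len = strlen(s) + 1;
	char *p = malloc(len);
	if (p)
		memcpy(p, s, len);
	return p;
}

/* Hardened setter mirroring the merged fix: update the port first, return early when
 * the caller hands back the very pointer we already own, and only then free and copy.
 * Without the pointer check, a call such as cfg_set_bind(c, c->bind_addr, port) would
 * free the buffer and then copy from freed memory, which is the reported use-after-free. */
int cfg_set_bind(struct cfg *c, const char *bind_addr, uint16_t port)
{
	c->listen_port = port;

	if (c->bind_addr == bind_addr)
		return 0;

	free(c->bind_addr);
	c->bind_addr = NULL;
	if (bind_addr) {
		c->bind_addr = dup_str(bind_addr);
		if (!c->bind_addr)
			return -ENOMEM;
	}
	return 0;
}

/* Exercise the aliasing path: configure once, then "reconfigure" with the struct's own
 * field as the new address, as the caller in the ASan trace did. Returns 1 on success. */
int aliasing_roundtrip_ok(void)
{
	struct cfg c = { NULL, 0 };
	int ok;

	if (cfg_set_bind(&c, "127.0.0.1", 2775) != 0)   /* sample values */
		return 0;
	if (cfg_set_bind(&c, c.bind_addr, 2776) != 0)   /* argument aliases c.bind_addr */
		return 0;
	ok = c.bind_addr && strcmp(c.bind_addr, "127.0.0.1") == 0 && c.listen_port == 2776;

	free(c.bind_addr);
	return ok;
}

/* Replacing the address with a different string and clearing it with NULL still work. */
int replace_and_clear_ok(void)
{
	struct cfg c = { NULL, 0 };
	int ok;

	if (cfg_set_bind(&c, "0.0.0.0", 1) != 0)
		return 0;
	if (cfg_set_bind(&c, "::1", 2) != 0)
		return 0;
	ok = c.bind_addr && strcmp(c.bind_addr, "::1") == 0 && c.listen_port == 2;
	if (cfg_set_bind(&c, NULL, 3) != 0)
		return 0;
	ok = ok && c.bind_addr == NULL && c.listen_port == 3;

	free(c.bind_addr);
	return ok;
}
```

Building this with `-fsanitize=address` and removing the `c->bind_addr == bind_addr` check reproduces the heap-use-after-free class of report shown in the commit message; with the check in place both helpers return 1.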


