This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.org
Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/9749 )
Change subject: bsc-nat: Avoid heap-use-after-free on USSD conn lost
......................................................................
bsc-nat: Avoid heap-use-after-free on USSD conn lost
When ussd_read_cb calls bsc_nat_ussd_destroy the osmo_fd struct is
freed, so we need to indicate to osmo_wqueue_bfd_cb that it should not
continue using the fd pointer after we return.
Fixes following AddressSanitizer report:
<0015> osmo-bsc_nat/bsc_ussd.c:273 USSD Connection on 13 with IP: 1.2.3.4
<0015> osmo-bsc_nat/bsc_ussd.c:132 USSD Connection was lost.
=================================================================
==18118==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200047c4b4 at pc 0x7ffff6067540 bp 0x7fffffffe170 sp 0x7fffffffe168
READ of size 4 at 0x61200047c4b4 thread T0
#0 0x7ffff606753f in osmo_wqueue_bfd_cb libosmocore/src/write_queue.c:65
#1 0x7ffff605206b in osmo_fd_disp_fds libosmocore/src/select.c:217
#2 0x7ffff6052305 in osmo_select_main libosmocore/src/select.c:257
#3 0x421dfa in main osmo-bsc_nat/bsc_nat.c:1718
#4 0x7ffff47ffb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#5 0x406438 (/bin/osmo-bsc_nat+0x406438)
Change-Id: I35854c43524714d07f31d71c775ac1cd0a57d22e
---
M openbsc/src/osmo-bsc_nat/bsc_ussd.c
1 file changed, 7 insertions(+), 4 deletions(-)
Approvals:
Jenkins Builder: Verified
Vadim Yanitskiy: Looks good to me, but someone else must approve
Harald Welte: Looks good to me, approved
diff --git a/openbsc/src/osmo-bsc_nat/bsc_ussd.c b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
index 0ba6327..ee0b085 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_ussd.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
@@ -126,12 +126,11 @@
int ret;
ret = ipa_msg_recv_buffered(bfd->fd, &msg, &conn->pending_msg);
+ if (ret == -EAGAIN)
+ return 0;
if (ret <= 0) {
- if (ret == -EAGAIN)
- return 0;
LOGP(DNAT, LOGL_ERROR, "USSD Connection was lost.\n");
- bsc_nat_ussd_destroy(conn);
- return -1;
+ goto close_fd;
}
LOGP(DNAT, LOGL_NOTICE, "MSG from USSD: %s proto: %d\n",
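Review bot: the hoisted `if (ret == -EAGAIN) return 0;` only keeps its old meaning because -EAGAIN is negative and the check now runs before `if (ret <= 0)`; a reader of the new code has to work that out, so a short comment on the hoisted check ("must precede the ret <= 0 path, -EAGAIN is not a lost connection") would protect the ordering from a later reshuffle. The other thing this hunk relies on but does not say is the contract from the commit message: `goto close_fd` ends in a return value that osmo_wqueue_bfd_cb must recognise as "bfd was freed, do not touch it". That contract lives in libosmocore, not in this file, so the change should also state which libosmocore version introduces it and bump the dependency accordingly, otherwise an older libosmocore silently keeps the use-after-free.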
@@ -168,6 +167,10 @@
}
return 0;
+
+close_fd:
+ bsc_nat_ussd_destroy(conn);
+ return -EBADF;
}
static void ussd_auth_cb(void *_data)
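Review bot: `close_fd` undersells what the label does: bsc_nat_ussd_destroy(conn) frees conn and with it the osmo_fd `bfd` that the caller still holds, so a comment at the label ("conn and bfd are freed here; -EBADF tells osmo_wqueue_bfd_cb not to use bfd after we return") would make the lifetime rule explicit in the code rather than only in the commit message, and a name such as `destroy_conn` would match it. Separately, the body of ussd_read_cb between the two hunks is not shown in this diff; please confirm that no other early return in that stretch still calls bsc_nat_ussd_destroy() and returns -1, since any such path leaves exactly the same heap-use-after-free open.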
--
To view, visit https://gerrit.osmocom.org/9749
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings
Gerrit-Project: openbsc
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I35854c43524714d07f31d71c775ac1cd0a57d22e
Gerrit-Change-Number: 9749
Gerrit-PatchSet: 1
Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Vadim Yanitskiy <axilirator at gmail.com>
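The mechanism the commit message describes (a read callback frees the osmo_fd, the write-queue dispatcher then touches it after the callback returns) is shown below as an added, stand-alone illustration. It is not code from this patch, from openbsc or from libosmocore: `sim_fd`, `dispatch_before`, `dispatch_after`, `conn_destroy` and the quarantine allocator are hypothetical stand-ins for osmo_fd, osmo_wqueue_bfd_cb and bsc_nat_ussd_destroy, and the quarantine plays the role AddressSanitizer played in the report above, counting stale accesses instead of crashing. The scenario also shows that the fix needs both halves: a dispatcher that checks for -EBADF and a callback that actually returns it.

```c
/* Added example, not Osmocom code: simplified model of a write-queue
 * dispatcher whose read callback may destroy the connection owning the fd.
 * Names are hypothetical stand-ins for osmo_fd / osmo_wqueue_bfd_cb. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define FD_READ  0x1u
#define FD_WRITE 0x2u

struct sim_fd;
typedef int (*read_cb_t)(struct sim_fd *fd);

/* Stand-in for the osmo_fd embedded in the connection that owns it. */
struct sim_fd {
	int fd;
	unsigned int when;   /* interest flags, like osmo_fd.when */
	read_cb_t read_cb;
};

/* Quarantine: "freed" blocks are remembered and never handed back to malloc,
 * so a stale pointer can be recognised later without undefined behaviour. */
#define QUARANTINE_MAX 32
static void *g_quarantine[QUARANTINE_MAX];
static size_t g_nq;
static unsigned int g_stale_hits;   /* what ASan would report as use-after-free */

static void tracked_free(void *p)
{
	if (g_nq < QUARANTINE_MAX)
		g_quarantine[g_nq++] = p;
	else
		free(p);
}

static bool is_freed(const void *p)
{
	for (size_t i = 0; i < g_nq; i++)
		if (g_quarantine[i] == p)
			return true;
	return false;
}

/* Every post-callback access goes through here: a live fd is returned as is,
 * a freed one is counted and replaced by a scratch struct. */
static struct sim_fd *live(struct sim_fd *fd)
{
	static struct sim_fd scratch;
	if (!is_freed(fd))
		return fd;
	g_stale_hits++;
	return &scratch;
}

static struct sim_fd *conn_create(int fd, read_cb_t cb)
{
	struct sim_fd *c = calloc(1, sizeof(*c));
	c->fd = fd;
	c->when = FD_READ;
	c->read_cb = cb;
	return c;
}

/* Like bsc_nat_ussd_destroy(): frees the connection and the fd inside it. */
static void conn_destroy(struct sim_fd *c) { tracked_free(c); }

/* BEFORE: the callback's return value is ignored and the fd is touched again
 * (nothing left to write, so drop write interest), which is stale if the
 * callback destroyed the connection. */
static int dispatch_before(struct sim_fd *fd, unsigned int what)
{
	if (what & FD_READ)
		fd->read_cb(fd);               /* may destroy fd */
	live(fd)->when &= ~FD_WRITE;           /* use-after-free if it did */
	return 0;
}

/* AFTER: -EBADF from the callback means "fd is gone, stop immediately". */
static int dispatch_after(struct sim_fd *fd, unsigned int what)
{
	if (what & FD_READ) {
		int rc = fd->read_cb(fd);
		if (rc == -EBADF)
			return -EBADF;
	}
	live(fd)->when &= ~FD_WRITE;
	return 0;
}

/* Read callbacks modelling ussd_read_cb on connection loss, old and new. */
static int read_cb_lost_old(struct sim_fd *fd) { conn_destroy(fd); return -1; }
static int read_cb_lost_new(struct sim_fd *fd) { conn_destroy(fd); return -EBADF; }
static int read_cb_ok(struct sim_fd *fd) { (void)fd; return 0; }

struct outcome { int rc; unsigned int stale_hits; };

/* One connection, one readable event: returns the dispatcher's result and
 * how many stale fd accesses the dispatcher made. */
static struct outcome run_scenario(int (*dispatch)(struct sim_fd *, unsigned int),
				   read_cb_t cb)
{
	struct outcome o;
	struct sim_fd *c = conn_create(13, cb);   /* constructed: "USSD Connection on 13" */
	g_stale_hits = 0;
	o.rc = dispatch(c, FD_READ);
	o.stale_hits = g_stale_hits;
	if (!is_freed(c))
		conn_destroy(c);
	return o;
}

int main(void)
{
	struct outcome o = run_scenario(dispatch_before, read_cb_lost_old);
	printf("before fix: rc=%d stale accesses=%u\n", o.rc, o.stale_hits);
	o = run_scenario(dispatch_after, read_cb_lost_new);
	printf("after fix:  rc=%d stale accesses=%u\n", o.rc, o.stale_hits);
	return 0;
}
```

Running `dispatch_after` with the old callback (`read_cb_lost_old`, which still destroys the connection but returns -1) produces the same stale access as the unfixed dispatcher, which is why the patch's `-EBADF` return and the dispatcher-side check only work as a pair.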