Change in osmo-bsc[master]: avoid use-after-free: on MGW endpoint dealloc, also forget it in conn...

Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Sun Mar 24 16:41:57 UTC 2019


Neels Hofmeyr has submitted this change and it was merged. ( https://gerrit.osmocom.org/13258 )

Change subject: avoid use-after-free: on MGW endpoint dealloc, also forget it in conn->ho.*
......................................................................

avoid use-after-free: on MGW endpoint dealloc, also forget it in conn->ho.*

With the FORGET_MGW_ENDPOINT event, the MGW endpoint FSM notifies the gscon
that it has deallocated and that hence the gscon should forget all references
to it (to avoid a use-after-free).

Also do this for the endpoint FSM and endpoint ci pointers in the conn->ho.*
sub struct.

I saw a use-after-free after a Handover Failure message tears down the lchan
and MGW endpoint before triggering the handover_fsm.c cleanup code, which also
tries to clean up an endpoint CI if it was created for the failed Handover.

Change-Id: I6702ccd0df44bea5eb8b26d471d7903c24e6e30b
---
M src/osmo-bsc/bsc_subscr_conn_fsm.c
1 file changed, 6 insertions(+), 3 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/osmo-bsc/bsc_subscr_conn_fsm.c b/src/osmo-bsc/bsc_subscr_conn_fsm.c
index 13a5730..1cc0c78 100644
--- a/src/osmo-bsc/bsc_subscr_conn_fsm.c
+++ b/src/osmo-bsc/bsc_subscr_conn_fsm.c
@@ -699,6 +699,7 @@
 {
 	conn->user_plane.mgw_endpoint = NULL;
 	conn->user_plane.mgw_endpoint_ci_msc = NULL;
+	conn->ho.created_ci_for_msc = NULL;
 	lchan_forget_mgw_endpoint(conn->lchan);
 	lchan_forget_mgw_endpoint(conn->assignment.new_lchan);
 	lchan_forget_mgw_endpoint(conn->ho.new_lchan);
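Review bot: the commit message says the `conn->ho.*` sub struct holds both an endpoint FSM pointer and an endpoint CI pointer that should be forgotten, but this hunk only clears `conn->ho.created_ci_for_msc`; please confirm that no endpoint FSM pointer remains in `conn->ho` after the endpoint is deallocated, or clear it here next to the `user_plane` pointers, since any surviving reference is exactly the dangling pointer this change sets out to remove.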
@@ -706,9 +707,11 @@
 
 void gscon_forget_mgw_endpoint_ci(struct gsm_subscriber_connection *conn, struct mgwep_ci *ci)
 {
-	if (ci != conn->user_plane.mgw_endpoint_ci_msc)
-		return;
-	conn->user_plane.mgw_endpoint_ci_msc = NULL;
+	if (conn->ho.created_ci_for_msc == ci)
+		conn->ho.created_ci_for_msc = NULL;
+
+	if (conn->user_plane.mgw_endpoint_ci_msc == ci)
+		conn->user_plane.mgw_endpoint_ci_msc = NULL;
 }
 
 static void gscon_fsm_allstate(struct osmo_fsm_inst *fi, uint32_t event, void *data)
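Review bot: dropping the early `return` is the important part here, since with the old code a `ci` that was referenced from `conn->ho.created_ci_for_msc` but not from `user_plane.mgw_endpoint_ci_msc` was never forgotten; the two independent `if` checks now handle a CI that is referenced from either or both places. A one-line comment above the checks stating that the same `ci` may be held by both `user_plane` and `ho` would make it clear to future readers why there is deliberately no early return, and would discourage someone from "simplifying" it back into the old shape.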

-- 
To view, visit https://gerrit.osmocom.org/13258
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I6702ccd0df44bea5eb8b26d471d7903c24e6e30b
Gerrit-Change-Number: 13258
Gerrit-PatchSet: 2
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder (1000002)
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>