This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Neels Hofmeyr gerrit-no-reply at lists.osmocom.orgNeels Hofmeyr has submitted this change and it was merged. ( https://gerrit.osmocom.org/13258 ) Change subject: avoid use-after-free: on MGW endpoint dealloc, also forget it in conn->ho.* ...................................................................... avoid use-after-free: on MGW endpoint dealloc, also forget it in conn->ho.* With the FORGET_MGW_ENDPOINT event, the MGW endpoint FSM notifies the gscon that it has deallocated and that hence the gscon should forget all references to it (to avoid a use-after-free). Also do this for the endpoint FSM and endpoint ci pointers in the conn->ho.* sub struct. I saw a use-after-free after a Handover Failure message tears down the lchan and MGW endpoint before triggering the handover_fsm.c cleanup code, which also tries to clean up an endpoint CI if it was created for the failed Handover. Change-Id: I6702ccd0df44bea5eb8b26d471d7903c24e6e30b --- M src/osmo-bsc/bsc_subscr_conn_fsm.c 1 file changed, 6 insertions(+), 3 deletions(-) Approvals: Harald Welte: Looks good to me, approved Jenkins Builder: Verified diff --git a/src/osmo-bsc/bsc_subscr_conn_fsm.c b/src/osmo-bsc/bsc_subscr_conn_fsm.c index 13a5730..1cc0c78 100644 --- a/src/osmo-bsc/bsc_subscr_conn_fsm.c +++ b/src/osmo-bsc/bsc_subscr_conn_fsm.c @@ -699,6 +699,7 @@ { conn->user_plane.mgw_endpoint = NULL; conn->user_plane.mgw_endpoint_ci_msc = NULL; + conn->ho.created_ci_for_msc = NULL; lchan_forget_mgw_endpoint(conn->lchan); lchan_forget_mgw_endpoint(conn->assignment.new_lchan); lchan_forget_mgw_endpoint(conn->ho.new_lchan); @@ -706,9 +707,11 @@ void gscon_forget_mgw_endpoint_ci(struct gsm_subscriber_connection *conn, struct mgwep_ci *ci) { - if (ci != conn->user_plane.mgw_endpoint_ci_msc) - return; - conn->user_plane.mgw_endpoint_ci_msc = NULL; + if (conn->ho.created_ci_for_msc == ci) + conn->ho.created_ci_for_msc = NULL; + + if (conn->user_plane.mgw_endpoint_ci_msc == ci) + conn->user_plane.mgw_endpoint_ci_msc = NULL; } static void gscon_fsm_allstate(struct osmo_fsm_inst *fi, uint32_t event, void *data) -- To view, visit https://gerrit.osmocom.org/13258 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-bsc Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I6702ccd0df44bea5eb8b26d471d7903c24e6e30b Gerrit-Change-Number: 13258 Gerrit-PatchSet: 2 Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de> Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org> Gerrit-Reviewer: Jenkins Builder (1000002) Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de> -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190324/8c762cbb/attachment.htm>