Change in osmo-mgw[master]: fix use-after-free: require new fsm safeguards, check for term


neels gerrit-no-reply at lists.osmocom.org
Wed Oct 23 01:49:02 UTC 2019


neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-mgw/+/15839 )


Change subject: fix use-after-free: require new fsm safeguards, check for term
......................................................................

fix use-after-free: require new fsm safeguards, check for term

API doc: require osmo_fsm_set_dealloc_ctx() and
osmo_fsm_set_term_stops_actions().

mgcp_client during delete: do not reparent the FSM when it is already
terminating.

I have recently discovered a vulnerability: if an endpoint FSM deallocates
during event handling of a successful MGCP response, this causes a
use-after-free; and once that is fixed, a state change on the already
terminated FSM causes a pointer corruption by using already cleaned data
structures. osmo_fsm_set_dealloc_ctx() fixes the use-after-free, and
osmo_fsm_set_term_stops_actions() fixes the pointer corruption.

Related: Ib7fce7b7d54dfb87af97544796680919e5929a50 (osmo-bsc),
         I08c03946605aa12e0a5ce8b3c773704ef5327a7a (osmo-msc)
Depends: Ief4dba9ea587c9b4aea69993e965fbb20fb80e78 (libosmocore),
         I0adc13a1a998e953b6c850efa2761350dd07e03a (libosmocore)
Change-Id: I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3
---
M src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
M src/libosmo-mgcp-client/mgcp_client_fsm.c
2 files changed, 8 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-mgw refs/changes/39/15839/1

diff --git a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
index 2259788..37cf346 100644
--- a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
+++ b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
@@ -255,6 +255,11 @@
  * MGCP messages to set up the endpoint will be sent on the given mgcp_client, as soon as the first
  * osmo_mgcpc_ep_ci_request() is invoked.
  *
+ * IMPORTANT: To avoid use-after-free problems, using this FSM requires:
+ * - setting osmo_fsm_set_term_stops_actions(true), AND
+ * - use of deferred FSM deallocation using osmo_fsm_set_dealloc_ctx(),
+ *   e.g. using osmo_select_main_ctx(OTC_SELECT) with osmo_select_main_ctx() as main loop.
+ *
  * A typical sequence of events would be:
  *
  *    ep = osmo_mgcpc_ep_alloc(..., mgcp_client_rtpbridge_wildcard(client));
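Review bot: the third bullet of the new IMPORTANT note reads "e.g. using osmo_select_main_ctx(OTC_SELECT) with osmo_select_main_ctx() as main loop", which names osmo_select_main_ctx() twice; the first call is presumably meant to be the deferred-deallocation setup the bullet is about, i.e. "osmo_fsm_set_dealloc_ctx(OTC_SELECT)", with osmo_select_main_ctx() as the main loop that frees that context. Please correct the example so readers do not copy a nonsensical call, and consider stating in one sentence what goes wrong without these two settings (the FSM being freed while an MGCP response is still being handled, as the commit message describes), so the requirement reads as a hard precondition rather than a suggestion.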
diff --git a/src/libosmo-mgcp-client/mgcp_client_fsm.c b/src/libosmo-mgcp-client/mgcp_client_fsm.c
index 7565d32..800ae1b 100644
--- a/src/libosmo-mgcp-client/mgcp_client_fsm.c
+++ b/src/libosmo-mgcp-client/mgcp_client_fsm.c
@@ -708,6 +708,9 @@
 
 	OSMO_ASSERT(mgcp_ctx);
 
+	if (fi->proc.terminating)
+		return;
+
 	/* Unlink FSM from parent */
 	osmo_fsm_inst_unlink_parent(fi, NULL);
 
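Review bot: the early return on "if (fi->proc.terminating)" is silent, so a caller that tries to reparent an already terminating FSM leaves no trace in the logs; since this path is exactly the use-after-free scenario the change is fixing, a LOGPFSML(fi, LOGL_DEBUG, ...) line before the return would make the skipped unlink visible when debugging. It would also help to add a short comment above the check explaining why reparenting must be skipped here (the instance is being torn down and its parent linkage is already being cleaned up), since the reason is only stated in the commit message and not at the site of the check.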

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-mgw/+/15839
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-mgw
Gerrit-Branch: master
Gerrit-Change-Id: I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3
Gerrit-Change-Number: 15839
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr at sysmocom.de>
Gerrit-MessageType: newchange