Change in libosmo-sccp[master]: osmo_ss7: remove use-after-free of stream_server after close_cb

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

laforge gerrit-no-reply at lists.osmocom.org
Thu Jun 25 11:17:59 UTC 2020 

laforge has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmo-sccp/+/19004 )


Change subject: osmo_ss7: remove use-after-free of stream_server after close_cb
......................................................................

osmo_ss7: remove use-after-free of stream_server after close_cb

In I9b3ae6dfcf6efeabb7fb6c33503d1d7924fec2fa we fixed some problems
regarding rapid open/close cycles of inbound M3UA client connections.
Unfortunately the fix now triggered another bug.

xua_srv_conn_closed_cb() is called by libosmo-netif stream code whenever
a connection (socket) is closed.  As the stream_server is de-allocated
right after this call-back, the call-back must make sure to remove
any pending references to the stream_server.

Change-Id: I2464cf524f1f91bfad10ff1861a03bf1461dfed8
Related: OS#4625
---
M src/osmo_ss7.c
1 file changed, 2 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/libosmo-sccp refs/changes/04/19004/1

diff --git a/src/osmo_ss7.c b/src/osmo_ss7.c
index 9aeed9b..cdac27a 100644
--- a/src/osmo_ss7.c
+++ b/src/osmo_ss7.c
@@ -1786,12 +1786,13 @@
 	/* send M-SCTP_RELEASE.ind to Layer Manager */
 	xua_asp_send_xlm_prim_simple(asp, OSMO_XLM_PRIM_M_SCTP_RELEASE, PRIM_OP_INDICATION);
 
+	asp->server = NULL;
+
 	/* if we were dynamically allocated at accept_cb() time, let's
 	 * self-destruct now.  A new connection will re-create the ASP. */
 	if (asp->dyn_allocated) {
 		/* avoid re-entrance via osmo_stream_srv_destroy() which
 		 * called us */
-		asp->server = NULL;
 		osmo_ss7_asp_destroy(asp);
 	}
 

-- 
To view, visit https://gerrit.osmocom.org/c/libosmo-sccp/+/19004
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmo-sccp
Gerrit-Branch: master
Gerrit-Change-Id: I2464cf524f1f91bfad10ff1861a03bf1461dfed8
Gerrit-Change-Number: 19004
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200625/fc79a08b/attachment.htm>

More information about the gerrit-log mailing list