Change in osmo-ggsn[master]: ggsn: Fix heap-use-after-free during Recovery without associated PDP

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

laforge gerrit-no-reply at lists.osmocom.org
Fri Jun 11 21:50:27 UTC 2021 

laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-ggsn/+/24642 )

Change subject: ggsn: Fix heap-use-after-free during Recovery without associated PDP
......................................................................

ggsn: Fix heap-use-after-free during Recovery without associated PDP

Related: OS#4641
Change-Id: Ib4dca2e30e723a196084b0fa0040fbceca835359
---
M ggsn/sgsn.c
1 file changed, 10 insertions(+), 2 deletions(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved



diff --git a/ggsn/sgsn.c b/ggsn/sgsn.c
index 8360439..15548ef 100644
--- a/ggsn/sgsn.c
+++ b/ggsn/sgsn.c
@@ -116,6 +116,7 @@
 {
 	unsigned int num = 0;
 	char buf[INET_ADDRSTRLEN];
+	unsigned int count = llist_count(&sgsn->pdp_list);
 
 	inet_ntop(AF_INET, &sgsn->addr, buf, sizeof(buf));
 
@@ -125,10 +126,17 @@
 			continue;
 		ggsn_close_one_pdp(pdp->lib);
 		num++;
+		if (num == count) {
+			/* Note: if except is NULL, all pdp contexts are freed and sgsn
+			 * is most probably already freed at this point.
+			 * As a result, last access to sgsn->pdp_list before exiting
+			 * loop would access already freed memory. Avoid it by exiting
+			 * the loop without the last check, and make sure sgsn is not
+			 * accessed after this loop. */
+			 break;
+		}
 	}
 
-	/* Note: if except is NULL, all pdp contexts are freed and sgsn is
-	   already freed at this point */
 	LOGP(DGGSN, LOGL_INFO, "SGSN(%s) Dropped %u PDP contexts\n", buf, num);
 
 	return num;

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-ggsn/+/24642
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-ggsn
Gerrit-Branch: master
Gerrit-Change-Id: Ib4dca2e30e723a196084b0fa0040fbceca835359
Gerrit-Change-Number: 24642
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20210611/18dcb725/attachment.htm>

More information about the gerrit-log mailing list