Change in libosmocore[master]: ns2: Avoid use-after-free when SGSN-side non-persistent SNS-NSE fails

historical

Hello Jenkins Builder, laforge, pespin, lynxis lazus, 

I'd like you to reexamine a change. Please visit

    https://gerrit.osmocom.org/c/libosmocore/+/26199

to look at the new patch set (#3).

Change subject: ns2: Avoid use-after-free when SGSN-side non-persistent SNS-NSE fails
......................................................................

ns2: Avoid use-after-free when SGSN-side non-persistent SNS-NSE fails

alive_timeout_handler() changes the state to RECOVERING which calls
ns2_st_alive_onenter()->ns2_nse_notify_unblocked(unblocked=false)->
ns2_sns_notify_alive(unblocked=false)

When all (signalling) NSVCs have failed and gss->role is SGSN and not
persistent sns_failed() calls gprs_ns2_free_nse() which talloc_free()s
the nse before returning.

The next line in ns2_nse_notify_unblocked() tries to read nse->alive which then causes the
use-after-free.

Change-Id: I0486a77fd3e21fd3904bd19e4e0225ffbf654935
Related: OS#5302
---
M src/gb/gprs_ns2.c
1 file changed, 6 insertions(+), 1 deletion(-)

  git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/99/26199/3
-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/26199
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I0486a77fd3e21fd3904bd19e4e0225ffbf654935
Gerrit-Change-Number: 26199
Gerrit-PatchSet: 3
Gerrit-Owner: daniel <dwillmann at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: lynxis lazus <lynxis at fe80.eu>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: newpatchset
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20211111/a2a2fceb/attachment.htm>