Change in libosmocore[master]: ns2: Avoid use-after-free when SGSN-side non-persistent SNS-NSE fails

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

laforge gerrit-no-reply at lists.osmocom.org
Thu Nov 11 18:29:42 UTC 2021


laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/26199 )

Change subject: ns2: Avoid use-after-free when SGSN-side non-persistent SNS-NSE fails
......................................................................

ns2: Avoid use-after-free when SGSN-side non-persistent SNS-NSE fails

alive_timeout_handler() changes the state to RECOVERING which calls
ns2_st_alive_onenter()->ns2_nse_notify_unblocked(unblocked=false)->
ns2_sns_notify_alive(unblocked=false)

When all (signalling) NSVCs have failed and gss->role is SGSN and not
persistent, sns_failed() calls gprs_ns2_free_nse(), which talloc_free()s
the nse before returning.

The next line in ns2_nse_notify_unblocked() tries to read nse->alive which then causes the
use-after-free.

Change-Id: I0486a77fd3e21fd3904bd19e4e0225ffbf654935
Related: OS#5302
---
M src/gb/gprs_ns2.c
1 file changed, 6 insertions(+), 1 deletion(-)

Approvals:
  Jenkins Builder: Verified
  pespin: Looks good to me, but someone else must approve
  osmith: Looks good to me, but someone else must approve
  laforge: Looks good to me, approved



diff --git a/src/gb/gprs_ns2.c b/src/gb/gprs_ns2.c
index 3bb04ae..02d2266 100644
--- a/src/gb/gprs_ns2.c
+++ b/src/gb/gprs_ns2.c
@@ -1392,11 +1392,16 @@
 void ns2_nse_notify_unblocked(struct gprs_ns2_vc *nsvc, bool unblocked)
 {
 	struct gprs_ns2_nse *nse = nsvc->nse;
+	struct gprs_ns2_inst *nsi = nse->nsi;
+	uint16_t nsei = nse->nsei;
 
 	ns2_nse_data_sum(nse);
 	ns2_sns_notify_alive(nse, nsvc, unblocked);
 
-	if (unblocked == nse->alive)
+	/* NSE could have been freed, try to get it again */
+	nse = gprs_ns2_nse_by_nsei(nsi, nsei);
+
+	if (!nse || unblocked == nse->alive)
 		return;
 
 	/* wait until both data_weight and sig_weight are != 0 before declaring NSE as alive */
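Review bot: the re-lookup `nse = gprs_ns2_nse_by_nsei(nsi, nsei);` after `ns2_sns_notify_alive()` does stop the caller from dereferencing a freed NSE, but it is a lookup by key rather than a liveness signal from the callee, so it would also match an NSE re-created with the same NSEI in between; a bool return from `ns2_sns_notify_alive()` (or a callback out-parameter) stating that the NSE was freed would make the contract explicit. Also worth stating in the `/* NSE could have been freed, try to get it again */` comment that `nsvc` is owned by that NSE and must not be touched after the call either, since the hunk only saves `nsi` and `nsei` up front and nothing prevents a later edit from reading `nsvc` below this point.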

-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/26199
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I0486a77fd3e21fd3904bd19e4e0225ffbf654935
Gerrit-Change-Number: 26199
Gerrit-PatchSet: 3
Gerrit-Owner: daniel <dwillmann at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: lynxis lazus <lynxis at fe80.eu>
Gerrit-Reviewer: osmith <osmith at sysmocom.de>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged