<p>Vadim Yanitskiy <strong>merged</strong> this change.</p><p><a href="https://gerrit.osmocom.org/13450">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Harald Welte: Looks good to me, approved
  Neels Hofmeyr: Looks good to me, but someone else must approve
  Jenkins Builder: Verified

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">libmsc/sms_queue.c: fix memleak in smsq_take_next_sms()<br><br>A memleak has been noticed after executing some of TTCN-3 test<br>cases. For example, the following ones:<br><br>  - MSC_Tests.TC_lu_and_mo_sms,<br>  - MSC_Tests.TC_lu_and_mt_sms.<br><br>The key point is that MSC_Tests.TC_lu_and_mo_sms basically sends<br>a MO SMS to a non-attached subscriber with MSISDN 12345, so this<br>message is getting stored in the SMSC's database.<br><br>As soon as the SMSC's queue is triggered, sms_submit_pending() would<br>retrieve pending messages from the database by calling function<br>smsq_take_next_sms() in a loop and attempt to deliver them.<br><br>This function in its turn checks whether the subscriber is attached<br>or not. If not, the allocated 'gsm_sms' structure would not be<br>free()ed! Therefore, every time smsq_take_next_sms() is called,<br>one 'gsm_sms' structure for an unattached subscriber is leaked.<br><br>Furthermore, there is a unit test called 'sms_queue_test', that<br>actually does cover smsq_take_next_sms() and was designed to<br>catch some potential memory leaks, but...<br><br>In order to avoid emulating the low-level SQLite API, the unit<br>test by design overwrites some functions of libmsc, including<br>db_sms_get_next_unsent_rr_msisdn(), that is being called by<br>smsq_take_next_sms().<br><br>The problem is that the original function in libmsc does<br>allocate a 'gsm_sms' structure on heap (using talloc), while<br>the overwriting function did this statically, returning a<br>pointer to stack. 
This critical difference made it impossible<br>to spot the memleak in smsq_take_next_sms() during the<br>unit test execution.<br><br>Let's refactor 'sms_queue_test' to use dynamic memory allocation,<br>and finally fix the evil memleak in smsq_take_next_sms().<br><br>Change-Id: Iad5e4d84d8d410ea43d5907e9ddf6e5fdb55bc7a<br>Closes: OS#3860<br>---<br>M src/libmsc/sms_queue.c<br>M tests/sms_queue/sms_queue_test.c<br>2 files changed, 37 insertions(+), 9 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/libmsc/sms_queue.c b/src/libmsc/sms_queue.c</span><br><span>index c924dde..274c712 100644</span><br><span>--- a/src/libmsc/sms_queue.c</span><br><span>+++ b/src/libmsc/sms_queue.c</span><br><span>@@ -226,8 +226,13 @@</span><br><span>                 osmo_strlcpy(last_msisdn, sms->dst.addr, last_msisdn_buflen);</span><br><span> </span><br><span>                 /* Is the subscriber attached? If not, go to next SMS */</span><br><span style="color: hsl(0, 100%, 40%);">-                if (!sms->receiver || !sms->receiver->lu_complete)</span><br><span style="color: hsl(120, 100%, 40%);">+           if (!sms->receiver || !sms->receiver->lu_complete) {</span><br><span style="color: hsl(120, 100%, 40%);">+                 LOGP(DLSMS, LOGL_DEBUG,</span><br><span style="color: hsl(120, 100%, 40%);">+                            "Subscriber %s is not attached, skipping SMS %llu\n",</span><br><span style="color: hsl(120, 100%, 40%);">+                       vlr_subscr_msisdn_or_name(sms->receiver), sms->id);</span><br><span style="color: hsl(120, 100%, 40%);">+                        sms_free(sms);</span><br><span>                       continue;</span><br><span style="color: hsl(120, 100%, 40%);">+             }</span><br><span> </span><br><span>                return sms;</span><br><span>  }</span><br><span>diff --git a/tests/sms_queue/sms_queue_test.c b/tests/sms_queue/sms_queue_test.c</span><br><span>index 
e426377..f64f715 100644</span><br><span>--- a/tests/sms_queue/sms_queue_test.c</span><br><span>+++ b/tests/sms_queue/sms_queue_test.c</span><br><span>@@ -26,8 +26,10 @@</span><br><span> #include <osmocom/msc/debug.h></span><br><span> #include <osmocom/msc/vlr.h></span><br><span> #include <osmocom/msc/gsm_data.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <osmocom/msc/gsm_04_11.h></span><br><span> </span><br><span> static void *talloc_ctx = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+extern void *tall_gsms_ctx;</span><br><span> </span><br><span> struct gsm_sms *smsq_take_next_sms(struct gsm_network *net,</span><br><span>                                   char *last_msisdn,</span><br><span>@@ -45,8 +47,6 @@</span><br><span>    printf(" (last_msisdn='%s')\n", last_msisdn? last_msisdn : "NULL");</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-static struct gsm_sms fake_sms = { 0 };</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span> struct {</span><br><span>  const char *msisdn;</span><br><span>  int nr_of_sms;</span><br><span>@@ -91,11 +91,19 @@</span><br><span>                                                         const char *last_msisdn,</span><br><span>                                                     unsigned int max_failed)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-   static struct vlr_subscr arbitrary_vsub = { .lu_complete = true };</span><br><span style="color: hsl(120, 100%, 40%);">+    static struct vlr_subscr arbitrary_vsub;</span><br><span style="color: hsl(120, 100%, 40%);">+      struct gsm_sms *sms;</span><br><span>         int i;</span><br><span>       printf("     hitting database: looking for MSISDN > '%s', failed_attempts <= %d\n",</span><br><span>         last_msisdn, max_failed);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+  /* Every time we call sms_free(), the internal logic of 
libmsc</span><br><span style="color: hsl(120, 100%, 40%);">+         * may call vlr_subscr_put() on our arbitrary_vsub, what would</span><br><span style="color: hsl(120, 100%, 40%);">+         * lead to a segfault if its use_count <= 0. To prevent this,</span><br><span style="color: hsl(120, 100%, 40%);">+       * let's ensure a big enough initial value. */</span><br><span style="color: hsl(120, 100%, 40%);">+    arbitrary_vsub.use_count = 1000;</span><br><span style="color: hsl(120, 100%, 40%);">+      arbitrary_vsub.lu_complete = true;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>         for (i = 0; i < ARRAY_SIZE(fake_sms_db); i++) {</span><br><span>           if (!fake_sms_db[i].nr_of_sms)</span><br><span>                       continue;</span><br><span>@@ -103,14 +111,19 @@</span><br><span>                    continue;</span><br><span>            if (fake_sms_db[i].failed_attempts > max_failed)</span><br><span>                  continue;</span><br><span style="color: hsl(0, 100%, 40%);">-               osmo_strlcpy(fake_sms.dst.addr, fake_sms_db[i].msisdn,</span><br><span style="color: hsl(0, 100%, 40%);">-                       sizeof(fake_sms.dst.addr));</span><br><span style="color: hsl(0, 100%, 40%);">-                fake_sms.receiver = fake_sms_db[i].vsub_attached? 
&arbitrary_vsub : NULL;</span><br><span style="color: hsl(0, 100%, 40%);">-           osmo_strlcpy(fake_sms.text, fake_sms_db[i].msisdn, sizeof(fake_sms.text));</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+          sms = sms_alloc();</span><br><span style="color: hsl(120, 100%, 40%);">+            OSMO_ASSERT(sms);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+           osmo_strlcpy(sms->dst.addr, fake_sms_db[i].msisdn,</span><br><span style="color: hsl(120, 100%, 40%);">+                      sizeof(sms->dst.addr));</span><br><span style="color: hsl(120, 100%, 40%);">+               sms->receiver = fake_sms_db[i].vsub_attached? &arbitrary_vsub : NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+          osmo_strlcpy(sms->text, fake_sms_db[i].msisdn, sizeof(sms->text));</span><br><span>             if (fake_sms_db[i].vsub_attached)</span><br><span>                    fake_sms_db[i].nr_of_sms--;</span><br><span style="color: hsl(0, 100%, 40%);">-             return &fake_sms;</span><br><span style="color: hsl(120, 100%, 40%);">+         return sms;</span><br><span>  }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>  return NULL;</span><br><span> }</span><br><span> </span><br><span>@@ -127,6 +140,10 @@</span><br><span>         printf("-->\n");</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/* sms_free() is not safe against NULL */</span><br><span style="color: hsl(120, 100%, 40%);">+#define sms_free_safe(sms) \</span><br><span style="color: hsl(120, 100%, 40%);">+       if (sms != NULL) sms_free(sms)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static void test_next_sms()</span><br><span> {</span><br><span>         int i;</span><br><span>@@ -141,6 +158,7 @@</span><br><span>                 struct gsm_sms *sms = smsq_take_next_sms(NULL, 
last_msisdn, sizeof(last_msisdn));</span><br><span>            _test_take_next_sms_print(i, sms, last_msisdn);</span><br><span>              OSMO_ASSERT(i >= 4 || sms);</span><br><span style="color: hsl(120, 100%, 40%);">+                sms_free_safe(sms);</span><br><span>  }</span><br><span> </span><br><span>        printf("\n- SMS are pending at various nr failed attempts (cutoff at >= 10)\n");</span><br><span>@@ -156,6 +174,7 @@</span><br><span>          struct gsm_sms *sms = smsq_take_next_sms(NULL, last_msisdn, sizeof(last_msisdn));</span><br><span>            _test_take_next_sms_print(i, sms, last_msisdn);</span><br><span>              OSMO_ASSERT(i >= 2 || sms);</span><br><span style="color: hsl(120, 100%, 40%);">+                sms_free_safe(sms);</span><br><span>  }</span><br><span> </span><br><span>        printf("\n- iterate the SMS DB at most once\n");</span><br><span>@@ -206,6 +225,10 @@</span><br><span>    logging_ctx = talloc_named_const(talloc_ctx, 0, "logging");</span><br><span>        osmo_init_logging2(logging_ctx, &info);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+       /* Share our talloc context with libmsc's GSM 04.11 code,</span><br><span style="color: hsl(120, 100%, 40%);">+  * so sms_alloc() would use it instead of NULL. */</span><br><span style="color: hsl(120, 100%, 40%);">+    tall_gsms_ctx = talloc_ctx;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>        OSMO_ASSERT(osmo_stderr_target);</span><br><span>     log_set_use_color(osmo_stderr_target, 0);</span><br><span>    log_set_print_timestamp(osmo_stderr_target, 0);</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/13450">change 13450</a>. 
To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p>
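<p>Review bot: in the new skip branch in src/libmsc/sms_queue.c (hunk @@ -226,8 +226,13), the LOGP call passes sms->receiver to vlr_subscr_msisdn_or_name() on a path where the condition just established that sms->receiver may be NULL (`if (!sms->receiver || !sms->receiver->lu_complete)`). Unless vlr_subscr_msisdn_or_name() is known to tolerate a NULL subscriber, this turns the memleak fix into a NULL dereference for exactly the case the TTCN-3 test triggers, a non-attached subscriber. Either confirm it is NULL-safe or log the destination from the SMS itself, e.g. `"Subscriber %s is not attached, skipping SMS %llu\n", sms->dst.addr, sms->id`, which is the same value last_msisdn was just copied from. The ordering of the fix itself is right: osmo_strlcpy() into last_msisdn happens before sms_free(sms), so the loop cursor never reads freed memory.</p>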
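<p>Review bot: `extern void *tall_gsms_ctx;` in tests/sms_queue/sms_queue_test.c (hunk @@ -26,8 +26,10) is a hand-written declaration rather than one picked up from a libmsc header. If the symbol is renamed or its type changes in libmsc, the test still compiles and only fails at link time or at runtime. The same hunk already adds `#include <osmocom/msc/gsm_04_11.h>` for sms_alloc()/sms_free(); declaring tall_gsms_ctx there keeps a single declaration that the compiler checks against the definition.</p>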
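<p>Review bot: the `arbitrary_vsub.use_count = 1000;` workaround in the fake db_sms_get_next_unsent_rr_msisdn() (hunk @@ -91,11 +91,19) papers over an ownership mismatch instead of fixing it. The comment itself states that sms_free() calls vlr_subscr_put() on the receiver, i.e. an SMS handed out by the real DB function carries a reference to its receiver; the fake hands out &arbitrary_vsub without taking one and then compensates with a magic count. Incrementing arbitrary_vsub.use_count once for every SMS returned with vsub_attached set, at the point where `sms->receiver = ... &arbitrary_vsub : NULL;` is assigned, would make the fake follow the same contract and would turn the counter into a check that no reference is dropped twice. If the constant stays, note in the comment that use_count is reset on every fake DB hit, so the real bound is one sms_free() per call and 1000 is not a tuned number.</p>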
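<p>Review bot: the `sms_free_safe()` macro (hunk @@ -127,6 +140,10) expands to a bare `if (sms != NULL) sms_free(sms)` with no `do { ... } while (0)` wrapper and no parentheses around the argument, so `if (cond) sms_free_safe(sms); else ...` binds the else to the macro's own if, and an argument expression with lower precedence than `!=` expands incorrectly. Use `do { if ((sms) != NULL) sms_free(sms); } while (0)`, or a static inline function, which additionally gives the compiler a pointer type to check.</p>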
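<p>Review bot: the two loops that gained `sms_free_safe(sms);` (hunks @@ -141,6 +158,7 and @@ -156,6 +174,7) are followed by a third section, `printf("\n- iterate the SMS DB at most once\n");`, whose loop body no hunk in this patch touches. Now that the fake DB returns heap-allocated SMS, every smsq_take_next_sms() caller in the test owns its result; if that third loop still only prints the SMS, the test itself leaks and any talloc report at exit will blame libmsc for it. Please confirm the same free was added there, or that the loop does not receive an SMS on any iteration.</p>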

<div style="display:none"> Gerrit-Project: osmo-msc </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: Iad5e4d84d8d410ea43d5907e9ddf6e5fdb55bc7a </div>
<div style="display:none"> Gerrit-Change-Number: 13450 </div>
<div style="display:none"> Gerrit-PatchSet: 5 </div>
<div style="display:none"> Gerrit-Owner: Vadim Yanitskiy <axilirator@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: Harald Welte <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder (1000002) </div>
<div style="display:none"> Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Pau Espin Pedrol <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Vadim Yanitskiy <axilirator@gmail.com> </div>