<p>neels has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-mgw/+/15838">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">endpoint FSM: allow cancelling a notify event<br><br>There is a use-after-free problem if a 'notify' FSM as passed to<br>osmo_mgcpc_ep_ci_request() deallocates before the notify event has been<br>dispatched. To avoid that, add API to allow cancelling a notify.<br><br>Change-Id: I41687d7f3a808587ab7f7520f46dcc3c29cff92d<br>---<br>M include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h<br>M src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c<br>2 files changed, 82 insertions(+), 20 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-mgw refs/changes/38/15838/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h b/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h</span><br><span>index d77371a..736da22 100644</span><br><span>--- a/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h</span><br><span>+++ b/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h</span><br><span>@@ -29,6 +29,9 @@</span><br><span> uint32_t event_success, uint32_t event_failure,</span><br><span> void *notify_data);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+void osmo_mgcpc_ep_cancel_notify(struct osmo_mgcpc_ep *ep, struct osmo_fsm_inst *notify);</span><br><span style="color: hsl(120, 100%, 40%);">+struct osmo_mgcpc_ep *osmo_mgcpc_ep_ci_ep(struct osmo_mgcpc_ep_ci *ci);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*! Dispatch a DLCX for the given connection.</span><br><span> * \param ci Connection identifier as obtained from osmo_mgcpc_ep_ci_add().</span><br><span> */</span><br><span>diff --git a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c</span><br><span>index 3ea1492..2259788 100644</span><br><span>--- a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c</span><br><span>+++ b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c</span><br><span>@@ -73,6 +73,14 @@</span><br><span> </span><br><span> static struct osmo_fsm osmo_mgcpc_ep_fsm;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+struct fsm_notify {</span><br><span style="color: hsl(120, 100%, 40%);">+ struct llist_head entry;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct osmo_fsm_inst *fi;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t success;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t failure;</span><br><span style="color: hsl(120, 100%, 40%);">+ void *data;</span><br><span style="color: hsl(120, 100%, 40%);">+};</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*! One connection on an endpoint, corresponding to a connection identifier (CI) as returned by the MGW.</span><br><span> * An endpoint has a fixed number of slots of these, which may or may not be in use.</span><br><span> */</span><br><span>@@ -87,10 +95,7 @@</span><br><span> bool sent;</span><br><span> enum mgcp_verb verb;</span><br><span> struct mgcp_conn_peer verb_info;</span><br><span style="color: hsl(0, 100%, 40%);">- struct osmo_fsm_inst *notify;</span><br><span style="color: hsl(0, 100%, 40%);">- uint32_t notify_success;</span><br><span style="color: hsl(0, 100%, 40%);">- uint32_t notify_failure;</span><br><span style="color: hsl(0, 100%, 40%);">- void *notify_data;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct fsm_notify notify;</span><br><span> </span><br><span> bool got_port_info;</span><br><span> struct mgcp_conn_peer rtp_info;</span><br><span>@@ -118,6 +123,10 @@</span><br><span> /*! Endpoint connection slots. Note that each connection has its own set of FSM event numbers to signal success</span><br><span> * and failure, depending on its index within this array. See CI_EV_SUCCESS and CI_EV_FAILURE. */</span><br><span> struct osmo_mgcpc_ep_ci ci[USABLE_CI];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Internal use: if a function keeps an fsm_notify for later dispatch while already clearing or re-using the</span><br><span style="color: hsl(120, 100%, 40%);">+ * ci[], the fsm_notify should be kept here to also get canceled by osmo_mgcpc_ep_cancel_notify(). */</span><br><span style="color: hsl(120, 100%, 40%);">+ struct llist_head background_notify;</span><br><span> };</span><br><span> </span><br><span> const struct value_string osmo_mgcp_verb_names[] = {</span><br><span>@@ -296,6 +305,7 @@</span><br><span> .fi = fi,</span><br><span> .T_defs = T_defs,</span><br><span> };</span><br><span style="color: hsl(120, 100%, 40%);">+ INIT_LLIST_HEAD(&ep->background_notify);</span><br><span> fi->priv = ep;</span><br><span> </span><br><span> va_start(ap, endpoint_str_fmt);</span><br><span>@@ -354,15 +364,20 @@</span><br><span> </span><br><span> static void on_failure(struct osmo_mgcpc_ep_ci *ci)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- struct osmo_fsm_inst *notify = ci->notify;</span><br><span style="color: hsl(0, 100%, 40%);">- uint32_t notify_failure = ci->notify_failure;</span><br><span style="color: hsl(0, 100%, 40%);">- void *notify_data = ci->notify_data;</span><br><span> struct osmo_mgcpc_ep *ep = ci->ep;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct fsm_notify notify;</span><br><span> int i;</span><br><span> </span><br><span> if (!ci->occupied)</span><br><span> return;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ /* When dispatching an event for this CI, the user may decide to trigger the next request for this conn right</span><br><span style="color: hsl(120, 100%, 40%);">+ * away. So we must be ready with a cleared *ci. Store the notify separately and clear before dispatching. */</span><br><span style="color: hsl(120, 100%, 40%);">+ notify = ci->notify;</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Register the planned notification in ep->background_notify so we also catch any osmo_mgcpc_ep_cancel_notify()</span><br><span style="color: hsl(120, 100%, 40%);">+ * that might be triggered between clearing the ci and actually dispatching the event. */</span><br><span style="color: hsl(120, 100%, 40%);">+ llist_add(¬ify.entry, &ep->background_notify);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> *ci = (struct osmo_mgcpc_ep_ci){</span><br><span> .ep = ci->ep,</span><br><span> };</span><br><span>@@ -387,11 +402,15 @@</span><br><span> </span><br><span> /* If this check has terminated the FSM instance, don't fire any more events to prevent use-after-free problems.</span><br><span> * The endpoint FSM does dispatch a term event to its parent, and everything should be cleaned like that. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (!osmo_mgcpc_ep_fsm_check_state_chg_after_response(ci->ep->fi))</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!osmo_mgcpc_ep_fsm_check_state_chg_after_response(ep->fi)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* The ep has deallocated, no need to llist_del(¬ify.entry) here. */</span><br><span> return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (notify)</span><br><span style="color: hsl(0, 100%, 40%);">- osmo_fsm_inst_dispatch(notify, notify_failure, notify_data);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (notify.fi)</span><br><span style="color: hsl(120, 100%, 40%);">+ osmo_fsm_inst_dispatch(notify.fi, notify.failure, notify.data);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ llist_del(¬ify.entry);</span><br><span> }</span><br><span> </span><br><span> static int update_endpoint_name(struct osmo_mgcpc_ep_ci *ci, const char *new_endpoint_name)</span><br><span>@@ -472,10 +491,10 @@</span><br><span> LOG_CI(ci, LOGL_DEBUG, "received successful response to %s: RTP=%s%s\n",</span><br><span> osmo_mgcp_verb_name(ci->verb),</span><br><span> mgcp_conn_peer_name(ci->got_port_info? &ci->rtp_info : NULL),</span><br><span style="color: hsl(0, 100%, 40%);">- ci->notify ? "" : " (not sending a notification)");</span><br><span style="color: hsl(120, 100%, 40%);">+ ci->notify.fi ? "" : " (not sending a notification)");</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (ci->notify)</span><br><span style="color: hsl(0, 100%, 40%);">- osmo_fsm_inst_dispatch(ci->notify, ci->notify_success, ci->notify_data);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ci->notify.fi)</span><br><span style="color: hsl(120, 100%, 40%);">+ osmo_fsm_inst_dispatch(ci->notify.fi, ci->notify.success, ci->notify.data);</span><br><span> </span><br><span> osmo_mgcpc_ep_fsm_check_state_chg_after_response(ci->ep->fi);</span><br><span> }</span><br><span>@@ -536,6 +555,11 @@</span><br><span> ((struct osmo_mgcpc_ep*)fi->priv)->T_defs, 5)</span><br><span> </span><br><span> /*! Dispatch an actual CRCX/MDCX/DLCX message for this connection.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * If the 'notify' instance deallocates before it received a notification of event_success or event_failure,</span><br><span style="color: hsl(120, 100%, 40%);">+ * osmo_mgcpc_ep_ci_cancel_notify() or osmo_mgcpc_ep_cancel_notify() must be called. It is not harmful to cancel</span><br><span style="color: hsl(120, 100%, 40%);">+ * notification after an event has been received.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span> * \param ci Connection identifier as obtained from osmo_mgcpc_ep_ci_add().</span><br><span> * \param verb MGCP operation to dispatch.</span><br><span> * \param verb_info Parameters for the MGCP operation.</span><br><span>@@ -584,16 +608,18 @@</span><br><span> .occupied = true,</span><br><span> /* .pending = true follows below */</span><br><span> .verb = verb,</span><br><span style="color: hsl(0, 100%, 40%);">- .notify = notify,</span><br><span style="color: hsl(0, 100%, 40%);">- .notify_success = event_success,</span><br><span style="color: hsl(0, 100%, 40%);">- .notify_failure = event_failure,</span><br><span style="color: hsl(0, 100%, 40%);">- .notify_data = notify_data,</span><br><span style="color: hsl(120, 100%, 40%);">+ .notify = {</span><br><span style="color: hsl(120, 100%, 40%);">+ .fi = notify,</span><br><span style="color: hsl(120, 100%, 40%);">+ .success = event_success,</span><br><span style="color: hsl(120, 100%, 40%);">+ .failure = event_failure,</span><br><span style="color: hsl(120, 100%, 40%);">+ .data = notify_data,</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> };</span><br><span> osmo_strlcpy(cleared_ci.label, ci->label, sizeof(cleared_ci.label));</span><br><span> osmo_strlcpy(cleared_ci.mgcp_ci_str, ci->mgcp_ci_str, sizeof(cleared_ci.mgcp_ci_str));</span><br><span> *ci = cleared_ci;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- LOG_CI_VERB(ci, LOGL_DEBUG, "notify=%s\n", osmo_fsm_inst_name(ci->notify));</span><br><span style="color: hsl(120, 100%, 40%);">+ LOG_CI_VERB(ci, LOGL_DEBUG, "notify=%s\n", osmo_fsm_inst_name(ci->notify.fi));</span><br><span> </span><br><span> if (verb_info)</span><br><span> ci->verb_info = *verb_info;</span><br><span>@@ -651,10 +677,39 @@</span><br><span> osmo_fsm_inst_dispatch(notify, event_failure, notify_data);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/*! No longer notify for any state changes for any conns of this endpoint.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Useful if the notify instance passed to osmo_mgcpc_ep_ci_request() is about to deallocate.</span><br><span style="color: hsl(120, 100%, 40%);">+ * \param ep The endpoint FSM instance.</span><br><span style="color: hsl(120, 100%, 40%);">+ * \param notify Which target to cancel notification for, if NULL cancel all notifications. */</span><br><span style="color: hsl(120, 100%, 40%);">+void osmo_mgcpc_ep_cancel_notify(struct osmo_mgcpc_ep *ep, struct osmo_fsm_inst *notify)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct fsm_notify *n;</span><br><span style="color: hsl(120, 100%, 40%);">+ int i;</span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i < ARRAY_SIZE(ep->ci); i++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ struct osmo_mgcpc_ep_ci *ci = &ep->ci[i];</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!notify || ci->notify.fi == notify)</span><br><span style="color: hsl(120, 100%, 40%);">+ ci->notify.fi = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ llist_for_each_entry(n, &ep->background_notify, entry) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!notify || n->fi == notify)</span><br><span style="color: hsl(120, 100%, 40%);">+ n->fi = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/* Return the osmo_mgcpc_ep that this conn belongs to. */</span><br><span style="color: hsl(120, 100%, 40%);">+struct osmo_mgcpc_ep *osmo_mgcpc_ep_ci_ep(struct osmo_mgcpc_ep_ci *conn)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!conn)</span><br><span style="color: hsl(120, 100%, 40%);">+ return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return conn->ep;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static int send_verb(struct osmo_mgcpc_ep_ci *ci)</span><br><span> {</span><br><span> int rc;</span><br><span> struct osmo_mgcpc_ep *ep = ci->ep;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct fsm_notify notify;</span><br><span> </span><br><span> if (!ci->occupied || !ci->pending || ci->sent)</span><br><span> return 0;</span><br><span>@@ -693,11 +748,14 @@</span><br><span> osmo_mgcp_verb_name(ci->verb), ci->mgcp_ci_str);</span><br><span> /* The way this is designed, we actually need to forget all about the ci right away. */</span><br><span> mgcp_conn_delete(ci->mgcp_client_fi);</span><br><span style="color: hsl(0, 100%, 40%);">- if (ci->notify)</span><br><span style="color: hsl(0, 100%, 40%);">- osmo_fsm_inst_dispatch(ci->notify, ci->notify_success, ci->notify_data);</span><br><span style="color: hsl(120, 100%, 40%);">+ notify = ci->notify;</span><br><span> *ci = (struct osmo_mgcpc_ep_ci){</span><br><span> .ep = ep,</span><br><span> };</span><br><span style="color: hsl(120, 100%, 40%);">+ /* When dispatching an event for this CI, the user may decide to trigger the next request for this conn</span><br><span style="color: hsl(120, 100%, 40%);">+ * right away. So we must be ready with a cleared *ci. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (notify.fi)</span><br><span style="color: hsl(120, 100%, 40%);">+ osmo_fsm_inst_dispatch(notify.fi, notify.success, notify.data);</span><br><span> break;</span><br><span> </span><br><span> default:</span><br><span>@@ -712,6 +770,7 @@</span><br><span> {</span><br><span> if (!ep)</span><br><span> return;</span><br><span style="color: hsl(120, 100%, 40%);">+ osmo_mgcpc_ep_cancel_notify(ep, NULL);</span><br><span> osmo_fsm_inst_term(ep->fi, OSMO_FSM_TERM_REGULAR, 0);</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-mgw/+/15838">change 15838</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-mgw/+/15838"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: osmo-mgw </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I41687d7f3a808587ab7f7520f46dcc3c29cff92d </div>
<div style="display:none"> Gerrit-Change-Number: 15838 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: neels <nhofmeyr@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>