<p>neels <strong>submitted</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmo-mgw/+/15839">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Jenkins Builder: Verified
laforge: Looks good to me, but someone else must approve
pespin: Looks good to me, but someone else must approve
fixeria: Looks good to me, but someone else must approve
neels: Looks good to me, approved
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">fix use-after-free: require new fsm deferred dealloc, check for term<br><br>API doc: require osmo_fsm_set_dealloc_ctx().<br><br>mgcp_client during delete: do not reparent the FSM when it is already<br>terminating.<br><br>I have recently discovered a vulnerability: if an endpoint FSM deallocates<br>during event handling of a successful MGCP response, this causes a<br>use-after-free; and once that is fixed, a state change on the already<br>terminated FSM causes a pointer corruption by using already cleaned data<br>structures. osmo_fsm_set_dealloc_ctx() fixes the use-after-free, and<br>osmo_fsm_set_term_stops_actions() fixes the pointer corruption.<br><br>Related: Ib7fce7b7d54dfb87af97544796680919e5929a50 (osmo-bsc),<br> I08c03946605aa12e0a5ce8b3c773704ef5327a7a (osmo-msc)<br>Depends: Ief4dba9ea587c9b4aea69993e965fbb20fb80e78 (libosmocore),<br> I0adc13a1a998e953b6c850efa2761350dd07e03a (libosmocore)<br>Change-Id: I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3<br>---<br>M src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c<br>M src/libosmo-mgcp-client/mgcp_client_fsm.c<br>2 files changed, 6 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c</span><br><span>index 2259788..ef4da17 100644</span><br><span>--- a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c</span><br><span>+++ b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c</span><br><span>@@ -255,6 +255,9 @@</span><br><span> * MGCP messages to set up the endpoint will be sent on the given mgcp_client, as soon as the first</span><br><span> * osmo_mgcpc_ep_ci_request() is invoked.</span><br><span> *</span><br><span style="color: hsl(120, 100%, 40%);">+ * IMPORTANT: To avoid use-after-free problems, using this FSM requires use of deferred FSM deallocation using</span><br><span style="color: hsl(120, 100%, 40%);">+ * osmo_fsm_set_dealloc_ctx(), e.g. using osmo_select_main_ctx(OTC_SELECT) with osmo_select_main_ctx() as main loop.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span> * A typical sequence of events would be:</span><br><span> *</span><br><span> * ep = osmo_mgcpc_ep_alloc(..., mgcp_client_rtpbridge_wildcard(client));</span><br><span>diff --git a/src/libosmo-mgcp-client/mgcp_client_fsm.c b/src/libosmo-mgcp-client/mgcp_client_fsm.c</span><br><span>index 7565d32..800ae1b 100644</span><br><span>--- a/src/libosmo-mgcp-client/mgcp_client_fsm.c</span><br><span>+++ b/src/libosmo-mgcp-client/mgcp_client_fsm.c</span><br><span>@@ -708,6 +708,9 @@</span><br><span> </span><br><span> OSMO_ASSERT(mgcp_ctx);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (fi->proc.terminating)</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* Unlink FSM from parent */</span><br><span> osmo_fsm_inst_unlink_parent(fi, NULL);</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-mgw/+/15839">change 15839</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-mgw/+/15839"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: osmo-mgw </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3 </div>
<div style="display:none"> Gerrit-Change-Number: 15839 </div>
<div style="display:none"> Gerrit-PatchSet: 3 </div>
<div style="display:none"> Gerrit-Owner: neels <nhofmeyr@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: fixeria <axilirator@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-Reviewer: neels <nhofmeyr@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>