<p>pespin has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/libosmo-abis/+/19478">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">ipaccess: Fix use-after-free in ipaccess_drop()<br><br>Recent commit b8ea0ff521a3e01c22a9dd1948b9a853521f575e introduced a<br>heap-use-after-free while getting rid of memleaks and clearing up the<br>reference counting lifecycle of the line object.<br><br>In that commit, e1inp_line_put2() was added in ipaccess_drop() which may<br>potentially free the line object (and its children e1inp_ts objects)<br>under specific conditions/scenarios. However, the function still used<br>the child object e1i_ts which in those scenarios would access already<br>freed memory.<br><br>Let's keep a local reference during the life of the function to make<br>sure the object is non-freed during e1inp_line_put2(), so that we can<br>notify upper layers that the link is down.<br><br>Detected by enabling ASan and running BSC_Tests.TC_chopped_ipa_ping<br>TTCN3 test.<br><br>Related: OS#4688<br>Change-Id: I4f56af28ad8297846bcdc8ba7afe51fff0f9a00f<br>---<br>M src/input/ipaccess.c<br>1 file changed, 2 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/libosmo-abis refs/changes/78/19478/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/input/ipaccess.c b/src/input/ipaccess.c</span><br><span>index d81191c..30bcaf9 100644</span><br><span>--- a/src/input/ipaccess.c</span><br><span>+++ b/src/input/ipaccess.c</span><br><span>@@ -82,6 +82,7 @@</span><br><span> {</span><br><span>   int ret = 1;</span><br><span>         struct e1inp_ts *e1i_ts = ipaccess_line_ts(bfd, line);</span><br><span style="color: hsl(120, 100%, 40%);">+        e1inp_line_get2(line, __func__);</span><br><span> </span><br><span>         
ipaccess_keepalive_fsm_cleanup(e1i_ts);</span><br><span> </span><br><span>@@ -108,6 +109,7 @@</span><br><span>    /* e1inp_sign_link_destroy releases the socket descriptors for us. */</span><br><span>        line->ops->sign_link_down(line);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+    e1inp_line_put2(line, __func__);</span><br><span>     return ret;</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/libosmo-abis/+/19478">change 19478</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/libosmo-abis/+/19478"/><meta itemprop="name" content="View Change"/></div></div>
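<p>Review bot: The e1inp_line_get2(line, __func__) added in the first hunk, directly under the e1i_ts declaration, carries no comment saying why ipaccess_drop() pins the line, and it sits inside the declaration block ahead of the blank line. Suggest moving it below the blank line and adding a short comment that the reference keeps line and its e1inp_ts children alive until sign_link_down() has run, so that a later cleanup does not remove the get/put pair as redundant.</p>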
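<p>Review bot: The e1inp_line_put2(line, __func__) before return ret in the second hunk is the only release this patch adds (the diffstat shows 2 insertions), so any return in the part of ipaccess_drop() between the two hunks, which is not shown here, would leave the reference taken by e1inp_line_get2() held and leak the line. Please confirm the function has a single exit, or route early exits through this put. Since the commit message says a put may free the line, a short comment here that neither line nor e1i_ts may be touched after this call would also help.</p>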

<div style="display:none"> Gerrit-Project: libosmo-abis </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I4f56af28ad8297846bcdc8ba7afe51fff0f9a00f </div>
<div style="display:none"> Gerrit-Change-Number: 19478 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: pespin &lt;pespin@sysmocom.de&gt; </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>