<p>laforge <strong>submitted</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/libosmocore/+/21831">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">lapd_core: Don't dereference data link after sending PRIM_DL_REL<br><br>We must always send the RELEASE.{indication,confirm} last before<br>returning from a function.  We cannot rely on the datalink to<br>still be around after the call, as the SAP user might have destroyed<br>the data link meanwhile.<br><br>This fixes a heap use-after-free (at least) with RBS2000 when the BTS<br>is fully brought up and the OML data link is lost, see OS#1762<br><br>Change-Id: I8ccca8d5e5d07b666557afe12ab8ac4910ddfb00<br>Related: OS#1761<br>Related: OS#1762<br>---<br>M src/gsm/lapd_core.c<br>1 file changed, 4 insertions(+), 5 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/gsm/lapd_core.c b/src/gsm/lapd_core.c</span><br><span>index ed0b320..e0c232f 100644</span><br><span>--- a/src/gsm/lapd_core.c</span><br><span>+++ b/src/gsm/lapd_core.c</span><br><span>@@ -624,8 +624,6 @@</span><br><span>            if (dl->retrans_ctr >= dl->n200_est_rel + 1) {</span><br><span>                      /* send MDL ERROR INIDCATION to L3 */</span><br><span>                        mdl_error(MDL_CAUSE_T200_EXPIRED, &dl->lctx);</span><br><span style="color: hsl(0, 100%, 40%);">-                    /* send RELEASE INDICATION to L3 */</span><br><span style="color: hsl(0, 100%, 40%);">-                     send_dl_simple(PRIM_DL_REL, PRIM_OP_CONFIRM, &dl->lctx);</span><br><span>                      /* flush tx and send buffers */</span><br><span>                      lapd_dl_flush_tx(dl);</span><br><span>                        lapd_dl_flush_send(dl);</span><br><span>@@ -634,6 +632,8 @@</span><br><span>                        /* NOTE: we must not change any other states or buffers</span><br><span>                       * and queues, since we may reconnect after handover</span><br><span>                          * failure. 
the buffered messages is replaced there */</span><br><span style="color: hsl(120, 100%, 40%);">+                        /* send RELEASE INDICATION to L3 */</span><br><span style="color: hsl(120, 100%, 40%);">+                   send_dl_simple(PRIM_DL_REL, PRIM_OP_CONFIRM, &dl->lctx);</span><br><span>                      break;</span><br><span>               }</span><br><span>            /* retransmit DISC command */</span><br><span>@@ -1230,13 +1230,12 @@</span><br><span>               || !!memcmp(dl->tx_hist[0].msg->data, msg->l3h,</span><br><span>                                                    length)) {</span><br><span>                   LOGDL(dl, LOGL_INFO, "**** UA response mismatches ****\n");</span><br><span style="color: hsl(0, 100%, 40%);">-                   rc = send_dl_simple(PRIM_DL_REL,</span><br><span style="color: hsl(0, 100%, 40%);">-                                PRIM_OP_INDICATION, lctx);</span><br><span style="color: hsl(0, 100%, 40%);">-                      msgb_free(msg);</span><br><span>                      /* go to idle state */</span><br><span>                       lapd_dl_flush_tx(dl);</span><br><span>                        lapd_dl_flush_send(dl);</span><br><span>                      lapd_dl_newstate(dl, LAPD_STATE_IDLE);</span><br><span style="color: hsl(120, 100%, 40%);">+                        rc = send_dl_simple(PRIM_DL_REL, PRIM_OP_INDICATION, lctx);</span><br><span style="color: hsl(120, 100%, 40%);">+                   msgb_free(msg);</span><br><span>                      return 0;</span><br><span>            }</span><br><span>    }</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/libosmocore/+/21831">change 21831</a>. 
To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p>
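<p>Review bot: in the first hunk (@@ -624,8) the RELEASE.confirm is removed from before the two flush calls, but <code>mdl_error(MDL_CAUSE_T200_EXPIRED, &amp;dl-&gt;lctx)</code> on the line above still calls up into L3 before <code>lapd_dl_flush_tx(dl)</code> and <code>lapd_dl_flush_send(dl)</code> run. The commit message only states the "send last" rule for RELEASE.{indication,confirm}; it would be worth a comment here (or in the SAP documentation) that the user must not destroy the data link from its MDL-ERROR handler, otherwise the same class of use-after-free remains on this path.</p>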
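<p>Review bot: in the second hunk (@@ -634,6) the re-added comment says "send RELEASE INDICATION to L3" but the call passes <code>PRIM_OP_CONFIRM</code>; since this is the DISC retransmission path, the confirm is what is intended, so the comment should read "send RELEASE CONFIRM to L3". Also, the call is now the last statement before <code>break;</code>, which only leaves the enclosing block: please check that nothing after the loop touches <code>dl</code>, because the commit message's rule is that the function must return right after the primitive is delivered, and <code>&amp;dl-&gt;lctx</code> is evaluated before the call, so that part is fine.</p>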
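<p>Review bot: in the third hunk (@@ -1230,13) the moved line <code>rc = send_dl_simple(PRIM_DL_REL, PRIM_OP_INDICATION, lctx);</code> is immediately followed by <code>return 0;</code>, so <code>rc</code> is a dead store; either <code>return rc;</code> or drop the assignment. The subsequent <code>msgb_free(msg);</code> after the indication is only safe because <code>msg</code> is the received UA frame owned by this function and not referenced from <code>dl</code>; a one-line comment saying so would stop a future reader from "fixing" the order back. Using the caller-supplied <code>lctx</code> rather than <code>&amp;dl-&gt;lctx</code> here is good, as it avoids touching <code>dl</code> at all after <code>lapd_dl_newstate()</code>.</p>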
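<p>The rule the commit message states (deliver the RELEASE primitive last, then return without touching the data link) is the general "callback may free its argument" ordering problem. The following is an added example written for this page, not libosmocore code: it models a data link whose SAP user tears the link down from inside the RELEASE handler, and runs the pre-patch ordering (primitive first, bookkeeping after) beside the patched ordering (bookkeeping first, primitive last). Teardown is modelled by poisoning the struct and counting accesses through a checking accessor instead of calling free(), so the misuse is counted rather than being undefined behaviour; in the real code the link is heap-allocated and the same access is the heap use-after-free the commit fixes. All names here (<code>DL_MAGIC</code>, <code>dl_check</code>, <code>release_buggy</code>, <code>release_fixed</code>, <code>user_destroys_on_release</code>, <code>run_variant</code>) are hypothetical.</p>

```c
/* Added illustration, not libosmocore code: why a RELEASE primitive must be
 * the last thing a LAPD function does with its data link.  The SAP user's
 * callback may tear the link down; this model "teardown" poisons the struct
 * instead of free()ing it so the misuse is countable rather than undefined. */
#include <stdio.h>
#include <string.h>

#define DL_MAGIC 0x4c415044u  /* hypothetical "alive" sentinel */

enum prim { PRIM_DATA, PRIM_DL_REL };

struct dl;
typedef void (*sap_user_cb)(struct dl *dl, enum prim p);

struct dl {
    unsigned magic;          /* DL_MAGIC while alive, 0 after teardown */
    int state;
    int tx_pending;
    sap_user_cb user_cb;     /* the SAP user's primitive handler */
};

static int g_use_after_teardown; /* dereferences of a torn-down link */

/* every access to the link goes through this check */
static struct dl *dl_check(struct dl *dl)
{
    if (dl->magic != DL_MAGIC)
        g_use_after_teardown++;
    return dl;
}

static void dl_flush(struct dl *dl)
{
    dl_check(dl)->tx_pending = 0;
}

static void dl_newstate(struct dl *dl, int st)
{
    dl_check(dl)->state = st;
}

/* hand the primitive to the SAP user; control leaves LAPD here */
static void send_dl_prim(struct dl *dl, enum prim p)
{
    dl_check(dl)->user_cb(dl, p);
}

/* SAP user that destroys the link as soon as it sees RELEASE */
static void user_destroys_on_release(struct dl *dl, enum prim p)
{
    if (p == PRIM_DL_REL)
        memset(dl, 0, sizeof(*dl));  /* magic := 0, link is gone */
}

/* pre-patch order: primitive first, then touch the link */
int release_buggy(struct dl *dl)
{
    send_dl_prim(dl, PRIM_DL_REL);
    dl_flush(dl);            /* use after teardown */
    dl_newstate(dl, 0);      /* use after teardown */
    return 0;
}

/* patched order: all bookkeeping first, primitive last, then return */
int release_fixed(struct dl *dl)
{
    dl_flush(dl);
    dl_newstate(dl, 0);
    send_dl_prim(dl, PRIM_DL_REL);
    return 0;                /* dl must not be used from here on */
}

/* run one variant on a fresh link; returns accesses after teardown */
int run_variant(int (*fn)(struct dl *))
{
    struct dl dl = { DL_MAGIC, 1, 3, user_destroys_on_release };
    g_use_after_teardown = 0;
    fn(&dl);
    return g_use_after_teardown;
}

int main(void)
{
    printf("buggy order: %d accesses after teardown\n", run_variant(release_buggy));
    printf("fixed order: %d accesses after teardown\n", run_variant(release_fixed));
    return 0;
}
```

<p>The buggy ordering registers two accesses after the user destroyed the link (the flush and the state change); the fixed ordering registers none. With a real heap-allocated link and a user that free()s it, the same two accesses are what AddressSanitizer reports as heap-use-after-free.</p>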

<div style="display:none"> Gerrit-Project: libosmocore </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I8ccca8d5e5d07b666557afe12ab8ac4910ddfb00 </div>
<div style="display:none"> Gerrit-Change-Number: 21831 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>