<p>daniel has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/libosmocore/+/22234">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">ns2: Add sanity checks<br><br>Prevent memory corruption or segfaults by asserting that NSE and bind<br>link layer match. A mismatch should never happen and might cause the<br>bind to access invalid memory when sending because nsvc->priv doesn't<br>match what it expects.<br><br>Change-Id: I7ca4cd1c5dac8b5e44ffc4825b9373b2d04911ab<br>Related: OS#4948<br>---<br>M src/gb/gprs_ns2.c<br>M src/gb/gprs_ns2_message.c<br>2 files changed, 15 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/34/22234/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/gb/gprs_ns2.c b/src/gb/gprs_ns2.c</span><br><span>index e43b636..3ca87a4 100644</span><br><span>--- a/src/gb/gprs_ns2.c</span><br><span>+++ b/src/gb/gprs_ns2.c</span><br><span>@@ -490,6 +490,9 @@</span><br><span> struct gprs_ns2_vc *ns2_vc_alloc(struct gprs_ns2_vc_bind *bind, struct gprs_ns2_nse *nse, bool initiater,</span><br><span>                           enum gprs_ns2_vc_mode vc_mode)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+  /* Sanity check */</span><br><span style="color: hsl(120, 100%, 40%);">+    OSMO_ASSERT(bind->ll == nse->ll);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>    struct gprs_ns2_vc *nsvc = talloc_zero(bind, struct gprs_ns2_vc);</span><br><span> </span><br><span>        if (!nsvc)</span><br><span>diff --git a/src/gb/gprs_ns2_message.c b/src/gb/gprs_ns2_message.c</span><br><span>index eb9a198..35d3ba7 100644</span><br><span>--- a/src/gb/gprs_ns2_message.c</span><br><span>+++ b/src/gb/gprs_ns2_message.c</span><br><span>@@ -187,6 +187,7 @@</span><br><span> /* transmit 
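Review bot: The added `OSMO_ASSERT(bind->ll == nse->ll);` at the top of ns2_vc_alloc() turns a link-layer mismatch into an abort of the whole process, although the function already has a failure path in the `if (!nsvc)` check just below, which callers presumably handle. If any caller can pair a bind and an NSE from configuration or from a peer-driven procedure (not visible in this hunk), one bad pairing takes down every NS-VC in the process instead of failing a single allocation. Consider rejecting the pair through the existing error path, e.g. `if (bind->ll != nse->ll) return NULL;` with a log line, and keep the assert only where a mismatch is provably a programming error. The comment `/* Sanity check */` would also help more if it named the invariant, e.g. `/* the bind's send path interprets nsvc->priv per link layer, so bind and NSE must agree */`. The check sits ahead of the `nsvc` declaration, and the function body continues outside the hunk.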
functions */</span><br><span> static int ns2_tx_simple(struct gprs_ns2_vc *nsvc, uint8_t pdu_type)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+    OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg = gprs_ns2_msgb_alloc();</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span> </span><br><span>@@ -210,6 +211,7 @@</span><br><span>  *  \returns 0 in case of success */</span><br><span> int ns2_tx_block(struct gprs_ns2_vc *nsvc, uint8_t cause)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+  OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg;</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span>     uint16_t nsvci = osmo_htons(nsvc->nsvci);</span><br><span>@@ -243,6 +245,7 @@</span><br><span>  *  \returns 0 in case of success */</span><br><span> int ns2_tx_block_ack(struct gprs_ns2_vc *nsvc)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+     OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg;</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span>     uint16_t nsvci = osmo_htons(nsvc->nsvci);</span><br><span>@@ -274,6 +277,7 @@</span><br><span>  *  \returns 0 in case of success */</span><br><span> int ns2_tx_reset(struct gprs_ns2_vc *nsvc, uint8_t cause)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+  OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg;</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span>     uint16_t nsvci = osmo_htons(nsvc->nsvci);</span><br><span>@@ -307,6 +311,7 @@</span><br><span>  *  \returns 0 in case of success */</span><br><span> int ns2_tx_reset_ack(struct gprs_ns2_vc *nsvc)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+     OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg;</span><br><span>    struct gprs_ns_hdr 
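Review bot: The check `OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);` is pasted as the first line of ns2_tx_simple() and again in the eleven other hunks of this file (ns2_tx_block, ns2_tx_block_ack, ns2_tx_reset, ns2_tx_reset_ack, ns2_tx_status, ns2_tx_sns_config_ack, ns2_tx_sns_size, ns2_tx_sns_size_ack, and the three functions at -407, -498 and -557 whose names start outside their hunks), each time without a comment and ahead of the local declarations. One commented helper would keep the invariant in a single place, for example `static inline void ns2_assert_ll(const struct gprs_ns2_vc *nsvc) { OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll); }` with `/* the bind's send path interprets nsvc->priv according to its link layer */` above it (the helper name is only a suggestion). Some of these functions are documented as returning a negative value on error, so it is worth deciding whether a mismatch on the transmit path should abort the whole process or fail the single send with a log line. The expression also dereferences nsvc->bind and nsvc->nse unconditionally; whether either can be NULL here cannot be told from the hunks, and all function bodies continue outside them.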
*nsh;</span><br><span>     uint16_t nsvci, nsei;</span><br><span>@@ -407,6 +412,7 @@</span><br><span>               uint16_t bvci, uint8_t sducontrol,</span><br><span>                   struct msgb *msg)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+   OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span> </span><br><span>         log_set_context(LOG_CTX_GB_NSE, nsvc->nse);</span><br><span>@@ -437,6 +443,7 @@</span><br><span> int ns2_tx_status(struct gprs_ns2_vc *nsvc, uint8_t cause,</span><br><span>                  uint16_t bvci, struct msgb *orig_msg)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+     OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg = gprs_ns2_msgb_alloc();</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span>     uint16_t nsvci = osmo_htons(nsvc->nsvci);</span><br><span>@@ -498,6 +505,7 @@</span><br><span>                   const struct gprs_ns_ie_ip6_elem *ip6_elems,</span><br><span>                         unsigned int num_ip6_elems)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+      OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg = gprs_ns2_msgb_alloc();</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span>     uint16_t nsei;</span><br><span>@@ -557,6 +565,7 @@</span><br><span>                            const struct gprs_ns_ie_ip6_elem *ip6_elems,</span><br><span>                         unsigned int num_ip6_elems)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+   OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg;</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span>     uint16_t nsei;</span><br><span>@@ -607,6 +616,7 @@</span><br><span>  *  \returns 0 on success; negative in case of error */</span><br><span> int ns2_tx_sns_config_ack(struct gprs_ns2_vc *nsvc, 
uint8_t *cause)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+   OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg;</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span>     uint16_t nsei;</span><br><span>@@ -652,6 +662,7 @@</span><br><span> int ns2_tx_sns_size(struct gprs_ns2_vc *nsvc, bool reset_flag, uint16_t max_nr_nsvc,</span><br><span>                          int ip4_ep_nr, int ip6_ep_nr)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+   OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg = gprs_ns2_msgb_alloc();</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span>     uint16_t nsei;</span><br><span>@@ -697,6 +708,7 @@</span><br><span>  *  \returns 0 on success; negative in case of error */</span><br><span> int ns2_tx_sns_size_ack(struct gprs_ns2_vc *nsvc, uint8_t *cause)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+     OSMO_ASSERT(nsvc->bind->ll == nsvc->nse->ll);</span><br><span>    struct msgb *msg = gprs_ns2_msgb_alloc();</span><br><span>    struct gprs_ns_hdr *nsh;</span><br><span>     uint16_t nsei;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/libosmocore/+/22234">change 22234</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/libosmocore/+/22234"/><meta itemprop="name" content="View Change"/></div></div>

<div style="display:none"> Gerrit-Project: libosmocore </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I7ca4cd1c5dac8b5e44ffc4825b9373b2d04911ab </div>
<div style="display:none"> Gerrit-Change-Number: 22234 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: daniel <dwillmann@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>