<p>pespin has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-ggsn/+/24642">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">ggsn: Fix heap-use-after-free during Recovery without associated PDP<br><br>Related: OS#4641<br>Change-Id: Ib4dca2e30e723a196084b0fa0040fbceca835359<br>---<br>M ggsn/sgsn.c<br>1 file changed, 10 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-ggsn refs/changes/42/24642/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/ggsn/sgsn.c b/ggsn/sgsn.c</span><br><span>index 8360439..15548ef 100644</span><br><span>--- a/ggsn/sgsn.c</span><br><span>+++ b/ggsn/sgsn.c</span><br><span>@@ -116,6 +116,7 @@</span><br><span> {</span><br><span>         unsigned int num = 0;</span><br><span>        char buf[INET_ADDRSTRLEN];</span><br><span style="color: hsl(120, 100%, 40%);">+    unsigned int count = llist_count(&sgsn->pdp_list);</span><br><span> </span><br><span>        inet_ntop(AF_INET, &sgsn->addr, buf, sizeof(buf));</span><br><span> </span><br><span>@@ -125,10 +126,17 @@</span><br><span>                        continue;</span><br><span>            ggsn_close_one_pdp(pdp->lib);</span><br><span>             num++;</span><br><span style="color: hsl(120, 100%, 40%);">+                if (num == count) {</span><br><span style="color: hsl(120, 100%, 40%);">+                   /* Note: if except is NULL, all pdp contexts are freed and sgsn</span><br><span style="color: hsl(120, 100%, 40%);">+                        * is most probably already freed at this point.</span><br><span style="color: hsl(120, 100%, 40%);">+                       * As a result, last access to sgsn->pdp_list before exiting</span><br><span style="color: hsl(120, 100%, 40%);">+                        * loop would access already freed memory. 
Avoid it by exiting</span><br><span style="color: hsl(120, 100%, 40%);">+                         * the loop without the last check, and make sure sgsn is not</span><br><span style="color: hsl(120, 100%, 40%);">+                  * accessed after this loop. */</span><br><span style="color: hsl(120, 100%, 40%);">+                        break;</span><br><span style="color: hsl(120, 100%, 40%);">+               }</span><br><span>    }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-   /* Note: if except is NULL, all pdp contexts are freed and sgsn is</span><br><span style="color: hsl(0, 100%, 40%);">-         already freed at this point */</span><br><span>    LOGP(DGGSN, LOGL_INFO, "SGSN(%s) Dropped %u PDP contexts\n", buf, num);</span><br><span> </span><br><span>        return num;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-ggsn/+/24642">change 24642</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-ggsn/+/24642"/><meta itemprop="name" content="View Change"/></div></div>
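<p>Review bot: in the first hunk, the value of <code>count</code> from <code>llist_count(&amp;sgsn-&gt;pdp_list)</code> is a snapshot taken before any context is closed and is never refreshed, so the early exit added later is only correct if every <code>ggsn_close_one_pdp()</code> call removes exactly one entry from that list and nothing else modifies it during the loop. That invariant is not stated anywhere; a one-line comment at the declaration (for example <code>/* snapshot: each close below removes exactly one entry */</code>) would make the coupling between the two hunks visible to the next reader. Note also that <code>count</code> includes the <code>except</code> entry when one is given.</p>
<p>Review bot: in the second hunk, because the excepted context is skipped via <code>continue</code> before <code>num++</code>, <code>num</code> can never reach <code>count</code> when <code>except</code> is non-NULL, so the new <code>break</code> only fires on the all-contexts path, which is exactly the case where <code>sgsn</code> may have been freed; that is correct, but the comment should say so, since on a first read the condition looks like it could trigger on the partial path too. If a close ever failed to unlink its entry, <code>num</code> would fall short of <code>count</code>, the break would be skipped, and the loop would again read the freed list head, so the fix trades a known use-after-free for a dependency on that invariant. The remaining body (<code>LOGP(..., buf, num)</code> and <code>return num</code>) honours the "sgsn not accessed after this loop" requirement, but the function gives callers no signal that <code>sgsn</code> may be invalid on return when <code>except</code> is NULL; consider documenting that in the function's doc comment.</p>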

<div style="display:none"> Gerrit-Project: osmo-ggsn </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Ib4dca2e30e723a196084b0fa0040fbceca835359 </div>
<div style="display:none"> Gerrit-Change-Number: 24642 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>