<p>lynxis lazus has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/libosmocore/+/25143">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">gprs_ns2: add recursive anchor to protect against double free<br><br>When free'ing a NSE/NSVC/BIND ensure there can't be a double<br>free by using a free anchor in the struct.<br><br>Change-Id: If9823aadaa936e136aa43e88cee925ddd5974841<br>---<br>M src/gb/gprs_ns2.c<br>M src/gb/gprs_ns2_internal.h<br>2 files changed, 20 insertions(+), 5 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/43/25143/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/gb/gprs_ns2.c b/src/gb/gprs_ns2.c</span><br><span>index fb2965a..45cdfcc 100644</span><br><span>--- a/src/gb/gprs_ns2.c</span><br><span>+++ b/src/gb/gprs_ns2.c</span><br><span>@@ -639,9 +639,9 @@</span><br><span>  *  \param[in] nsvc NS-VC to destroy */</span><br><span> void gprs_ns2_free_nsvc(struct gprs_ns2_vc *nsvc)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-  if (!nsvc)</span><br><span style="color: hsl(120, 100%, 40%);">+    if (!nsvc || nsvc->freed)</span><br><span>                 return;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(120, 100%, 40%);">+       nsvc->freed = true;</span><br><span>       ns2_prim_status_ind(nsvc->nse, nsvc, 0, GPRS_NS2_AFF_CAUSE_VC_FAILURE);</span><br><span> </span><br><span>       llist_del(&nsvc->list);</span><br><span>@@ -671,7 +671,7 @@</span><br><span> {</span><br><span>    struct gprs_ns2_vc *nsvc, *tmp;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-     if (!nse)</span><br><span style="color: hsl(120, 100%, 40%);">+     if (!nse || nse->freed)</span><br><span>           return;</span><br><span> </span><br><span>  
llist_for_each_entry_safe(nsvc, tmp, &nse->nsvc, list) {</span><br><span>@@ -889,9 +889,11 @@</span><br><span>  *  \param[in] nse NS Entity to destroy */</span><br><span> void gprs_ns2_free_nse(struct gprs_ns2_nse *nse)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-   if (!nse)</span><br><span style="color: hsl(120, 100%, 40%);">+     struct gprs_ns2_vc *nsvc, *nsvc2;</span><br><span style="color: hsl(120, 100%, 40%);">+     if (!nse || nse->freed)</span><br><span>           return;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+   nse->freed = true;</span><br><span>        nse->alive = false;</span><br><span>       if (nse->bss_sns_fi) {</span><br><span>            osmo_fsm_inst_term(nse->bss_sns_fi, OSMO_FSM_TERM_REQUEST, NULL);</span><br><span>@@ -901,6 +903,9 @@</span><br><span>   gprs_ns2_free_nsvcs(nse);</span><br><span>    ns2_prim_status_ind(nse, NULL, 0, GPRS_NS2_AFF_CAUSE_FAILURE);</span><br><span>       rate_ctr_group_free(nse->ctrg);</span><br><span style="color: hsl(120, 100%, 40%);">+    llist_for_each_entry_safe(nsvc, nsvc2, &nse->nsvc, list) {</span><br><span style="color: hsl(120, 100%, 40%);">+             gprs_ns2_free_nsvc(nsvc);</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span> </span><br><span>        llist_del(&nse->list);</span><br><span>        talloc_free(nse);</span><br><span>@@ -1466,9 +1471,10 @@</span><br><span> {</span><br><span>      struct gprs_ns2_vc *nsvc, *tmp;</span><br><span>      struct gprs_ns2_nse *nse;</span><br><span style="color: hsl(0, 100%, 40%);">-       if (!bind)</span><br><span style="color: hsl(120, 100%, 40%);">+    if (!bind || bind->freed)</span><br><span>                 return;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+   bind->freed = true;</span><br><span>       llist_for_each_entry_safe(nsvc, tmp, &bind->nsvc, blist) {</span><br><span>            gprs_ns2_free_nsvc(nsvc);</span><br><span>    
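Review bot: The `nse->freed` early return added in the hunk at -671 (presumably `gprs_ns2_free_nsvcs()`; its signature is outside the hunk) turns the existing `gprs_ns2_free_nsvcs(nse);` call in `gprs_ns2_free_nse()` into a no-op, because the hunk at -889 sets `nse->freed = true` before that call is reached. The hunk at -901 compensates with a second `llist_for_each_entry_safe` loop, but places it after `ns2_prim_status_ind(nse, NULL, 0, GPRS_NS2_AFF_CAUSE_FAILURE)` and `rate_ctr_group_free(nse->ctrg)`. Each NS-VC is therefore torn down after the NSE failure indication has gone out and after the NSE counter group is released, while `gprs_ns2_free_nsvc()` still calls `ns2_prim_status_ind(nsvc->nse, nsvc, ...)`; whether that path reads `nse->ctrg` is not visible here and should be confirmed. I would drop the dead call and put the loop in its place, `llist_for_each_entry_safe(nsvc, nsvc2, &nse->nsvc, list) gprs_ns2_free_nsvc(nsvc);`, so the previous teardown order is preserved.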
}</span><br><span>diff --git a/src/gb/gprs_ns2_internal.h b/src/gb/gprs_ns2_internal.h</span><br><span>index db01c2e..95efbae 100644</span><br><span>--- a/src/gb/gprs_ns2_internal.h</span><br><span>+++ b/src/gb/gprs_ns2_internal.h</span><br><span>@@ -215,6 +215,9 @@</span><br><span> </span><br><span>     /*! NSE-wide statistics */</span><br><span>   struct rate_ctr_group *ctrg;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+        /*! recursive anchor */</span><br><span style="color: hsl(120, 100%, 40%);">+       bool freed;</span><br><span> };</span><br><span> </span><br><span> /*! Structure representing a single NS-VC */</span><br><span>@@ -259,6 +262,9 @@</span><br><span>  enum gprs_ns2_vc_mode mode;</span><br><span> </span><br><span>      struct osmo_fsm_inst *fi;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   /*! recursive anchor */</span><br><span style="color: hsl(120, 100%, 40%);">+       bool freed;</span><br><span> };</span><br><span> </span><br><span> /*! Structure repesenting a bind instance. E.g. IPv4 listen port. */</span><br><span>@@ -303,6 +309,9 @@</span><br><span>  uint8_t sns_data_weight;</span><br><span> </span><br><span>         struct osmo_stat_item_group *statg;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! recursive anchor */</span><br><span style="color: hsl(120, 100%, 40%);">+       bool freed;</span><br><span> };</span><br><span> </span><br><span> struct gprs_ns2_vc_driver {</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/libosmocore/+/25143">change 25143</a>. 
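Review bot: The `/*! recursive anchor */` comment on the three new `bool freed;` fields does not say what the flag guarantees, and "protect against double free" in the commit message overstates it. The flag lives inside the object and `gprs_ns2_free_nse()` still ends in `talloc_free(nse)`, so a second call made after teardown has completed reads `nse->freed` from released memory. It only stops re-entrant calls that arrive while the first free is still running. I would say so on each field, e.g. `/*! set when teardown starts; stops re-entrant free calls only, the pointer must not be used once free has returned */`. The struct definitions begin outside these hunks.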

<div style="display:none"> Gerrit-Project: libosmocore </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: If9823aadaa936e136aa43e88cee925ddd5974841 </div>
<div style="display:none"> Gerrit-Change-Number: 25143 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: lynxis lazus <lynxis@fe80.eu> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>