<p>daniel has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/libosmocore/+/26199">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">ns2: Avoid use-after-free when SGSN-side non-persistent SNS-NSE fails<br><br>alive_timeout_handler() changes the state to RECOVERING which calls<br>ns2_st_alive_onenter()->ns2_nse_notify_unblocked(unblocked=false)-><br>ns2_sns_notify_alive(unblocked=false)<br><br>When all (signalling) NSVCs have failed and gss->role is SGSN and not<br>persistent sns_failed() calls gprs_ns2_free_nse() which talloc_free()s<br>the nse before returning.<br><br>The next line in ns2_nse_notify_unblocked() tries to read nse->alive which then causes the<br>use-after-free.<br><br>Change-Id: I0486a77fd3e21fd3904bd19e4e0225ffbf654935<br>Related: OS#5302<br>---<br>M src/gb/gprs_ns2.c<br>M src/gb/gprs_ns2_internal.h<br>M src/gb/gprs_ns2_sns.c<br>3 files changed, 14 insertions(+), 11 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/99/26199/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/gb/gprs_ns2.c b/src/gb/gprs_ns2.c</span><br><span>index 3bb04ae..c422cda 100644</span><br><span>--- a/src/gb/gprs_ns2.c</span><br><span>+++ b/src/gb/gprs_ns2.c</span><br><span>@@ -1391,12 +1391,13 @@</span><br><span>  *  \param[in] unblocked whether the NSE should be marked as unblocked (true) or blocked (false) */</span><br><span> void ns2_nse_notify_unblocked(struct gprs_ns2_vc *nsvc, bool unblocked)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+      int rc;</span><br><span>      struct gprs_ns2_nse *nse = nsvc->nse;</span><br><span> </span><br><span>         ns2_nse_data_sum(nse);</span><br><span style="color: hsl(0, 100%, 40%);">-  ns2_sns_notify_alive(nse, nsvc, unblocked);</span><br><span style="color: 
hsl(120, 100%, 40%);">+   rc = ns2_sns_notify_alive(nse, nsvc, unblocked);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-    if (unblocked == nse->alive)</span><br><span style="color: hsl(120, 100%, 40%);">+       if (rc == -ENOENT || unblocked == nse->alive)</span><br><span>             return;</span><br><span> </span><br><span>  /* wait until both data_weight and sig_weight are != 0 before declaring NSE as alive */</span><br><span>diff --git a/src/gb/gprs_ns2_internal.h b/src/gb/gprs_ns2_internal.h</span><br><span>index 0959d2b..aaf0897 100644</span><br><span>--- a/src/gb/gprs_ns2_internal.h</span><br><span>+++ b/src/gb/gprs_ns2_internal.h</span><br><span>@@ -456,7 +456,7 @@</span><br><span>                                        const char *id);</span><br><span> struct osmo_fsm_inst *ns2_sns_sgsn_fsm_alloc(struct gprs_ns2_nse *nse, const char *id);</span><br><span> void ns2_sns_replace_nsvc(struct gprs_ns2_vc *nsvc);</span><br><span style="color: hsl(0, 100%, 40%);">-void ns2_sns_notify_alive(struct gprs_ns2_nse *nse, struct gprs_ns2_vc *nsvc, bool alive);</span><br><span style="color: hsl(120, 100%, 40%);">+int ns2_sns_notify_alive(struct gprs_ns2_nse *nse, struct gprs_ns2_vc *nsvc, bool alive);</span><br><span> void ns2_sns_update_weights(struct gprs_ns2_vc_bind *bind);</span><br><span> </span><br><span> /* vc */</span><br><span>diff --git a/src/gb/gprs_ns2_sns.c b/src/gb/gprs_ns2_sns.c</span><br><span>index 0afc06e..7984417 100644</span><br><span>--- a/src/gb/gprs_ns2_sns.c</span><br><span>+++ b/src/gb/gprs_ns2_sns.c</span><br><span>@@ -2584,24 +2584,24 @@</span><br><span>      return count;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-void ns2_sns_notify_alive(struct gprs_ns2_nse *nse, struct gprs_ns2_vc *nsvc, bool alive)</span><br><span style="color: hsl(120, 100%, 40%);">+int ns2_sns_notify_alive(struct gprs_ns2_nse *nse, struct gprs_ns2_vc *nsvc, bool alive)</span><br><span> 
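+">
Review bot: The `rc == -ENOENT` early return in ns2_nse_notify_unblocked() keeps this function from touching the freed NSE, but `nsvc` and its FSM instance are presumably talloc children of the NSE and are gone too, so the callers named in the description (ns2_st_alive_onenter() running inside osmo_fsm_inst_state_chg() from alive_timeout_handler()) still resume on freed memory after this function returns; unless the free is deferred somewhere not visible here, the use-after-free is only moved one frame up, which is worth confirming with ASan on the OS#5302 reproducer. The reason for the early return is not stated in the code, so a reader will later "simplify" it; I would annotate the check: `/* -ENOENT: sns_failed() may have talloc_free()d nse (SGSN role, non-persistent) - do not dereference it */`. `-ENOENT` needs `<errno.h>`, which gprs_ns2.c presumably already includes. The rest of the function, including the alive/unblocked bookkeeping this return now skips, is outside the hunk.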
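+">
Review bot: The new `int` return of ns2_sns_notify_alive() in gprs_ns2_internal.h carries a lifetime contract (a negative value means the NSE may no longer exist) but the prototype says nothing about it, so any future caller that ignores the return value silently reintroduces the use-after-free. I would document it on the declaration: `/*! \returns 0, or -ENOENT if SNS failure handling may have freed the NSE (and its NS-VCs); the caller must not touch nse or nsvc after a negative return */`. Since ignoring this return is a memory-safety bug rather than a mere oversight, marking the prototype `__attribute__((warn_unused_result))` would make the compiler enforce it, if the project's style allows attributes in internal headers.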
{</span><br><span>       struct ns2_sns_state *gss;</span><br><span>   struct gprs_ns2_vc *tmp;</span><br><span> </span><br><span>         if (!nse->bss_sns_fi)</span><br><span style="color: hsl(0, 100%, 40%);">-                return;</span><br><span style="color: hsl(120, 100%, 40%);">+               return 0;</span><br><span> </span><br><span>        gss = nse->bss_sns_fi->priv;</span><br><span>   if (nse->bss_sns_fi->state != GPRS_SNS_ST_CONFIGURED && nse->bss_sns_fi->state != GPRS_SNS_ST_LOCAL_PROCEDURE)</span><br><span style="color: hsl(0, 100%, 40%);">-              return;</span><br><span style="color: hsl(120, 100%, 40%);">+               return 0;</span><br><span> </span><br><span>        if (gss->block_no_nsvc_events)</span><br><span style="color: hsl(0, 100%, 40%);">-               return;</span><br><span style="color: hsl(120, 100%, 40%);">+               return 0;</span><br><span> </span><br><span>        if (gss->alive && nse->sum_sig_weight == 0) {</span><br><span>          sns_failed(nse->bss_sns_fi, "No signalling NSVC available");</span><br><span style="color: hsl(0, 100%, 40%);">-               return;</span><br><span style="color: hsl(120, 100%, 40%);">+               return -ENOENT;</span><br><span>      }</span><br><span> </span><br><span>        /* check if this is the current SNS NS-VC */</span><br><span>@@ -2620,25 +2620,27 @@</span><br><span>       }</span><br><span> </span><br><span>        if (alive == gss->alive)</span><br><span style="color: hsl(0, 100%, 40%);">-             return;</span><br><span style="color: hsl(120, 100%, 40%);">+               return 0;</span><br><span> </span><br><span>        if (alive) {</span><br><span>                 /* we need at least a signalling NSVC before become alive */</span><br><span>                 if (nse->sum_sig_weight == 0)</span><br><span style="color: hsl(0, 100%, 40%);">-                        return;</span><br><span style="color: hsl(120, 100%, 40%);">+                       return 
0;</span><br><span>            gss->alive = true;</span><br><span>                osmo_fsm_inst_dispatch(nse->bss_sns_fi, NS2_SNS_EV_REQ_NSVC_ALIVE, NULL);</span><br><span>         } else {</span><br><span>             /* is there at least another alive nsvc? */</span><br><span>          llist_for_each_entry(tmp, &nse->nsvc, list) {</span><br><span>                         if (ns2_vc_is_unblocked(tmp))</span><br><span style="color: hsl(0, 100%, 40%);">-                           return;</span><br><span style="color: hsl(120, 100%, 40%);">+                               return 0;</span><br><span>            }</span><br><span> </span><br><span>                /* all NS-VC have failed */</span><br><span>          gss->alive = false;</span><br><span>               osmo_fsm_inst_dispatch(nse->bss_sns_fi, NS2_SNS_EV_REQ_NO_NSVC, NULL);</span><br><span>    }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   return 0;</span><br><span> }</span><br><span> </span><br><span> int gprs_ns2_sns_add_bind(struct gprs_ns2_nse *nse,</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/libosmocore/+/26199">change 26199</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/libosmocore/+/26199"/><meta itemprop="name" content="View Change"/></div></div>
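Review bot: In ns2_sns_notify_alive() the `return -ENOENT` after `sns_failed(nse->bss_sns_fi, "No signalling NSVC available")` is issued unconditionally, yet per the description sns_failed() only frees the NSE when the role is SGSN and the NSE is not persistent; for BSS-role or persistent NSEs the NSE is still valid, but the caller now aborts ns2_nse_notify_unblocked() early and skips the alive/blocked bookkeeping that previously ran in that case, which looks like an unintended behaviour change. I would have sns_failed() report whether it freed the NSE (e.g. return `bool`) and only propagate the sentinel then: `if (sns_failed(nse->bss_sns_fi, "No signalling NSVC available")) return -ENOENT; return 0;`, or check the same role/persistence condition here if sns_failed() cannot change. Either way the reason deserves a comment at the return site, as `-ENOENT` alone does not convey "object may have been freed". sns_failed() itself is outside the hunk, so this is based on the description.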
