<p>laforge <strong>submitted</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/libosmocore/+/26199">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Jenkins Builder: Verified
pespin: Looks good to me, but someone else must approve
osmith: Looks good to me, but someone else must approve
laforge: Looks good to me, approved
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">ns2: Avoid use-after-free when SGSN-side non-persistent SNS-NSE fails<br><br>alive_timeout_handler() changes the state to RECOVERING which calls<br>ns2_st_alive_onenter()->ns2_nse_notify_unblocked(unblocked=false)-><br>ns2_sns_notify_alive(unblocked=false)<br><br>When all (signalling) NSVCs have failed and gss->role is SGSN and not<br>persistent sns_failed() calls gprs_ns2_free_nse() which talloc_free()s<br>the nse before returning.<br><br>The next line in ns2_nse_notify_unblocked() tries to read nse->alive which then causes the<br>use-after-free.<br><br>Change-Id: I0486a77fd3e21fd3904bd19e4e0225ffbf654935<br>Related: OS#5302<br>---<br>M src/gb/gprs_ns2.c<br>1 file changed, 6 insertions(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/gb/gprs_ns2.c b/src/gb/gprs_ns2.c</span><br><span>index 3bb04ae..02d2266 100644</span><br><span>--- a/src/gb/gprs_ns2.c</span><br><span>+++ b/src/gb/gprs_ns2.c</span><br><span>@@ -1392,11 +1392,16 @@</span><br><span> void ns2_nse_notify_unblocked(struct gprs_ns2_vc *nsvc, bool unblocked)</span><br><span> {</span><br><span> struct gprs_ns2_nse *nse = nsvc->nse;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct gprs_ns2_inst *nsi = nse->nsi;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint16_t nsei = nse->nsei;</span><br><span> </span><br><span> ns2_nse_data_sum(nse);</span><br><span> ns2_sns_notify_alive(nse, nsvc, unblocked);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (unblocked == nse->alive)</span><br><span style="color: hsl(120, 100%, 40%);">+ /* NSE could have been freed, try to get it again */</span><br><span style="color: hsl(120, 100%, 40%);">+ nse = gprs_ns2_nse_by_nsei(nsi, nsei);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!nse || unblocked == nse->alive)</span><br><span> return;</span><br><span> </span><br><span> /* wait until both data_weight and sig_weight are != 0 before declaring NSE as alive */</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/libosmocore/+/26199">change 26199</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/libosmocore/+/26199"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: libosmocore </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I0486a77fd3e21fd3904bd19e4e0225ffbf654935 </div>
<div style="display:none"> Gerrit-Change-Number: 26199 </div>
<div style="display:none"> Gerrit-PatchSet: 3 </div>
<div style="display:none"> Gerrit-Owner: daniel <dwillmann@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-Reviewer: lynxis lazus <lynxis@fe80.eu> </div>
<div style="display:none"> Gerrit-Reviewer: osmith <osmith@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>