pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-mgw/+/40151?usp=email )
Change subject: mgw: osmux: Fix heap-use-after-free ......................................................................
mgw: osmux: Fix heap-use-after-free
As found by ASan on an osmo-mgw running in production: """ ==2238035==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100043bdca at pc 0x7f9bcebaa070 bp 0x7ffcb08f2150 sp 0x7ffcb08f2148 READ of size 2 at 0x62100043bdca thread T0 #0 0x7f9bcebaa06f in msgb_length src/core/msgb.c:287 #1 0x55869457a8ff in conn_osmux_send_rtp src/libosmo-mgcp/mgcp_osmux.c:245 #2 0x558694563a86 in mgcp_dispatch_rtp_bridge_cb src/libosmo-mgcp/mgcp_network.c:1347 #3 0x5586945570a9 in rx_rtp src/libosmo-mgcp/mgcp_network.c:1550 #4 0x5586945570a9 in rtp_recvfrom_cb src/libosmo-mgcp/mgcp_network.c:1505 #5 0x7f9bcebc96cc in iofd_poll_ofd_cb_recvmsg_sendmsg src/core/osmo_io_poll.c:84 #6 0x7f9bcebcb699 in iofd_poll_ofd_cb_dispatch src/core/osmo_io_poll.c:136 #7 0x7f9bcebd7df5 in poll_disp_fds src/core/select.c:419 #8 0x7f9bcebd7df5 in _osmo_select_main src/core/select.c:457 #9 0x7f9bcebd8298 in osmo_select_main src/core/select.c:496 #10 0x558694534f2e in main src/osmo-mgw/mgw_main.c:428 """
Related: SYS#7450 Change-Id: Id90c77aaf44422c3ed70ffb06560537e920a468c --- M src/libosmo-mgcp/mgcp_osmux.c 1 file changed, 4 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-mgw refs/changes/51/40151/1
diff --git a/src/libosmo-mgcp/mgcp_osmux.c b/src/libosmo-mgcp/mgcp_osmux.c
index 620220f..711c6c6 100644
--- a/src/libosmo-mgcp/mgcp_osmux.c
+++ b/src/libosmo-mgcp/mgcp_osmux.c
@@ -211,6 +211,7 @@
 int conn_osmux_send_rtp(struct mgcp_conn_rtp *conn, struct msgb *msg)
 {
 	int ret;
+	size_t msg_len;
 
 	if (!conn->end.output_enabled) {
 		rtpconn_osmux_rate_ctr_inc(conn, OSMUX_RTP_PACKETS_TX_DROPPED_CTR);
@@ -234,15 +235,17 @@
 		return -1;
 	}
 
+	msg_len = msgb_length(msg);
 	while ((ret = osmux_xfrm_input(conn->osmux.in, msg, conn->osmux.remote_cid)) > 0) {
 		/* batch full, build and deliver it */
 		osmux_xfrm_input_deliver(conn->osmux.in);
 	}
+	/* NOTE: At this point msg is now owned by osmux subsystem and may have been potentially freed. */
 	if (ret < 0) {
 		rtpconn_osmux_rate_ctr_inc(conn, OSMUX_RTP_PACKETS_TX_DROPPED_CTR);
 	} else {
 		rtpconn_osmux_rate_ctr_inc(conn, OSMUX_RTP_PACKETS_TX_CTR);
-		rtpconn_osmux_rate_ctr_add(conn, OSMUX_AMR_OCTETS_TX_CTR, msgb_length(msg) - sizeof(struct rtp_hdr));
+		rtpconn_osmux_rate_ctr_add(conn, OSMUX_AMR_OCTETS_TX_CTR, msg_len - sizeof(struct rtp_hdr));
 	}
 	return 0;
 }
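Review bot: The counter update still evaluates `msg_len - sizeof(struct rtp_hdr)` unchecked, so a msgb shorter than an RTP header would wrap the size_t before it is passed to rtpconn_osmux_rate_ctr_add and corrupt OSMUX_AMR_OCTETS_TX_CTR; unless the part of conn_osmux_send_rtp between the two hunks already rejects such packets, guard it with `if (msg_len >= sizeof(struct rtp_hdr)) rtpconn_osmux_rate_ctr_add(conn, OSMUX_AMR_OCTETS_TX_CTR, msg_len - sizeof(struct rtp_hdr));`. The same underflow existed with the old msgb_length(msg) call, so it is not introduced here, but caching the length is the natural place to close it. The added NOTE would read better as a rule than a possibility, e.g. `/* NOTE: msg is now owned by the osmux subsystem and may already be freed: do not dereference it below this point. */`, which also tells a future maintainer why msg_len is captured above the loop. The body of conn_osmux_send_rtp between the two hunks is outside this view, so whether msg is also consumed on the ret < 0 path cannot be confirmed here.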