pespin submitted this change.


Approvals: Jenkins Builder: Verified; pespin: Looks good to me, approved
asp: Avoid double-free of received msg if conn is torn down

"""
20250516192255921 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){WAIT_ID_RESP}: Received Event IPA_CCM_ID_RESP (ipa.c:120)
20250516192255921 DLMI DEBUG Rx IPA CCM ID_RESP: Unit_ID='0/1/2' MAC_Address='' Location_1='' Location_2='' Equipment_Version='' Software_Version='' Unit_Name='mahlzeit' Serial_Number='' (ipa.c:233)
20250516192255921 DLSS7 NOTICE IPA_ASP(ipa-asp-loadshare-sender0){WAIT_ID_RESP}: Cannot find any definition for IPA Unit Name 'mahlzeit' (xua_asp_fsm.c:968)
20250516192255921 DLSS7 INFO ipa-asp-loadshare-sender0: connection closed (ss7_asp.c:1159)
20250516192255921 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){WAIT_ID_RESP}: Received Event SCTP-COMM_DOWN.ind (ss7_asp.c:1165)
20250516192255922 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){WAIT_ID_RESP}: state_chg to ASP_DOWN (xua_asp_fsm.c:1154)
20250516192255922 DLSS7 DEBUG XUA_AS(ipa-as-loadshare-sender){AS_DOWN}: Received Event ASPAS-ASP_DOWN.ind (xua_asp_fsm.c:370)
20250516192255922 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){ASP_DOWN}: No Layer Manager, dropping M-ASP_DOWN.indication (xua_asp_fsm.c:119)
20250516192255922 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){ASP_DOWN}: No Layer Manager, dropping M-SCTP_RELEASE.indication (xua_asp_fsm.c:119)

Program terminated with signal SIGABRT, Aborted.
#0 0x000076bb9898ceec in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#0 0x000076bb9898ceec in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x000076bb9893dfb2 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x000076bb98928472 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x000076bb98ae6496 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
#4 0x000076bb98b1b869 in msgb_free (m=0x5f957de3e750) at ../../../src_copy/libosmocore/src/core/msgb.c:119
#5 0x000076bb98bab8c8 in ipa_rx_msg_ccm (asp=0x5f957de3da50, msg=0x5f957de3e750) at ../../src_copy/libosmo-sigtran/src/ipa.c:137
#6 0x000076bb98bac135 in ipa_rx_msg (asp=0x5f957de3da50, msg=0x5f957de3e750, sls=0 '\000') at ../../src_copy/libosmo-sigtran/src/ipa.c:321
#7 0x000076bb98bca44f in ss7_asp_ipa_srv_conn_rx_cb (conn=0x5f957ddba4a0, res=49, msg=0x5f957de3e750) at ../../src_copy/libosmo-sigtran/src/ss7_asp.c:895
#8 0x000076bb988efcb1 in stream_srv_iofd_read_cb (iofd=0x5f957ddd8e40, res=49, msg=0x5f957de3e750) at ../../src_copy/libosmo-netif/src/stream_srv.c:732
#9 0x000076bb98b23c3c in iofd_handle_segmented_read (iofd=0x5f957ddd8e40, msg=0x5f957de3e750, rc=49) at ../../../src_copy/libosmocore/src/core/osmo_io.c:357
#10 0x000076bb98b23d2b in iofd_handle_recv (iofd=0x5f957ddd8e40, msg=0x5f957de3e750, rc=49, hdr=0x0) at ../../../src_copy/libosmocore/src/core/osmo_io.c:384
#11 0x000076bb98b257b7 in iofd_poll_ofd_cb_recvmsg_sendmsg (ofd=0x5f957ddd8ef0, what=1) at ../../../src_copy/libosmocore/src/core/osmo_io_poll.c:64
#12 0x000076bb98b25b32 in iofd_poll_ofd_cb_dispatch (ofd=0x5f957ddd8ef0, what=1) at ../../../src_copy/libosmocore/src/core/osmo_io_poll.c:136
#13 0x000076bb98b2907b in poll_disp_fds (n_fd=6) at ../../../src_copy/libosmocore/src/core/select.c:419
#14 0x000076bb98b29191 in _osmo_select_main (polling=0) at ../../../src_copy/libosmocore/src/core/select.c:457
#15 0x000076bb98b291ac in osmo_select_main (polling=0) at ../../../src_copy/libosmocore/src/core/select.c:496
#16 0x00005f9553dd9a21 in main (argc=3, argv=0x7ffe754fac38) at ../../src_copy/libosmo-sigtran/stp/stp_main.c:270
"""

Related: OS#6728
(cherry picked from commit dfccd989dbffe418d9ab7b4d3087345636da762d)
Change-Id: I4b893078212444c967164a64219c67f6c6a74c37
---
M src/osmo_ss7_asp.c
1 file changed, 24 insertions(+), 0 deletions(-)

diff --git a/src/osmo_ss7_asp.c b/src/osmo_ss7_asp.c
index 57ebc82..dc60f67 100644
--- a/src/osmo_ss7_asp.c
+++ b/src/osmo_ss7_asp.c
@@ -802,6 +802,14 @@
int ss7_asp_ipa_srv_conn_rx_cb(struct osmo_stream_srv *conn, int res, struct msgb *msg)
{
struct osmo_ss7_asp *asp = osmo_stream_srv_get_data(conn);
+ struct osmo_stream_srv_link *link = osmo_stream_srv_get_master(conn);
+
+ /* Reparent msg to srv_link, to avoid "msg" being automatically freed if
+ * "conn" is teared down during msg handling (or if its associated
+ * dynamic ASP becomes unused), which would then result in a double-free
+ * if same code path then explicitly frees the msgb through msgb_free().
+ */
+ talloc_steal(link, msg);

if (res <= 0) {
if (res == -EAGAIN) {
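Review bot: the return value of `osmo_stream_srv_get_master(conn)` is used as the new talloc parent without a NULL check; `talloc_steal(NULL, msg)` does not fail, it silently detaches `msg` into a top-level context, which still avoids the double-free but leaves nothing owning the buffer if a later path does not free it. Suggest asserting the link is present before the steal (e.g. `OSMO_ASSERT(link);`) or skipping the reparent when it is NULL. Minor wording in the added comment: "teared down" should read "torn down".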
@@ -824,10 +832,18 @@
int ss7_asp_xua_srv_conn_rx_cb(struct osmo_stream_srv *conn, int res, struct msgb *msg)
{
struct osmo_ss7_asp *asp = osmo_stream_srv_get_data(conn);
+ struct osmo_stream_srv_link *link = osmo_stream_srv_get_master(conn);
unsigned int ppid;
int flags;
int rc = 0;

+ /* Reparent msg to srv_link, to avoid "msg" being automatically freed if
+ * "conn" is teared down during msg handling (or if its associated
+ * dynamic ASP becomes unused), which would then result in a double-free
+ * if same code path then explicitly frees the msgb through msgb_free().
+ */
+ talloc_steal(link, msg);
+
/* process the received xUA message */
flags = msgb_sctp_msg_flags(msg);

@@ -889,9 +905,17 @@
int ss7_asp_m3ua_tcp_srv_conn_rx_cb(struct osmo_stream_srv *conn, int res, struct msgb *msg)
{
struct osmo_ss7_asp *asp = osmo_stream_srv_get_data(conn);
+ struct osmo_stream_srv_link *link = osmo_stream_srv_get_master(conn);
const struct xua_common_hdr *hdr;
int rc;

+ /* Reparent msg to srv_link, to avoid "msg" being automatically freed if
+ * "conn" is teared down during msg handling (or if its associated
+ * dynamic ASP becomes unused), which would then result in a double-free
+ * if same code path then explicitly frees the msgb through msgb_free().
+ */
+ talloc_steal(link, msg);
+
if (res <= 0) {
if (res == -EAGAIN) {
msgb_free(msg);
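Review bot: reparenting `msg` to the server link changes the lifetime contract for every return path in this callback, not only the teardown case the comment describes. Before this change a path that returned without freeing could rely on the `conn` teardown releasing the buffer; after it, any such path leaks `msg` under the much longer-lived link. The visible `res == -EAGAIN` branch frees explicitly, which is correct, but the remaining exits of this function (and of the IPA and xUA callbacks above) should be audited to confirm each one either calls `msgb_free()` or hands the message to a consumer that takes ownership.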


Gerrit-MessageType: merged
Gerrit-Project: libosmo-sigtran
Gerrit-Branch: pespin/rel-2.1.0
Gerrit-Change-Id: I4b893078212444c967164a64219c67f6c6a74c37
Gerrit-Change-Number: 40403
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: pespin <pespin@sysmocom.de>