Hello Jenkins Builder,
I'd like you to reexamine a change. Please visit
https://gerrit.osmocom.org/c/libosmo-abis/+/32664
to look at the new patch set (#2).
Change subject: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()
......................................................................
fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()
In ipaccess_bts_keepalive_fsm_alloc() we allocate a keepalive FSM instance as a child of the respective struct ipa_client_conn, and store the pointer to the respective struct e1inp_ts.
  + struct e1inp_line
  |
  ---+ struct ipaccess_line (void *driver_data)
  |  |
  |  ---+ struct ipa_client_conn *ipa_cli[NUM_E1_TS]  // <-- parent
  |
  ---+ struct e1inp_ts ts[NUM_E1_TS]
     |
     ---+ .driver.ipaccess.ka_fsm  // <-- pointer
When an ipaccess connection (be it OML or RSL) goes down and then up again, for instance if the BSC gets restarted, osmo-bts crashes. The problem is that struct ipa_client_conn gets free()ed before the associated FSM instance gets terminated:
* e1inp_ipa_bts_rsl_connect_n() is called
** calling e1inp_ipa_bts_rsl_close_n()
*** this function free()s struct ipa_client_conn
*** (!) as well as the struct osmo_fsm_inst (talloc child)
** calling ipaccess_bts_keepalive_fsm_alloc()
*** calling ipaccess_keepalive_fsm_cleanup()
**** accessing free()d e1i_ts->driver.ipaccess.ka_fsm
**** BOOOM! segmentation fault
Fix this by calling ipaccess_keepalive_fsm_cleanup() before free()ing the associated struct ipa_client_conn.
Note that ipaccess_bsc_keepalive_fsm_alloc() is not affected because it's allocating keepalive FSMs using the global tall_ipa_ctx.
Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b
Related: SYS#6438
(cherry picked from commit f6bde0f521155f1d2a073181cfca97df83de2684)
---
M src/input/ipaccess.c
1 file changed, 50 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/libosmo-abis refs/changes/64/32664/2
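The following C program is an added illustration of the ownership problem the commit message describes; it is not code from libosmo-abis or from this change. It models the talloc parent/child relationship with plain calloc() plus a small tracking table that quarantines freed blocks (the way ASan does) so that the dangling access is reported as a return code instead of being executed. The names conn, ts, ka_fsm, bts_close(), bts_reconnect() and run_cycle() are stand-ins for the structures and functions named in the commit message, and the three modes correspond to the buggy ordering, the fixed ordering (cleanup before free), and the BSC-side variant where the FSM is allocated under a global context rather than under the connection.

```c
/* Added illustration, not libosmo-abis code: models the use-after-free
 * from the commit message with a quarantining tracker in place of talloc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 16

/* Tracking allocator: freed blocks are kept (quarantined) until release_all(),
 * so an address cannot be reused within one cycle and a stale pointer is
 * detectable. This is the role ASan's quarantine plays in real debugging. */
struct slot { void *p; int live; };
static struct slot slots[MAX_SLOTS];
static int nslots;

static void *tracked_alloc(size_t n)
{
	if (nslots == MAX_SLOTS)
		return NULL;
	void *p = calloc(1, n);
	if (!p)
		return NULL;
	slots[nslots].p = p;
	slots[nslots].live = 1;
	nslots++;
	return p;
}

static int is_live(const void *p)
{
	for (int i = 0; i < nslots; i++)
		if (slots[i].p == p)
			return slots[i].live;
	return 0;
}

static void tracked_free(void *p)
{
	for (int i = 0; i < nslots; i++)
		if (slots[i].p == p)
			slots[i].live = 0;	/* quarantined, not returned to malloc */
}

static void release_all(void)
{
	for (int i = 0; i < nslots; i++)
		free(slots[i].p);
	nslots = 0;
}

struct ka_fsm { int id; };
/* stand-in for struct ipa_client_conn: the talloc parent of the FSM */
struct conn { struct ka_fsm *child; };
/* stand-in for struct e1inp_ts: holds driver.ipaccess.ka_fsm */
struct ts { struct ka_fsm *ka_fsm; };

enum { KA_OK = 0, KA_DANGLING = -1, KA_NOMEM = -2 };
enum mode { MODE_BUGGY, MODE_FIXED, MODE_GLOBAL_CTX };

/* like talloc_free(conn): freeing the parent also frees its child */
static void conn_free(struct conn *c)
{
	if (c->child)
		tracked_free(c->child);
	tracked_free(c);
}

/* model of ipaccess_keepalive_fsm_cleanup(): terminate the FSM the ts points
 * to and clear the pointer; returns KA_DANGLING where the real code crashes */
static int keepalive_fsm_cleanup(struct ts *t, struct conn *c)
{
	if (!t->ka_fsm)
		return KA_OK;
	if (!is_live(t->ka_fsm))
		return KA_DANGLING;
	if (c && c->child == t->ka_fsm)
		c->child = NULL;	/* detach so conn_free() does not free it twice */
	tracked_free(t->ka_fsm);
	t->ka_fsm = NULL;
	return KA_OK;
}

/* model of ipaccess_bts_keepalive_fsm_alloc(): cleanup, then allocate a new
 * FSM (child of conn, or of a global context in MODE_GLOBAL_CTX) */
static int keepalive_fsm_alloc(struct ts *t, struct conn *c, enum mode m, int id)
{
	int rc = keepalive_fsm_cleanup(t, c);
	if (rc != KA_OK)
		return rc;
	struct ka_fsm *f = tracked_alloc(sizeof *f);
	if (!f)
		return KA_NOMEM;
	f->id = id;
	if (m != MODE_GLOBAL_CTX)
		c->child = f;
	t->ka_fsm = f;
	return KA_OK;
}

/* model of e1inp_ipa_bts_rsl_close_n(): only MODE_FIXED cleans up first */
static void bts_close(struct ts *t, struct conn **cp, enum mode m)
{
	if (!*cp)
		return;
	if (m == MODE_FIXED)
		keepalive_fsm_cleanup(t, *cp);
	conn_free(*cp);
	*cp = NULL;
}

/* model of e1inp_ipa_bts_rsl_connect_n(): link down, then link up again */
static int bts_reconnect(struct ts *t, struct conn **cp, enum mode m, int id)
{
	bts_close(t, cp, m);
	*cp = tracked_alloc(sizeof **cp);
	if (!*cp)
		return KA_NOMEM;
	return keepalive_fsm_alloc(t, *cp, m, id);
}

/* one connect plus one reconnect (the "BSC restarted" case); returns what the
 * second keepalive_fsm_alloc() saw: KA_DANGLING for MODE_BUGGY, else KA_OK */
int run_cycle(enum mode m)
{
	struct ts t = { 0 };
	struct conn *c = NULL;
	int rc = bts_reconnect(&t, &c, m, 1);
	if (rc == KA_OK)
		rc = bts_reconnect(&t, &c, m, 2);
	release_all();
	return rc;
}

int main(void)
{
	printf("buggy ordering:   %d\n", run_cycle(MODE_BUGGY));
	printf("fixed ordering:   %d\n", run_cycle(MODE_FIXED));
	printf("global ctx (bsc): %d\n", run_cycle(MODE_GLOBAL_CTX));
	return 0;
}
```

The point the model makes explicit is that the dangling pointer lives in a different object (the ts) from the one whose lifetime ends (the conn), so freeing the parent silently invalidates a pointer nobody on that path looks at; the cleanup-before-free ordering works because cleanup both frees the FSM and clears the only other reference to it.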