[M] Change in libosmo-abis[rel-1.4.1]: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()

Hello Jenkins Builder, I'd like you to reexamine a change. Please visit https://gerrit.osmocom.org/c/libosmo-abis/+/32664 to look at the new patch set (#2). Change subject: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() ...................................................................... fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() In ipaccess_bts_keepalive_fsm_alloc() we allocate a keepalive FSM instance as a child of the respective struct ipa_client_conn, and store the pointer to the respective struct e1inp_ts. + struct e1inp_line | ---+ struct ipaccess_line (void *driver_data) | | | ---+ struct ipa_client_conn *ipa_cli[NUM_E1_TS] // <-- parent | ---+ struct e1inp_ts ts[NUM_E1_TS] | | | ---+ .driver.ipaccess.ka_fsm // <-- pointer When an ipaccess connection (be it OML or RSL) goes down and then up again, for instance if the BSC gets restarted, osmo-bts crashes. The problem is that struct ipa_client_conn gets free()ed before the associated FSM instance gets terminated: * e1inp_ipa_bts_rsl_connect_n() is called ** calling e1inp_ipa_bts_rsl_close_n() *** this function free()s struct ipa_client_conn *** (!) as well as the struct osmo_fsm_inst (talloc child) ** calling ipaccess_bts_keepalive_fsm_alloc() *** calling ipaccess_keepalive_fsm_cleanup() **** accessing free()d e1i_ts->driver.ipaccess.ka_fsm **** BOOOM! segmentation fault Fix this by calling ipaccess_keepalive_fsm_cleanup() before free()ing the associated struct ipa_client_conn. Note that ipaccess_bsc_keepalive_fsm_alloc() is not affected because it's allocating keepalive FSMs using the global tall_ipa_ctx. Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Related: SYS#6438 (cherry picked from commit f6bde0f521155f1d2a073181cfca97df83de2684) --- M src/input/ipaccess.c 1 file changed, 50 insertions(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-abis refs/changes/64/32664/2 -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32664 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: rel-1.4.1 Gerrit-Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Gerrit-Change-Number: 32664 Gerrit-PatchSet: 2 Gerrit-Owner: fixeria &lt;vyanitskiy(a)sysmocom.de&gt; Gerrit-Reviewer: Jenkins Builder Gerrit-MessageType: newpatchset