neels submitted this change.

View Change


Approvals: fixeria: Looks good to me, but someone else must approve Jenkins Builder: Verified laforge: Looks good to me, approved pespin: Looks good to me, but someone else must approve 
prevent use-after-free after FSM instance termination

- Set osmo_fsm_set_dealloc_ctx(OTC_SELECT) in osmo-hnbgw's main().
- Only dispatch RANAP when FSM instances aren't terminated.

This way we possibly pre-empt use-after-free crashes for deallocating
FSM "nests" for obscure corner cases.

Use-after-free is a general problem for FSM design. For this, we created
osmo_fsm_set_dealloc_ctx(): When an FSM is terminated, move it to a
separate talloc context, instead of being deallocated.

An actual use-after-free was observed as described in OS#6484, but that
needs a separate, orthogonal fix:

When the Iuh link is lost while the CN link is waiting for SCCP CC or
CREF -- the better solution is described in OS#6085: don't wait for CC
at all, just dispatch DISCONN to SCCP-SCOC.

So even though the code where a crash was observed will be removed, this
patch is a general safeguard against corner case crashes, improving
general stability.

Related: OS#6484
Change-Id: Ib41e1a996aaa03221e73643636140947ac8f99e2
---
M src/osmo-hnbgw/context_map_rua.c
M src/osmo-hnbgw/context_map_sccp.c
M src/osmo-hnbgw/osmo_hnbgw_main.c
3 files changed, 42 insertions(+), 0 deletions(-)

diff --git a/src/osmo-hnbgw/context_map_rua.c b/src/osmo-hnbgw/context_map_rua.c
index 3c6ea1e..7286906 100644
--- a/src/osmo-hnbgw/context_map_rua.c
+++ b/src/osmo-hnbgw/context_map_rua.c
@@ -158,6 +158,11 @@
 static int handle_rx_rua(struct osmo_fsm_inst *fi, struct msgb *ranap_msg)
 {
 	struct hnbgw_context_map *map = fi->priv;
+
+	/* If the FSM instance has already terminated, don't dispatch anything. */
+	if (fi->proc.terminating)
+		return 0;
+
 	if (!msg_has_l2_data(ranap_msg))
 		return 0;
 
diff --git a/src/osmo-hnbgw/context_map_sccp.c b/src/osmo-hnbgw/context_map_sccp.c
index 10ddaf2..511577c 100644
--- a/src/osmo-hnbgw/context_map_sccp.c
+++ b/src/osmo-hnbgw/context_map_sccp.c
@@ -198,6 +198,10 @@
 	struct hnbgw_context_map *map = fi->priv;
 	int rc;
 
+	/* If the FSM instance has already terminated, don't dispatch anything. */
+	if (fi->proc.terminating)
+		return 0;
+
 	/* When there was no message received along with the received event, then there is nothing to forward to RUA. */
 	if (!msg_has_l2_data(ranap_msg))
 		return 0;
diff --git a/src/osmo-hnbgw/osmo_hnbgw_main.c b/src/osmo-hnbgw/osmo_hnbgw_main.c
index 2f71251..3e715b0 100644
--- a/src/osmo-hnbgw/osmo_hnbgw_main.c
+++ b/src/osmo-hnbgw/osmo_hnbgw_main.c
@@ -360,6 +360,8 @@
 	signal(SIGUSR2, &signal_handler);
 	osmo_init_ignore_signals();
 
+	osmo_fsm_set_dealloc_ctx(OTC_SELECT);
+
 	while (1) {
 		rc = osmo_select_main_ctx(0);
 		if (rc < 0)

To view, visit change 37147. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: Ib41e1a996aaa03221e73643636140947ac8f99e2
Gerrit-Change-Number: 37147
Gerrit-PatchSet: 2
Gerrit-Owner: neels <nhofmeyr@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: neels <nhofmeyr@sysmocom.de>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>
Gerrit-MessageType: merged