fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-sgsn/+/42602?usp=email )
Change subject: sgsn_libgtp: fix NULL dereference in cb_delete_context() ......................................................................
sgsn_libgtp: fix NULL dereference in cb_delete_context()
sgsn_pdp_ctx_free() contains an abnormal path (with a backtrace log) for the case where a PDP context is freed while its libgtp handle is still attached. In that path, lib->priv is set to NULL to prevent other callbacks (e.g. cb_data_ind()) from dereferencing the already-freed sgsn_pdp_ctx.
When libgtp subsequently calls cb_delete_context() as part of its own teardown, pdp->priv is NULL, causing an immediate NULL dereference at the pctx->lib = NULL assignment.
Guard against this by returning early when priv is NULL: the SGSN-side context is already gone, so there is nothing left for the callback to do.
Change-Id: I7d800766b08d87b6f2b23a0cd45435925f9998ff
---
M src/sgsn/sgsn_libgtp.c
1 file changed, 6 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/02/42602/1
diff --git a/src/sgsn/sgsn_libgtp.c b/src/sgsn/sgsn_libgtp.c index 4021bbc..e4fc9fd 100644 --- a/src/sgsn/sgsn_libgtp.c +++ b/src/sgsn/sgsn_libgtp.c @@ -702,6 +702,12 @@
LOGPDPX(DGPRS, LOGL_INFO, pdp, "Context %p was deleted\n", pdp);
+ /* sgsn_pdp_ctx_free() clears pdp->priv when it has to release a context + * that still has a libgtp handle attached (the "shouldn't happen" path). + * In that case the SGSN side is already gone; nothing to do here. */ + if (!pctx) + return 0; + /* unlink the now non-existing library handle from the pdp context. This way we avoid calling pdp_freepdp() on it, since after returning from cb_delete_context callback, libgtp is already doing so. */
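Review bot: the new `if (!pctx) return 0;` guard is silent about the abnormal case it handles, so the only trace of reaching it is the generic "Context %p was deleted" INFO line just above; since the commit message describes this as the "shouldn't happen" path, consider adding a `LOGPDPX(DGPRS, LOGL_NOTICE, pdp, ...)` before the `return 0;` stating that the SGSN-side context was already released, so that a teardown which went through the backtrace path in sgsn_pdp_ctx_free() is visible in the log when it is later debugged. Two smaller points: the hunk does not show where `pctx` is derived from `pdp->priv`, so extending the new comment with that relation (it is what links the guard to the commit message) would help the next reader; and since the early return now skips everything after it in the callback, it is worth confirming that 0 is the same value the callback returns on its normal path, so libgtp's own teardown behaves identically in both cases.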