pespin has submitted this change. ( https://gerrit.osmocom.org/c/osmo-hnbgw/+/29549 )

Change subject: hnb_read_cb(): -EBADF must be returned if conn is freed to avoid use-after-free ......................................................................

hnb_read_cb(): -EBADF must be returned if conn is freed to avoid use-after-free

Otherwise the libosmo-netif stream API may continue accessing the conn after returning if the socket has the WRITE flag active in the same main loop iteration.

Change-Id: I628c59a88d94d299f432f405b37fbe602381d47e --- M src/osmo-hnbgw/hnbgw.c 1 file changed, 4 insertions(+), 3 deletions(-)

Approvals: Jenkins Builder: Verified pespin: Looks good to me, approved laforge: Looks good to me, but someone else must approve fixeria: Looks good to me, but someone else must approve

diff --git a/src/osmo-hnbgw/hnbgw.c b/src/osmo-hnbgw/hnbgw.c index b824dd3..38d33eb 100644 --- a/src/osmo-hnbgw/hnbgw.c +++ b/src/osmo-hnbgw/hnbgw.c @@ -264,7 +264,7 @@ "sctp_recvmsg(%s) = SCTP_COMM_LOST, closing conn\n", osmo_sock_get_name2(ofd->fd)); osmo_stream_srv_destroy(conn); - rc = -1; + rc = -EBADF; break; case SCTP_RESTART: LOGHNB(hnb, DMAIN, LOGL_NOTICE, "HNB SCTP conn RESTARTed, marking as HNBAP-unregistered\n"); @@ -277,7 +277,7 @@ "sctp_recvmsg(%s) = SCTP_SHUTDOWN_EVENT, closing conn\n", osmo_sock_get_name2(ofd->fd)); osmo_stream_srv_destroy(conn); - rc = -1; + rc = -EBADF; break; } goto out; @@ -291,12 +291,13 @@ LOGHNB(hnb, DMAIN, LOGL_ERROR, "Error during sctp_recvmsg(%s)\n", osmo_sock_get_name2(ofd->fd)); osmo_stream_srv_destroy(conn); + rc = -EBADF; goto out; } else if (rc == 0) { LOGHNB(hnb, DMAIN, LOGL_NOTICE, "Connection closed sctp_recvmsg(%s) = 0\n", osmo_sock_get_name2(ofd->fd)); osmo_stream_srv_destroy(conn); - rc = -1; + rc = -EBADF; goto out; } else { msgb_put(msg, rc);