osmith has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-gbproxy/+/33738 )
Change subject: gbprox_rx_ptp_from_bss: fix dangling pointer ......................................................................
gbprox_rx_ptp_from_bss: fix dangling pointer
Building with GCC 12 and --enable-werror fails without this. There is already a "hack to get both msg + tlv_parsed passed via osmo_fsm_inst_dispatch" comment; make the variable global until this is implemented properly.
../../../src/gb_proxy.c:450:24: error: storing the address of local variable 'tp' in '((struct libgb_msgb_cb *)msg)[2].bssgp_cell_id' [-Werror=dangling-pointer=] 450 | msgb_bcid(msg) = (void *)&tp;
Related: OS#6057 Change-Id: Ie51e37572993cb5dc24ecf13bc300225f09cb744 --- M src/gb_proxy.c 1 file changed, 33 insertions(+), 13 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-gbproxy refs/changes/38/33738/1
diff --git a/src/gb_proxy.c b/src/gb_proxy.c
index a7554a6..f91d431 100644
--- a/src/gb_proxy.c
+++ b/src/gb_proxy.c
@@ -80,6 +80,9 @@
 .class_id = OSMO_STATS_CLASS_GLOBAL,
 };
+/* Hack for gbprox_rx_ptp_from_bss */
+struct tlv_parsed g_tp;
+
 int tx_status(struct gbproxy_nse *nse, uint16_t ns_bvci, enum gprs_bssgp_cause cause, const uint16_t *bvci, const struct msgb *old_msg)
 {
 int rc;
@@ -410,7 +413,6 @@
 struct bssgp_normal_hdr *bgph = (struct bssgp_normal_hdr *) msgb_bssgph(msg);
 const char *pdut_name = osmo_tlv_prot_msg_name(&osmo_pdef_bssgp, bgph->pdu_type);
 struct gbproxy_bvc *bss_bvc;
- struct tlv_parsed tp;
 char log_pfx[32];
 uint32_t tlli;
 int rc;
@@ -441,13 +443,13 @@
 return tx_status(nse, ns_bvci, BSSGP_CAUSE_UNKNOWN_BVCI, &ns_bvci, msg);
 }
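Review bot: `g_tp` is added at file scope without `static`, so a two-letter-suffixed name gets external linkage although the visible uses are all in this file; `static struct tlv_parsed g_tp;` would keep it local, and the handlers reached through `msgb_bcid(msg)` would still work because they only follow the pointer. The bigger concern is lifetime: after the `msgb_bcid(msg) = (void *)&g_tp;` assignment in the @@ -441 hunk, every msg carries a pointer to the same object, which the next `gbproxy_decode_bssgp(..., &g_tp, ...)` call refills. That appears safe only while the dispatch is synchronous and nothing retains the msg or re-enters gbprox_rx_ptp_from_bss before the handler has finished; otherwise a handler would read IE pointers that belong to a different, possibly already freed, message. I would spell that constraint out in the comment, e.g. `/* Hack for gbprox_rx_ptp_from_bss: contents valid only during the synchronous dispatch of the current msg, overwritten by the next PDU */`.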
- rc = gbproxy_decode_bssgp(bgph, msgb_bssgp_len(msg), &tp, log_pfx);
+ rc = gbproxy_decode_bssgp(bgph, msgb_bssgp_len(msg), &g_tp, log_pfx);
 if (rc < 0) {
 rate_ctr_inc(rate_ctr_group_get_ctr(nse->cfg->ctrg, GBPROX_GLOB_CTR_PROTO_ERR_BSS));
 return tx_status_from_tlvp(nse, rc, msg);
 }
 /* hack to get both msg + tlv_parsed passed via osmo_fsm_inst_dispatch */
- msgb_bcid(msg) = (void *)&tp;
+ msgb_bcid(msg) = (void *)&g_tp;
 switch (bgph->pdu_type) {
 case BSSGP_PDUT_UL_UNITDATA:
@@ -466,20 +468,20 @@
 case BSSGP_PDUT_PS_HO_COMPLETE:
 case BSSGP_PDUT_PS_HO_CANCEL:
 /* We can route based on TLLI-NRI */
- tlli = osmo_load32be(TLVP_VAL(&tp, BSSGP_IE_TLLI));
+ tlli = osmo_load32be(TLVP_VAL(&g_tp, BSSGP_IE_TLLI));
 rc = gbprox_bss2sgsn_tlli(bss_bvc->cell, msg, &tlli, false);
 break;
 case BSSGP_PDUT_RADIO_STATUS:
- if (TLVP_PRESENT(&tp, BSSGP_IE_TLLI)) {
- tlli = osmo_load32be(TLVP_VAL(&tp, BSSGP_IE_TLLI));
+ if (TLVP_PRESENT(&g_tp, BSSGP_IE_TLLI)) {
+ tlli = osmo_load32be(TLVP_VAL(&g_tp, BSSGP_IE_TLLI));
 rc = gbprox_bss2sgsn_tlli(bss_bvc->cell, msg, &tlli, false);
- } else if (TLVP_PRESENT(&tp, BSSGP_IE_TMSI)) {
+ } else if (TLVP_PRESENT(&g_tp, BSSGP_IE_TMSI)) {
 /* we treat the TMSI like a TLLI and extract the NRI from it */
- tlli = osmo_load32be(TLVP_VAL(&tp, BSSGP_IE_TMSI));
+ tlli = osmo_load32be(TLVP_VAL(&g_tp, BSSGP_IE_TMSI));
 /* Convert the TMSI into a FOREIGN TLLI so it is routed appropriately */
 tlli = gprs_tmsi2tlli(tlli, TLLI_FOREIGN);
 rc = gbprox_bss2sgsn_tlli(bss_bvc->cell, msg, &tlli, false);
- } else if (TLVP_PRESENT(&tp, BSSGP_IE_IMSI)) {
+ } else if (TLVP_PRESENT(&g_tp, BSSGP_IE_IMSI)) {
 /* FIXME: Use the IMSI as selector? */
 rc = gbprox_bss2sgsn_tlli(bss_bvc->cell, msg, NULL, false);
 } else
@@ -490,8 +492,8 @@
 {
 /* Route according to IMSI<->NSE cache entry */
 struct osmo_mobile_identity mi;
- const uint8_t *mi_data = TLVP_VAL(&tp, BSSGP_IE_IMSI);
- uint8_t mi_len = TLVP_LEN(&tp, BSSGP_IE_IMSI);
+ const uint8_t *mi_data = TLVP_VAL(&g_tp, BSSGP_IE_IMSI);
+ uint8_t mi_len = TLVP_LEN(&g_tp, BSSGP_IE_IMSI);
 osmo_mobile_identity_decode(&mi, mi_data, mi_len, false);
 nse = gbproxy_nse_by_imsi(nse->cfg, mi.imsi, CACHE_USAGE_PAGING);
 if (nse) {
@@ -509,12 +511,12 @@
 {
 struct gbproxy_sgsn *sgsn;
 /* Check if the status needs to be terminated locally */
- uint8_t cause = *TLVP_VAL(&tp, BSSGP_IE_CAUSE);
+ uint8_t cause = *TLVP_VAL(&g_tp, BSSGP_IE_CAUSE);
LOGPNSE(nse, LOGL_NOTICE, "Rx STATUS cause=0x%02x(%s)\n", cause, bssgp_cause_str(cause));
- if (gbproxy_tlli_from_status_pdu(&tp, &tlli, log_pfx) == 0)
+ if (gbproxy_tlli_from_status_pdu(&g_tp, &tlli, log_pfx) == 0)
 sgsn = gbproxy_select_sgsn(nse->cfg, &tlli);
 else
 sgsn = gbproxy_select_sgsn(nse->cfg, NULL);