fixeria has submitted this change. (
https://gerrit.osmocom.org/c/osmo-msc/+/39976?usp=email )
Change subject: gsm0911_rcv_nc_ss(): avoid assertion failure in msc_a_put()
......................................................................
gsm0911_rcv_nc_ss(): avoid assertion failure in msc_a_put()
It was reported by a user that osmo-msc hits an assertion failure:
Assert failed osmo_use_count_get_put(&msc_a->use_count,
"cm_service_ss", -1) == 0 gsm_09_11.c:147
It's yet unclear how this can happen, because the MS/UE shall not be
sending SS/USSD messages without a prior CM Service Request. However,
I was able to write an "evil MS" testcase that reproduces the problem
(see the related patch). This is pretty much a DoS vector, so let's
add safety checks preventing this to gsm0911_rcv_nc_ss().
Change-Id: I724f0f0c9ef8611d3c3653e9370361b252127f72
Related: osmo-ttcn3-hacks.git If1d85a1b4b63b01b4565e53677acfd21e664e799
Related: 5fb4a9efcf ("Release BSS connection when SS message is rejected")
Related: OS#6756
---
M src/libmsc/gsm_09_11.c
1 file changed, 8 insertions(+), 4 deletions(-)
Approvals:
Jenkins Builder: Verified
osmith: Looks good to me, but someone else must approve
fixeria: Looks good to me, approved
laforge: Looks good to me, but someone else must approve
diff --git a/src/libmsc/gsm_09_11.c b/src/libmsc/gsm_09_11.c
index 442995e..f0d31bb 100644
--- a/src/libmsc/gsm_09_11.c
+++ b/src/libmsc/gsm_09_11.c
@@ -143,8 +143,10 @@
GSM48_PDISC_NC_SS | (tid << 4),
GSM0480_MTYPE_RELEASE_COMPLETE);
/* Decrement use counter that has been incremented by CM Service Request (SS).
- * If there is no other service request, the BSS connection will be released. */
- msc_a_put(msc_a, MSC_A_USE_CM_SERVICE_SS);
+ * If there is no other service request, the BSS connection will be released.
+ * Guard against an "evil" MS/UE not sending CM Service Request (see
OS#6756). */
+ if (osmo_use_count_by(&msc_a->use_count, MSC_A_USE_CM_SERVICE_SS))
+ msc_a_put(msc_a, MSC_A_USE_CM_SERVICE_SS);
return -EINVAL;
}
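Review bot: the new `if (osmo_use_count_by(...))` guard in front of msc_a_put() makes the anomalous case silent; when the count is 0 here, an SS/USSD message arrived without a preceding CM Service Request, which the commit message itself calls a DoS vector, so consider an `else` branch with a LOGP() line at notice level (rate-limited if this path can be hit in a flood) so that operators can see the misbehaving MS/UE rather than only avoiding the assertion.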
@@ -155,8 +157,10 @@
GSM48_PDISC_NC_SS | (tid << 4),
GSM0480_MTYPE_RELEASE_COMPLETE);
/* Decrement use counter that has been incremented by CM Service Request (SS).
- * If there is no other service request, the BSS connection will be released. */
- msc_a_put(msc_a, MSC_A_USE_CM_SERVICE_SS);
+ * If there is no other service request, the BSS connection will be released.
+ * Guard against an "evil" MS/UE not sending CM Service Request (see
OS#6756). */
+ if (osmo_use_count_by(&msc_a->use_count, MSC_A_USE_CM_SERVICE_SS))
+ msc_a_put(msc_a, MSC_A_USE_CM_SERVICE_SS);
return -ENOMEM;
}
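Review bot: this hunk repeats the release path of the previous one verbatim (RELEASE_COMPLETE, the expanded comment, the guarded msc_a_put()), differing only in the `-ENOMEM` return value; suggest folding both into one small static helper (for example a hypothetical `gsm0911_release_and_put(msc_a, tid)`) so that any later change to the guard, or a log line added for the missing CM Service Request case, cannot diverge between the two error paths.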
Gerrit-MessageType: merged
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: I724f0f0c9ef8611d3c3653e9370361b252127f72
Gerrit-Change-Number: 39976
Gerrit-PatchSet: 2
Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de>
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: osmith <osmith(a)sysmocom.de>