[MERGED] osmo-msc[master]: vlr_gsupc_read_cb: fix use after free of GSUP msgb


Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Mon Nov 20 13:49:33 UTC 2017


Neels Hofmeyr has submitted this change and it was merged.

Change subject: vlr_gsupc_read_cb: fix use after free of GSUP msgb
......................................................................


vlr_gsupc_read_cb: fix use after free of GSUP msgb

osmo_gsup_decode() doesn't actually decode everything, it does leave quite a
number of pointers into the original msgb. Hence we must not deallocate the
gsup msgb before dispatching GSUP events.

Move msgb_free() to the bottom of vlr_gsupc_read_cb() and use rc and gotos to
early-exit if needed.

Change-Id: I16fc92dcf84e29fcf34712a2e8b0464ef08425ad
---
M src/libvlr/vlr.c
1 file changed, 10 insertions(+), 5 deletions(-)

Approvals:
  Jenkins Builder: Verified
  Holger Freyther: Looks good to me, approved



diff --git a/src/libvlr/vlr.c b/src/libvlr/vlr.c
index 07c31ee..4ef52da 100644
--- a/src/libvlr/vlr.c
+++ b/src/libvlr/vlr.c
@@ -804,12 +804,11 @@
 	       osmo_hexdump_nospc(msgb_l2(msg), msgb_l2len(msg)));
 
 	rc = osmo_gsup_decode(msgb_l2(msg), msgb_l2len(msg), &gsup);
-	msgb_free(msg);
 	if (rc < 0) {
 		LOGP(DVLR, LOGL_ERROR,
 			"decoding GSUP message fails with error '%s' (%d)\n",
 			get_value_string(gsm48_gmm_cause_names, -rc), -rc);
-		return rc;
+		goto msgb_free_and_return;
 	}
 
 	if (!gsup.imsi[0]) {
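Review bot: removing the unconditional msgb_free() right after osmo_gsup_decode() is the core of the fix, since the decoded struct keeps pointers into msgb_l2(msg); the rc < 0 exit correctly reuses the negative rc and jumps to the label, but this also means every other early return in vlr_gsupc_read_cb() between here and the label, including any in the region not shown by this diff (lines ~830 to ~865), must now go through msgb_free_and_return or the msgb leaks. Please confirm no plain `return` remains in that range.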
@@ -817,7 +816,8 @@
 		if (OSMO_GSUP_IS_MSGT_REQUEST(gsup.message_type))
 			vlr_tx_gsup_error_reply(vlr, &gsup,
 						GMM_CAUSE_INV_MAND_INFO);
-		return -GMM_CAUSE_INV_MAND_INFO;
+		rc = -GMM_CAUSE_INV_MAND_INFO;
+		goto msgb_free_and_return;
 	}
 
 	vsub = vlr_subscr_find_by_imsi(vlr, gsup.imsi);
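Review bot: `rc = -GMM_CAUSE_INV_MAND_INFO; goto msgb_free_and_return;` preserves the previous return value, and the ordering matters here: vlr_tx_gsup_error_reply(vlr, &gsup, ...) reads fields of gsup that point into msg, so the reply is built before the buffer is freed at the label, which is exactly the use-after-free this change removes.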
@@ -825,9 +825,11 @@
 		switch (gsup.message_type) {
 		case OSMO_GSUP_MSGT_PURGE_MS_RESULT:
 		case OSMO_GSUP_MSGT_PURGE_MS_ERROR:
-			return vlr_rx_gsup_purge_no_subscr(vlr, &gsup);
+			rc = vlr_rx_gsup_purge_no_subscr(vlr, &gsup);
+			goto msgb_free_and_return;
 		default:
-			return vlr_rx_gsup_unknown_imsi(vlr, &gsup);
+			rc = vlr_rx_gsup_unknown_imsi(vlr, &gsup);
+			goto msgb_free_and_return;
 		}
 	}
 
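Review bot: both switch arms now assign rc and jump to the label, so there is no fall-through from the PURGE_MS_* cases into default and no path that continues past the `if (!vsub)` block with a NULL vsub, matching the old `return` behaviour. Minor style point: assigning rc in each case and placing a single `goto msgb_free_and_return;` after the switch would avoid repeating the goto, but the current form is correct.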
@@ -865,6 +867,9 @@
 	}
 
 	vlr_subscr_put(vsub);
+
+msgb_free_and_return:
+	msgb_free(msg);
 	return rc;
 }
 
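Review bot: placing the label after vlr_subscr_put(vsub) means the normal path falls into msgb_free() exactly once, and the early exits above all occur before vsub is acquired, so they correctly skip the put. The remaining risk is an exit added later between vlr_subscr_find_by_imsi() succeeding and the put: such a path must call vlr_subscr_put(vsub) before `goto msgb_free_and_return;` or it leaks a subscriber reference. A short comment above the label stating that vsub must already be released when jumping here would make that contract explicit.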

-- 
To view, visit https://gerrit.osmocom.org/4924
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I16fc92dcf84e29fcf34712a2e8b0464ef08425ad
Gerrit-PatchSet: 2
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Holger Freyther <holger at freyther.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>


