[MERGED] osmo-msc[master]: fix use after free: missing conn_get on CC paging response

Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Tue Nov 28 01:32:15 UTC 2017


Neels Hofmeyr has submitted this change and it was merged.

Change subject: fix use after free: missing conn_get on CC paging response
......................................................................


fix use after free: missing conn_get on CC paging response

Adjust test expectations accordingly.

The error was:

  ==16084==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000f5f4 at pc 0x561be639ac2b bp 0x7ffc0aabbe40 sp 0x7ffc0aabbe38
  READ of size 4 at 0x61500000f5f4 thread T0
      #0 0x561be639ac2a in _msc_subscr_conn_put ../../../../src/osmo-msc/src/libmsc/osmo_msc.c:384
      #1 0x561be636070b in rx_from_ms ../../../../src/osmo-msc/tests/msc_vlr/msc_vlr_tests.c:204
      #2 0x561be6360b21 in ms_sends_msg ../../../../src/osmo-msc/tests/msc_vlr/msc_vlr_tests.c:217
      #3 0x561be635b40a in test_call_mt ../../../../src/osmo-msc/tests/msc_vlr/msc_vlr_test_call.c:328
      #4 0x561be6363bb7 in run_tests ../../../../src/osmo-msc/tests/msc_vlr/msc_vlr_tests.c:802
      #5 0x561be63524ea in main ../../../../src/osmo-msc/tests/msc_vlr/msc_vlr_tests.c:849
      #6 0x7f6eebb3e2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
      #7 0x561be6352fb9 in _start (/n/s/osmo/make-3G/osmo-msc/tests/msc_vlr/msc_vlr_test_call+0xdafb9)

Related: OS#2672
Change-Id: If0659a878deb383ed0300217e2c41c8c79b2b6a5
---
M src/libmsc/gsm_04_08.c
M tests/msc_vlr/msc_vlr_test_call.err
2 files changed, 16 insertions(+), 16 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index e783b5e..d71b48b 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -1359,7 +1359,7 @@
 		       vlr_subscr_msisdn_or_name(transt->vsub));
 		OSMO_ASSERT(conn);
 		/* Assign conn */
-		transt->conn = conn;
+		transt->conn = msc_subscr_conn_get(conn, MSC_CONN_USE_TRANS_CC);
 		/* send SETUP request to called party */
 		gsm48_cc_tx_setup(transt, &transt->cc.msg);
 		break;
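Review bot: the added msc_subscr_conn_get() supplies the missing half of a get/put pair, and a one-line comment at the assignment would make that ownership explicit: the old expected output in msc_vlr_test_call.err already recorded a trans_cc put at transaction release ("MSC conn use error: freeing an unused token: trans_cc"), so the plain `transt->conn = conn;` left the transaction releasing a MSC_CONN_USE_TRANS_CC reference it never took. Something like `/* transaction holds a MSC_CONN_USE_TRANS_CC ref, put on trans free */` above the line would tell the next reader why the assignment is not a bare pointer copy; it is also worth checking that every other site assigning transt->conn takes the same token, since this hunk shows only the paging-response path.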
diff --git a/tests/msc_vlr/msc_vlr_test_call.err b/tests/msc_vlr/msc_vlr_test_call.err
index 6fd9288..5ffab4a 100644
--- a/tests/msc_vlr/msc_vlr_test_call.err
+++ b/tests/msc_vlr/msc_vlr_test_call.err
@@ -602,6 +602,7 @@
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: state_chg to SUBSCR_CONN_S_ACCEPTED
 DPAG Paging success for MSISDN:42342 (event=0)
 DPAG Calling paging cbfn.
+DREF MSISDN:42342: MSC conn use + trans_cc == 2 (0xc)
 DMSC msc_tx 2 bytes to MSISDN:42342 via RAN_UTRAN_IU
 - DTAP --RAN_UTRAN_IU--> MS: GSM48_MT_CC_SETUP: 0305
 - DTAP matches expected message
@@ -610,7 +611,7 @@
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: bump: connection still has active transaction: GSM48_PDISC_CC
   paging_stopped == 1
   MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_CC_CALL_CONF
-DREF MSISDN:42342: MSC conn use + dtap == 2 (0x6)
+DREF MSISDN:42342: MSC conn use + dtap == 3 (0xe)
 DRLL Dispatching 04.08 message GSM48_MT_CC_CALL_CONF (0x3:0x8)
   MS <--Call Assignment-- MSC: subscr=MSISDN:42342 callref=0x423
 DMNCC transmit message MNCC_CALL_CONF_IND
@@ -619,27 +620,27 @@
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: state_chg to SUBSCR_CONN_S_COMMUNICATING
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_BUMP
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: bump: connection still has active transaction: GSM48_PDISC_CC
-DREF MSISDN:42342: MSC conn use - dtap == 1 (0x4)
+DREF MSISDN:42342: MSC conn use - dtap == 2 (0xc)
 - Total time passed: 1.000023 s
   MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_CC_ALERTING
-DREF MSISDN:42342: MSC conn use + dtap == 2 (0x6)
+DREF MSISDN:42342: MSC conn use + dtap == 3 (0xe)
 DRLL Dispatching 04.08 message GSM48_MT_CC_ALERTING (0x3:0x1)
 DMNCC transmit message MNCC_ALERT_IND
   MSC --> MNCC: callref 0x423: MNCC_ALERT_IND
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_COMMUNICATING
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_BUMP
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: bump: connection still has active transaction: GSM48_PDISC_CC
-DREF MSISDN:42342: MSC conn use - dtap == 1 (0x4)
+DREF MSISDN:42342: MSC conn use - dtap == 2 (0xc)
 - Total time passed: 2.000046 s
   MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_CC_CONNECT
-DREF MSISDN:42342: MSC conn use + dtap == 2 (0x6)
+DREF MSISDN:42342: MSC conn use + dtap == 3 (0xe)
 DRLL Dispatching 04.08 message GSM48_MT_CC_CONNECT (0x3:0x7)
 DMNCC transmit message MNCC_SETUP_CNF
   MSC --> MNCC: callref 0x423: MNCC_SETUP_CNF
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_COMMUNICATING
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_BUMP
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: bump: connection still has active transaction: GSM48_PDISC_CC
-DREF MSISDN:42342: MSC conn use - dtap == 1 (0x4)
+DREF MSISDN:42342: MSC conn use - dtap == 2 (0xc)
 DMNCC receive message MNCC_SETUP_COMPL_REQ
 DMSC msc_tx 2 bytes to MSISDN:42342 via RAN_UTRAN_IU
 - DTAP --RAN_UTRAN_IU--> MS: GSM48_MT_CC_CONNECT_ACK: 030f
@@ -650,27 +651,26 @@
 ---
 - Call ends
   MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_CC_DISCONNECT
-DREF MSISDN:42342: MSC conn use + dtap == 2 (0x6)
+DREF MSISDN:42342: MSC conn use + dtap == 3 (0xe)
 DRLL Dispatching 04.08 message GSM48_MT_CC_DISCONNECT (0x3:0x25)
 DMNCC transmit message MNCC_DISC_IND
   MSC --> MNCC: callref 0x423: MNCC_DISC_IND
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_COMMUNICATING
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_BUMP
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: bump: connection still has active transaction: GSM48_PDISC_CC
-DREF MSISDN:42342: MSC conn use - dtap == 1 (0x4)
+DREF MSISDN:42342: MSC conn use - dtap == 2 (0xc)
 DMNCC receive message MNCC_REL_REQ
 DMSC msc_tx 2 bytes to MSISDN:42342 via RAN_UTRAN_IU
 - DTAP --RAN_UTRAN_IU--> MS: GSM48_MT_CC_RELEASE: 032d
 - DTAP matches expected message
   MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_CC_RELEASE_COMPL
-DREF MSISDN:42342: MSC conn use + dtap == 2 (0x6)
+DREF MSISDN:42342: MSC conn use + dtap == 3 (0xe)
 DRLL Dispatching 04.08 message GSM48_MT_CC_RELEASE_COMPL (0x3:0x2a)
 DMNCC transmit message MNCC_REL_CNF
   MSC --> MNCC: callref 0x423: MNCC_REL_CNF
   MS <--Call Release-- MSC: subscr=MSISDN:42342 callref=0x0
 DREF VLR subscr MSISDN:42342 usage decreases to: 2
-DREF MSISDN:42342: MSC conn use error: freeing an unused token: trans_cc
-DREF MSISDN:42342: MSC conn use - trans_cc == 1 (0x6)
+DREF MSISDN:42342: MSC conn use - trans_cc == 2 (0x6)
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_COMMUNICATING
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_BUMP
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: bump: releasing conn
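Review bot: the two removed lines are the clearest record of the defect and would be worth citing in the commit message alongside the ASan trace: in the old output "MSC conn use - trans_cc == 1 (0x6)" the use count has dropped to 1 while the mask 0x6 still carries two token bits, i.e. the count was decremented for a token that was never set. The new line "MSC conn use - trans_cc == 2 (0x6)" has count and mask agreeing again; that count/mask consistency is the property to verify for each of the remaining DREF changes in this file.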
@@ -682,12 +682,12 @@
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_DONE}: Deallocated
 DMM msc_subscr_conn_close(vsub=MSISDN:42342, cause=2): no conn fsm, releasing directly without release event.
 - Iu Release --RAN_UTRAN_IU--> MS
-DREF MSISDN:42342: MSC conn use - fsm == 0 (0x2)
-DRLL subscr MSISDN:42342: Freeing subscriber connection
-DREF VLR subscr MSISDN:42342 usage decreases to: 1
+DREF MSISDN:42342: MSC conn use - fsm == 1 (0x2)
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_RELEASED}: Freeing instance
 DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_RELEASED}: Deallocated
-DREF unknown: MSC conn use - dtap failed: is already 0
+DREF MSISDN:42342: MSC conn use - dtap == 0 (0x0)
+DRLL subscr MSISDN:42342: Freeing subscriber connection
+DREF VLR subscr MSISDN:42342 usage decreases to: 1
   llist_count(&net->subscr_conns) == 0
 DREF freeing VLR subscr MSISDN:42342
 ===== test_call_mt: SUCCESS
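Review bot: the reordering in this hunk explains the crash and the expected output now matches the trace: previously "- fsm == 0 (0x2)" took the count to zero while a token bit was still set, the connection was freed, and the later dtap put ran on the freed object ("DREF unknown: MSC conn use - dtap failed: is already 0", the _msc_subscr_conn_put frame in the AddressSanitizer report). With the fix the connection is only freed after "- dtap == 0 (0x0)", so "Freeing subscriber connection" correctly follows the FSM deallocation. The visible post-condition is llist_count(&net->subscr_conns) == 0; consider also asserting in the test that the use count reaches zero only with a 0x0 mask, so a count/mask mismatch fails the test directly rather than relying on ASan to catch the resulting use-after-free.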

-- 
To view, visit https://gerrit.osmocom.org/4974
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: If0659a878deb383ed0300217e2c41c8c79b2b6a5
Gerrit-PatchSet: 3
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
