[MERGED] osmo-msc[master]: a_iface: Fix heap-use-after-free in a_clear_all()

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Sat Feb 10 09:59:17 UTC 2018 

Harald Welte has submitted this change and it was merged.

Change subject: a_iface: Fix heap-use-after-free in a_clear_all()
......................................................................


a_iface: Fix heap-use-after-free in a_clear_all()

We cannot use conn->a.conn_id after conn has been free'd inside
msc_clear_request().  Let's store conn_id before that call to
ensure we avoid an use-after-free situation.

A more elegant (but more intrusive) solution would be to
move the SCCP connection clearing into the FSM itself.

Change-Id: Ibe41aa503e9f7cbeb05dce4b1a20b3eac85e619f
Closes: OS#2922
---
M src/libmsc/a_iface.c
1 file changed, 5 insertions(+), 3 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/libmsc/a_iface.c b/src/libmsc/a_iface.c
index b769b0a..3983ede 100644
--- a/src/libmsc/a_iface.c
+++ b/src/libmsc/a_iface.c
@@ -605,14 +605,16 @@
 		/* Clear only A connections and connections that actually
 		 * belong to the specified BSC */
 		if (conn->via_ran == RAN_GERAN_A && memcmp(bsc_addr, &conn->a.bsc_addr, sizeof(conn->a.bsc_addr)) == 0) {
+			uint32_t conn_id = conn->a.conn_id;
 			LOGPCONN(conn, LOGL_NOTICE, "Dropping orphaned subscriber connection\n");
+			/* This call will/may talloc_free(conn), so we must save conn_id above */
 			msc_clear_request(conn, GSM48_CC_CAUSE_SWITCH_CONG);
 
 			/* If there is still an SCCP connection active, remove it now */
-			if (check_connection_active(conn->a.conn_id)) {
-				osmo_sccp_tx_disconn(scu, conn->a.conn_id, bsc_addr,
+			if (check_connection_active(conn_id)) {
+				osmo_sccp_tx_disconn(scu, conn_id, bsc_addr,
 						     SCCP_RELEASE_CAUSE_END_USER_ORIGINATED);
-				a_delete_bsc_con(conn->a.conn_id);
+				a_delete_bsc_con(conn_id);
 			}
 		}
 	}

-- 
To view, visit https://gerrit.osmocom.org/6359
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibe41aa503e9f7cbeb05dce4b1a20b3eac85e619f
Gerrit-PatchSet: 1
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: dexter <pmaier at sysmocom.de>

More information about the gerrit-log mailing list