This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.orgHarald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/9263 ) Change subject: ipaccess: Avoid using released line and bfd in ipaccess_fd_cb ...................................................................... ipaccess: Avoid using released line and bfd in ipaccess_fd_cb Related: OS#3282 Change-Id: I52faa9e6717137a7dab9c4e006eaa50b7367fc3e --- M src/input/ipaccess.c 1 file changed, 11 insertions(+), 17 deletions(-) Approvals: Jenkins Builder: Verified Harald Welte: Looks good to me, approved diff --git a/src/input/ipaccess.c b/src/input/ipaccess.c index 5fd9ec3..23eeda6 100644 --- a/src/input/ipaccess.c +++ b/src/input/ipaccess.c @@ -84,6 +84,8 @@ return ret; } +/* Returns -1 on error, and 0 or 1 on success. If -1 or 1 is returned, line has + * been released and should not be used anymore by the caller. */ static int ipaccess_rcvmsg(struct e1inp_line *line, struct msgb *msg, struct osmo_fd *bfd) { @@ -123,13 +125,11 @@ if (ret < 0) { LOGP(DLINP, LOGL_ERROR, "IPA response message " "with malformed TLVs\n"); - ret = -EINVAL; goto err; } if (!TLVP_PRESENT(&tlvp, IPAC_IDTAG_UNIT)) { LOGP(DLINP, LOGL_ERROR, "IPA response message " "without unit ID\n"); - ret = -EINVAL; goto err; } @@ -137,7 +137,6 @@ if (len < 1) { LOGP(DLINP, LOGL_ERROR, "IPA response message " "with too small unit ID\n"); - ret = -EINVAL; goto err; } unitid = (char *) TLVP_VAL(&tlvp, IPAC_IDTAG_UNIT); @@ -147,7 +146,6 @@ if (!line->ops->sign_link_up) { LOGP(DLINP, LOGL_ERROR, "Unable to set signal link, closing socket.\n"); - ret = -EINVAL; goto err; } /* the BSC creates the new sign links at this stage. */ @@ -159,7 +157,6 @@ LOGP(DLINP, LOGL_ERROR, "Unable to set signal link, " "closing socket.\n"); - ret = -EINVAL; goto err; } } else if (bfd->priv_nr == E1INP_SIGN_RSL) { @@ -174,7 +171,6 @@ LOGP(DLINP, LOGL_ERROR, "Unable to set signal link, " "closing socket.\n"); - ret = -EINVAL; goto err; } /* this is a bugtrap, the BSC should be using the @@ -209,11 +205,11 @@ } /* now we can release the dummy RSL line. */ e1inp_line_put(line); + return 1; } break; default: LOGP(DLINP, LOGL_ERROR, "Unknown IPA message type\n"); - ret = -EINVAL; goto err; } return 0; @@ -222,9 +218,10 @@ close(bfd->fd); bfd->fd = -1; e1inp_line_put(line); - return ret; + return -1; } +/* Returns -EBADF if bfd cannot be used by the caller anymore after return. */ static int handle_ts1_read(struct osmo_fd *bfd) { struct e1inp_line *line = bfd->data; @@ -250,23 +247,21 @@ hh = (struct ipaccess_head *) msg->data; if (hh->proto == IPAC_PROTO_IPACCESS) { - ipaccess_rcvmsg(line, msg, bfd); + ret = ipaccess_rcvmsg(line, msg, bfd); + /* BIG FAT WARNING: bfd might no longer exist here (ret != 0), + * since ipaccess_rcvmsg() might have free'd it !!! */ msgb_free(msg); - return 0; + return ret != 0 ? -EBADF : 0; } else if (e1i_ts->type == E1INP_TS_TYPE_NONE) { /* this sign link is not know yet.. complain. */ LOGP(DLINP, LOGL_ERROR, "Timeslot is not configured.\n"); - ret = -EINVAL; goto err_msg; } - /* BIG FAT WARNING: bfd might no longer exist here, since ipaccess_rcvmsg() - * might have free'd it !!! */ link = e1inp_lookup_sign_link(e1i_ts, hh->proto, 0); if (!link) { LOGP(DLINP, LOGL_ERROR, "no matching signalling link for " "hh->proto=0x%02x\n", hh->proto); - ret = -EINVAL; goto err_msg; } msg->dst = link; @@ -275,7 +270,6 @@ if (!e1i_ts->line->ops->sign_link) { LOGP(DLINP, LOGL_ERROR, "Fix your application, " "no action set for signalling messages.\n"); - ret = -EINVAL; goto err_msg; } rc = e1i_ts->line->ops->sign_link(msg); @@ -293,7 +287,7 @@ msgb_free(msg); err: ipaccess_drop(bfd, line); - return ret; + return -EBADF; } static int ts_want_write(struct e1inp_ts *e1i_ts) @@ -394,7 +388,7 @@ if (what & BSC_FD_READ) rc = handle_ts1_read(bfd); - if (what & BSC_FD_WRITE) + if (rc != -EBADF && (what & BSC_FD_WRITE)) rc = handle_ts1_write(bfd); return rc; -- To view, visit https://gerrit.osmocom.org/9263 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I52faa9e6717137a7dab9c4e006eaa50b7367fc3e Gerrit-Change-Number: 9263 Gerrit-PatchSet: 2 Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de> Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: Stefan Sperling <ssperling at sysmocom.de> -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20180523/a711a0d4/attachment.htm>