Change in osmocom-bb[master]: mobile/gsm322.c: fix heap-use-after-free in gsm322_unselect_cell()

historical

Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/13855 )

Change subject: mobile/gsm322.c: fix heap-use-after-free in gsm322_unselect_cell()
......................................................................

mobile/gsm322.c: fix heap-use-after-free in gsm322_unselect_cell()

In gsm322_l1_signal(), if S_L1CTL_FBSB_ERR is received, we free
stored System Information of the current cell, but cs->si may
still point to it. Let's set it to NULL.

Found with AddressSanitizer:

  DL1C ERROR l1ctl.c:96 FBSB RESP: result=255
  DCS INFO gsm322.c:2995 Channel sync error, try again
  DCS INFO gsm322.c:467 Sync to ARFCN=860(DCS) rxlev=-106
  DRR INFO gsm48_rr.c:665 MON: no cell info
  DRR INFO gsm48_rr.c:665 MON: no cell info
  DRR INFO gsm48_rr.c:665 MON: no cell info
  DRR INFO gsm48_rr.c:665 MON: no cell info
  DL1C ERROR l1ctl.c:96 FBSB RESP: result=255
  DCS INFO gsm322.c:3008 Channel sync error.
  DCS DEBUG gsm322.c:3013 free sysinfo ARFCN=860(DCS)
  DCS INFO gsm322.c:3020 Unselect cell due to sync error!
  DCS INFO gsm322.c:509 Unselecting serving cell.
  =================================================================
  ==6014==ERROR: AddressSanitizer: heap-use-after-free on address
                 0x61b0000000e6 at pc 0x00000050d6dd
		 bp 0x7fff7f84aa60 sp 0x7fff7f84aa58

Change-Id: I9cc526c18d69695d810de98703579818408de011
---
M src/host/layer23/src/mobile/gsm322.c
1 file changed, 2 insertions(+), 0 deletions(-)

Approvals:
  Jenkins Builder: Verified
  Harald Welte: Looks good to me, approved

diff --git a/src/host/layer23/src/mobile/gsm322.c b/src/host/layer23/src/mobile/gsm322.c
index 7da63e3..bfe6329 100644
--- a/src/host/layer23/src/mobile/gsm322.c
+++ b/src/host/layer23/src/mobile/gsm322.c
@@ -3011,6 +3011,8 @@
 			cs->list[cs->arfci].flags &= ~GSM322_CS_FLAG_SYSINFO;
 			LOGP(DCS, LOGL_DEBUG, "free sysinfo ARFCN=%s\n",
 				gsm_print_arfcn(index2arfcn(cs->arfci)));
+			if (cs->si == cs->list[cs->arfci].sysinfo)
+				cs->si = NULL;
 			talloc_free(cs->list[cs->arfci].sysinfo);
 			cs->list[cs->arfci].sysinfo = NULL;
 

-- 
To view, visit https://gerrit.osmocom.org/13855
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I9cc526c18d69695d810de98703579818408de011
Gerrit-Change-Number: 13855
Gerrit-PatchSet: 1
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder (1000002)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190502/ecfcb427/attachment.htm>
