This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
neels gerrit-no-reply at lists.osmocom.org

neels has submitted this change. ( https://gerrit.osmocom.org/c/osmo-mgw/+/15839 )

Change subject: fix use-after-free: require new fsm deferred dealloc, check for term
......................................................................

fix use-after-free: require new fsm deferred dealloc, check for term

API doc: require osmo_fsm_set_dealloc_ctx().

mgcp_client during delete: do not reparent the FSM when it is already terminating.

I have recently discovered a vulnerability: if an endpoint FSM deallocates during event handling of a successful MGCP response, this causes a use-after-free; and once that is fixed, a state change on the already terminated FSM causes a pointer corruption by using already cleaned data structures. osmo_fsm_set_dealloc_ctx() fixes the use-after-free, and osmo_fsm_set_term_stops_actions() fixes the pointer corruption.

Related: Ib7fce7b7d54dfb87af97544796680919e5929a50 (osmo-bsc), I08c03946605aa12e0a5ce8b3c773704ef5327a7a (osmo-msc)
Depends: Ief4dba9ea587c9b4aea69993e965fbb20fb80e78 (libosmocore), I0adc13a1a998e953b6c850efa2761350dd07e03a (libosmocore)
Change-Id: I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3
---
M src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
M src/libosmo-mgcp-client/mgcp_client_fsm.c
2 files changed, 6 insertions(+), 0 deletions(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, but someone else must approve
  pespin: Looks good to me, but someone else must approve
  fixeria: Looks good to me, but someone else must approve
  neels: Looks good to me, approved

diff --git a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
index 2259788..ef4da17 100644
--- a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
+++ b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
@@ -255,6 +255,9 @@ * MGCP messages to set up the endpoint will be sent on the given mgcp_client, as soon as the first * osmo_mgcpc_ep_ci_request() is invoked. * + * IMPORTANT: To avoid use-after-free problems, using this FSM requires use of deferred FSM deallocation using + * osmo_fsm_set_dealloc_ctx(), e.g. using osmo_select_main_ctx(OTC_SELECT) with osmo_select_main_ctx() as main loop. + * * A typical sequence of events would be: * * ep = osmo_mgcpc_ep_alloc(..., mgcp_client_rtpbridge_wildcard(client)); diff --git a/src/libosmo-mgcp-client/mgcp_client_fsm.c b/src/libosmo-mgcp-client/mgcp_client_fsm.c index 7565d32..800ae1b 100644 --- a/src/libosmo-mgcp-client/mgcp_client_fsm.c +++ b/src/libosmo-mgcp-client/mgcp_client_fsm.c @@ -708,6 +708,9 @@ OSMO_ASSERT(mgcp_ctx); + if (fi->proc.terminating) + return; + /* Unlink FSM from parent */ osmo_fsm_inst_unlink_parent(fi, NULL); -- To view, visit https://gerrit.osmocom.org/c/osmo-mgw/+/15839 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-mgw Gerrit-Branch: master Gerrit-Change-Id: I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3 Gerrit-Change-Number: 15839 Gerrit-PatchSet: 3 Gerrit-Owner: neels <nhofmeyr at sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <axilirator at gmail.com> Gerrit-Reviewer: laforge <laforge at osmocom.org> Gerrit-Reviewer: neels <nhofmeyr at sysmocom.de> Gerrit-Reviewer: pespin <pespin at sysmocom.de> Gerrit-MessageType: merged -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20191124/15a5e06b/attachment.htm>
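Review bot: the example in the new IMPORTANT comment in mgcp_client_endpoint_fsm.c (hunk @@ -255) names the wrong function: "osmo_select_main_ctx(OTC_SELECT) with osmo_select_main_ctx() as main loop" repeats osmo_select_main_ctx() twice, while the sentence before it says the required call is osmo_fsm_set_dealloc_ctx(). It should read "e.g. osmo_fsm_set_dealloc_ctx(OTC_SELECT) when osmo_select_main_ctx() is used as the main loop", otherwise a reader copying the example will not actually enable deferred deallocation and keeps the use-after-free the commit message describes. Since this is a documentation-only requirement, it is also worth stating in the same comment what happens when it is not met (FSM freed during event handling of a successful MGCP response), so callers understand why it is mandatory rather than a suggestion.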
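Review bot: the early return on fi->proc.terminating in mgcp_client_fsm.c (hunk @@ -708) has no comment and no log line, so nothing in the code says why a terminating FSM must not be unlinked from its parent; the reason is only in the commit message ("do not reparent the FSM when it is already terminating"). Add a one-line comment above the check, e.g. "/* FSM is already terminating; it must not be re-parented (see Change-Id above) */", and consider a LOGPFSML() at debug level so the skipped path is visible when diagnosing the corruption this change addresses. Also confirm that everything after osmo_fsm_inst_unlink_parent() in this function is safe to skip entirely for a terminating instance; the hunk only shows the unlink, so any later cleanup in that function is now bypassed too.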