This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
laforge gerrit-no-reply at lists.osmocom.org

laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/21831 )
Change subject: lapd_core: Don't dereference data link after sending PRIM_DL_REL
......................................................................
lapd_core: Don't dereference data link after sending PRIM_DL_REL
We must always send the RELEASE.{indication,confirm} last before
returning from a function. We cannot rely on the datalink to
still be around after the call, as the SAP user might have destroyed
the data link meanwhile.
This fixes a heap use-after-free (at least) with RBS2000 when the BTS
is fully brought up and the OML data link is lost, see OS#1762.
Change-Id: I8ccca8d5e5d07b666557afe12ab8ac4910ddfb00
Related: OS#1761
Related: OS#1762
---
M src/gsm/lapd_core.c
1 file changed, 4 insertions(+), 5 deletions(-)
Approvals:
Jenkins Builder: Verified
laforge: Looks good to me, approved
diff --git a/src/gsm/lapd_core.c b/src/gsm/lapd_core.c
index ed0b320..e0c232f 100644
--- a/src/gsm/lapd_core.c
+++ b/src/gsm/lapd_core.c
@@ -624,8 +624,6 @@
if (dl->retrans_ctr >= dl->n200_est_rel + 1) {
/* send MDL ERROR INIDCATION to L3 */
mdl_error(MDL_CAUSE_T200_EXPIRED, &dl->lctx);
- /* send RELEASE INDICATION to L3 */
- send_dl_simple(PRIM_DL_REL, PRIM_OP_CONFIRM, &dl->lctx);
/* flush tx and send buffers */
lapd_dl_flush_tx(dl);
lapd_dl_flush_send(dl);
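Review bot: Removing the RELEASE primitive from this spot is the right half of the fix, since the lines that follow it (lapd_dl_flush_tx(dl), lapd_dl_flush_send(dl)) dereference dl after the SAP user may already have freed it in its PRIM_DL_REL handler. Worth fixing while touching this block: the pre-existing comment on the preceding line reads "INIDCATION" instead of "INDICATION".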
@@ -634,6 +632,8 @@
/* NOTE: we must not change any other states or buffers
* and queues, since we may reconnect after handover
* failure. the buffered messages is replaced there */
+ /* send RELEASE INDICATION to L3 */
+ send_dl_simple(PRIM_DL_REL, PRIM_OP_CONFIRM, &dl->lctx);
break;
}
/* retransmit DISC command */
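Review bot: The moved comment still says "send RELEASE INDICATION to L3" while the call passes PRIM_OP_CONFIRM, so the comment and the primitive operation disagree; either adjust the comment to "RELEASE CONFIRM" or confirm the intended op. The placement itself looks correct, with the send now being the last statement before break, but the hunk does not show what follows the switch in this function, so please double-check that no statement after the switch touches dl on this path.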
@@ -1230,13 +1230,12 @@
|| !!memcmp(dl->tx_hist[0].msg->data, msg->l3h,
length)) {
LOGDL(dl, LOGL_INFO, "**** UA response mismatches ****\n");
- rc = send_dl_simple(PRIM_DL_REL,
- PRIM_OP_INDICATION, lctx);
- msgb_free(msg);
/* go to idle state */
lapd_dl_flush_tx(dl);
lapd_dl_flush_send(dl);
lapd_dl_newstate(dl, LAPD_STATE_IDLE);
+ rc = send_dl_simple(PRIM_DL_REL, PRIM_OP_INDICATION, lctx);
+ msgb_free(msg);
return 0;
}
}
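Review bot: rc is assigned from send_dl_simple() on the moved line but the function immediately does return 0, so the value is discarded; either return rc or drop the assignment to avoid an unused-result. The reordering itself is correct: lapd_dl_flush_tx(dl), lapd_dl_flush_send(dl) and lapd_dl_newstate(dl, LAPD_STATE_IDLE) now all run before the SAP user is given a chance to destroy dl, and msgb_free(msg) after the send is fine because msg is the received frame, not owned by dl.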
--
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/21831
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I8ccca8d5e5d07b666557afe12ab8ac4910ddfb00
Gerrit-Change-Number: 21831
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-MessageType: merged