Change in libosmo-sccp[master]: osmo_ss7: remove use-after-free of stream_server after close_cb

laforge gerrit-no-reply at lists.osmocom.org
Thu Jun 25 11:18:54 UTC 2020


laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-sccp/+/19004 )

Change subject: osmo_ss7: remove use-after-free of stream_server after close_cb
......................................................................

osmo_ss7: remove use-after-free of stream_server after close_cb

In I9b3ae6dfcf6efeabb7fb6c33503d1d7924fec2fa we fixed some problems
regarding rapid open/close cycles of inbound M3UA client connections.
Unfortunately the fix now triggered another bug.

xua_srv_conn_closed_cb() is called by libosmo-netif stream code whenever
a connection (socket) is closed.  As the stream_server is de-allocated
right after this call-back, the call-back must make sure to remove
any pending references to the stream_server.

Change-Id: I2464cf524f1f91bfad10ff1861a03bf1461dfed8
Related: OS#4625
---
M src/osmo_ss7.c
1 file changed, 2 insertions(+), 1 deletion(-)

Approvals:
  laforge: Looks good to me, approved; Verified



diff --git a/src/osmo_ss7.c b/src/osmo_ss7.c
index 9aeed9b..cdac27a 100644
--- a/src/osmo_ss7.c
+++ b/src/osmo_ss7.c
@@ -1786,12 +1786,13 @@
 	/* send M-SCTP_RELEASE.ind to Layer Manager */
 	xua_asp_send_xlm_prim_simple(asp, OSMO_XLM_PRIM_M_SCTP_RELEASE, PRIM_OP_INDICATION);
 
+	asp->server = NULL;
+
 	/* if we were dynamically allocated at accept_cb() time, let's
 	 * self-destruct now.  A new connection will re-create the ASP. */
 	if (asp->dyn_allocated) {
 		/* avoid re-entrance via osmo_stream_srv_destroy() which
 		 * called us */
-		asp->server = NULL;
 		osmo_ss7_asp_destroy(asp);
 	}
 
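Review bot: The comment "avoid re-entrance via osmo_stream_srv_destroy() which called us" is left inside the `if (asp->dyn_allocated)` block, but the `asp->server = NULL;` assignment it explained now sits above the block without any comment. As it stands, the comment reads as if it described `osmo_ss7_asp_destroy(asp);`, and nothing at the new assignment says why the pointer is cleared for every ASP. Move the comment up to the new `asp->server = NULL;` line and extend it with the reason given in the commit message: the stream_server is de-allocated right after this call-back returns, so an ASP that is not dynamically allocated would otherwise keep a dangling `asp->server`.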

-- 
To view, visit https://gerrit.osmocom.org/c/libosmo-sccp/+/19004

Gerrit-Project: libosmo-sccp
Gerrit-Branch: master
Gerrit-Change-Id: I2464cf524f1f91bfad10ff1861a03bf1461dfed8
Gerrit-Change-Number: 19004
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-CC: Jenkins Builder
Gerrit-MessageType: merged