Change in osmocom-bb[master]: mobile/gsm322: fix use-after-free of cs->si reported by ASan

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

laforge gerrit-no-reply at lists.osmocom.org
Sun Mar 1 19:19:21 UTC 2020 

laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmocom-bb/+/17302 )

Change subject: mobile/gsm322: fix use-after-free of cs->si reported by ASan
......................................................................

mobile/gsm322: fix use-after-free of cs->si reported by ASan

This pointer cs->si stores an address to the System Information of
a currently selected cell. When we release System Information,
ensure that it does not point to free()d memory.

Change-Id: Ife2ddf7274a48447a9ded9035f9dd01befaf2e6c
---
M src/host/layer23/src/mobile/gsm322.c
1 file changed, 7 insertions(+), 0 deletions(-)

Approvals:
  Jenkins Builder: Verified
  pespin: Looks good to me, but someone else must approve
  laforge: Looks good to me, approved



diff --git a/src/host/layer23/src/mobile/gsm322.c b/src/host/layer23/src/mobile/gsm322.c
index ddb3a77..cc4f0cd 100644
--- a/src/host/layer23/src/mobile/gsm322.c
+++ b/src/host/layer23/src/mobile/gsm322.c
@@ -2635,6 +2635,8 @@
 			if (cs->list[cs->arfci].sysinfo) {
 				LOGP(DCS, LOGL_DEBUG, "free sysinfo arfcn=%s\n",
 					gsm_print_arfcn(cs->arfcn));
+				if (cs->si == cs->list[cs->arfci].sysinfo)
+					cs->si = NULL;
 				talloc_free(cs->list[cs->arfci].sysinfo);
 				cs->list[cs->arfci].sysinfo = NULL;
 			}
@@ -2752,6 +2754,8 @@
 	if (cs->list[cs->arfci].sysinfo) {
 		LOGP(DCS, LOGL_DEBUG, "free sysinfo arfcn=%s\n",
 			gsm_print_arfcn(cs->arfcn));
+		if (cs->si == cs->list[cs->arfci].sysinfo)
+			cs->si = NULL;
 		talloc_free(cs->list[cs->arfci].sysinfo);
 		cs->list[cs->arfci].sysinfo = NULL;
 	}
@@ -2919,6 +2923,8 @@
 			cs->list[i].flags &= ~GSM322_CS_FLAG_SYSINFO;
 			LOGP(DCS, LOGL_DEBUG, "free sysinfo ARFCN=%s\n",
 				gsm_print_arfcn(index2arfcn(i)));
+			if (cs->si == cs->list[i].sysinfo)
+				cs->si = NULL;
 			talloc_free(cs->list[i].sysinfo);
 			cs->list[i].sysinfo = NULL;
 		}
@@ -5145,6 +5151,7 @@
 				gsm_print_arfcn(index2arfcn(i)));
 			talloc_free(cs->list[i].sysinfo);
 			cs->list[i].sysinfo = NULL;
+			cs->si = NULL;
 		}
 		cs->list[i].flags = 0;
 	}

-- 
To view, visit https://gerrit.osmocom.org/c/osmocom-bb/+/17302
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-Change-Id: Ife2ddf7274a48447a9ded9035f9dd01befaf2e6c
Gerrit-Change-Number: 17302
Gerrit-PatchSet: 1
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200301/6655fa69/attachment.htm>

More information about the gerrit-log mailing list