This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
laforge gerrit-no-reply at lists.osmocom.orglaforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/25143 ) Change subject: gprs_ns2: add recursive anchor to protect against double free ...................................................................... gprs_ns2: add recursive anchor to protect against double free When free'ing a NSE/NSVC/BIND ensure there can't be a double free by using a free anchor in the struct. Recursive free's can happen when the NS user reacts on an event (e.g. GPRS_NS2_AFF_CAUSE_VC_FAILURE) and calls the free(). Or when the user free's a NSVC when the NSE uses SNS as configuration, the fsm tries to free it again. Change-Id: If9823aadaa936e136aa43e88cee925ddd5974841 --- M src/gb/gprs_ns2.c M src/gb/gprs_ns2_internal.h 2 files changed, 20 insertions(+), 5 deletions(-) Approvals: laforge: Looks good to me, approved daniel: Looks good to me, but someone else must approve Jenkins Builder: Verified diff --git a/src/gb/gprs_ns2.c b/src/gb/gprs_ns2.c index fb2965a..45cdfcc 100644 --- a/src/gb/gprs_ns2.c +++ b/src/gb/gprs_ns2.c @@ -639,9 +639,9 @@ * \param[in] nsvc NS-VC to destroy */ void gprs_ns2_free_nsvc(struct gprs_ns2_vc *nsvc) { - if (!nsvc) + if (!nsvc || nsvc->freed) return; - + nsvc->freed = true; ns2_prim_status_ind(nsvc->nse, nsvc, 0, GPRS_NS2_AFF_CAUSE_VC_FAILURE); llist_del(&nsvc->list); @@ -671,7 +671,7 @@ { struct gprs_ns2_vc *nsvc, *tmp; - if (!nse) + if (!nse || nse->freed) return; llist_for_each_entry_safe(nsvc, tmp, &nse->nsvc, list) { @@ -889,9 +889,11 @@ * \param[in] nse NS Entity to destroy */ void gprs_ns2_free_nse(struct gprs_ns2_nse *nse) { - if (!nse) + struct gprs_ns2_vc *nsvc, *nsvc2; + if (!nse || nse->freed) return; + nse->freed = true; nse->alive = false; if (nse->bss_sns_fi) { osmo_fsm_inst_term(nse->bss_sns_fi, OSMO_FSM_TERM_REQUEST, NULL); @@ -901,6 +903,9 @@ gprs_ns2_free_nsvcs(nse); ns2_prim_status_ind(nse, NULL, 0, GPRS_NS2_AFF_CAUSE_FAILURE); rate_ctr_group_free(nse->ctrg); + llist_for_each_entry_safe(nsvc, nsvc2, &nse->nsvc, list) { + gprs_ns2_free_nsvc(nsvc); + } llist_del(&nse->list); talloc_free(nse); @@ -1466,9 +1471,10 @@ { struct gprs_ns2_vc *nsvc, *tmp; struct gprs_ns2_nse *nse; - if (!bind) + if (!bind || bind->freed) return; + bind->freed = true; llist_for_each_entry_safe(nsvc, tmp, &bind->nsvc, blist) { gprs_ns2_free_nsvc(nsvc); } diff --git a/src/gb/gprs_ns2_internal.h b/src/gb/gprs_ns2_internal.h index db01c2e..95efbae 100644 --- a/src/gb/gprs_ns2_internal.h +++ b/src/gb/gprs_ns2_internal.h @@ -215,6 +215,9 @@ /*! NSE-wide statistics */ struct rate_ctr_group *ctrg; + + /*! recursive anchor */ + bool freed; }; /*! Structure representing a single NS-VC */ @@ -259,6 +262,9 @@ enum gprs_ns2_vc_mode mode; struct osmo_fsm_inst *fi; + + /*! recursive anchor */ + bool freed; }; /*! Structure repesenting a bind instance. E.g. IPv4 listen port. */ @@ -303,6 +309,9 @@ uint8_t sns_data_weight; struct osmo_stat_item_group *statg; + + /*! recursive anchor */ + bool freed; }; struct gprs_ns2_vc_driver { -- To view, visit https://gerrit.osmocom.org/c/libosmocore/+/25143 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmocore Gerrit-Branch: master Gerrit-Change-Id: If9823aadaa936e136aa43e88cee925ddd5974841 Gerrit-Change-Number: 25143 Gerrit-PatchSet: 3 Gerrit-Owner: lynxis lazus <lynxis at fe80.eu> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: daniel <dwillmann at sysmocom.de> Gerrit-Reviewer: laforge <laforge at osmocom.org> Gerrit-MessageType: merged -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20210813/b051e3c1/attachment.htm>