Change in libosmocore[master]: gprs_ns2: add recursive anchor to protect against double free

laforge gerrit-no-reply at lists.osmocom.org
Fri Aug 13 09:55:53 UTC 2021


laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/25143 )

Change subject: gprs_ns2: add recursive anchor to protect against double free
......................................................................

gprs_ns2: add recursive anchor to protect against double free

When free'ing a NSE/NSVC/BIND ensure there can't be a double
free by using a free anchor in the struct.

Recursive free's can happen when the NS user reacts on an event
(e.g. GPRS_NS2_AFF_CAUSE_VC_FAILURE) and calls the free().
Or when the user free's a NSVC when the NSE uses SNS as configuration,
the fsm tries to free it again.

Change-Id: If9823aadaa936e136aa43e88cee925ddd5974841
---
M src/gb/gprs_ns2.c
M src/gb/gprs_ns2_internal.h
2 files changed, 20 insertions(+), 5 deletions(-)

Approvals:
  laforge: Looks good to me, approved
  daniel: Looks good to me, but someone else must approve
  Jenkins Builder: Verified



diff --git a/src/gb/gprs_ns2.c b/src/gb/gprs_ns2.c
index fb2965a..45cdfcc 100644
--- a/src/gb/gprs_ns2.c
+++ b/src/gb/gprs_ns2.c
@@ -639,9 +639,9 @@
  *  \param[in] nsvc NS-VC to destroy */
 void gprs_ns2_free_nsvc(struct gprs_ns2_vc *nsvc)
 {
-	if (!nsvc)
+	if (!nsvc || nsvc->freed)
 		return;
-
+	nsvc->freed = true;
 	ns2_prim_status_ind(nsvc->nse, nsvc, 0, GPRS_NS2_AFF_CAUSE_VC_FAILURE);
 
 	llist_del(&nsvc->list);
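Review bot: In gprs_ns2_free_nsvc the blank line after the guard's `return;` was dropped, so `nsvc->freed = true;` now sits directly under it and runs into the ns2_prim_status_ind() call. The NSE and bind hunks keep a blank line between the guard and the assignment; please do the same here. Setting the flag before ns2_prim_status_ind() is the right order, since that indication is where the commit message says the user may call free() again.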
@@ -671,7 +671,7 @@
 {
 	struct gprs_ns2_vc *nsvc, *tmp;
 
-	if (!nse)
+	if (!nse || nse->freed)
 		return;
 
 	llist_for_each_entry_safe(nsvc, tmp, &nse->nsvc, list) {
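Review bot: The new `nse->freed` early return here changes behaviour for any caller that sets the flag first. If this is the helper invoked as gprs_ns2_free_nsvcs(nse) from gprs_ns2_free_nse, that call becomes a no-op once `nse->freed = true` has been set, which would explain the extra loop added further down. Either leave this function without the `freed` check and let the per-NSVC guard in gprs_ns2_free_nsvc do the work, or remove the now-dead call in gprs_ns2_free_nse and say so in the commit message.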
@@ -889,9 +889,11 @@
  *  \param[in] nse NS Entity to destroy */
 void gprs_ns2_free_nse(struct gprs_ns2_nse *nse)
 {
-	if (!nse)
+	struct gprs_ns2_vc *nsvc, *nsvc2;
+	if (!nse || nse->freed)
 		return;
 
+	nse->freed = true;
 	nse->alive = false;
 	if (nse->bss_sns_fi) {
 		osmo_fsm_inst_term(nse->bss_sns_fi, OSMO_FSM_TERM_REQUEST, NULL);
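Review bot: The iterator pair is declared as `*nsvc, *nsvc2` in gprs_ns2_free_nse, while the other free functions touched by this change use `*nsvc, *tmp` for the same llist_for_each_entry_safe pattern. Rename `nsvc2` to `tmp` for consistency and leave a blank line between the declaration and the `if (!nse || nse->freed)` guard.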
@@ -901,6 +903,9 @@
 	gprs_ns2_free_nsvcs(nse);
 	ns2_prim_status_ind(nse, NULL, 0, GPRS_NS2_AFF_CAUSE_FAILURE);
 	rate_ctr_group_free(nse->ctrg);
+	llist_for_each_entry_safe(nsvc, nsvc2, &nse->nsvc, list) {
+		gprs_ns2_free_nsvc(nsvc);
+	}
 
 	llist_del(&nse->list);
 	talloc_free(nse);
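Review bot: The added llist_for_each_entry_safe loop runs after ns2_prim_status_ind(nse, NULL, 0, GPRS_NS2_AFF_CAUSE_FAILURE) and after rate_ctr_group_free(nse->ctrg). Each gprs_ns2_free_nsvc() call in it emits its own GPRS_NS2_AFF_CAUSE_VC_FAILURE indication, so the user sees per-NSVC failures after the NSE-level failure, on an NSE whose counter group is already released. Move the loop above the ns2_prim_status_ind() call, in place of gprs_ns2_free_nsvcs(nse) if that call is now short-circuited by the `nse->freed` guard.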
@@ -1466,9 +1471,10 @@
 {
 	struct gprs_ns2_vc *nsvc, *tmp;
 	struct gprs_ns2_nse *nse;
-	if (!bind)
+	if (!bind || bind->freed)
 		return;
 
+	bind->freed = true;
 	llist_for_each_entry_safe(nsvc, tmp, &bind->nsvc, blist) {
 		gprs_ns2_free_nsvc(nsvc);
 	}
diff --git a/src/gb/gprs_ns2_internal.h b/src/gb/gprs_ns2_internal.h
index db01c2e..95efbae 100644
--- a/src/gb/gprs_ns2_internal.h
+++ b/src/gb/gprs_ns2_internal.h
@@ -215,6 +215,9 @@
 
 	/*! NSE-wide statistics */
 	struct rate_ctr_group *ctrg;
+
+	/*! recursive anchor */
+	bool freed;
 };
 
 /*! Structure representing a single NS-VC */
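Review bot: The `/*! recursive anchor */` comment on `bool freed;` does not say who sets the flag or for how long it can be trusted. The flag lives inside the object that gprs_ns2_free_nse releases with talloc_free(nse), so it only stops nested calls made while the free is still running; a caller that keeps the pointer and calls free again after return is still reading released memory. Suggest documenting that, for example `/*! set at the start of the free function to stop re-entrant frees; not valid after it returns */`, and using the same wording for the NS-VC and bind fields.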
@@ -259,6 +262,9 @@
 	enum gprs_ns2_vc_mode mode;
 
 	struct osmo_fsm_inst *fi;
+
+	/*! recursive anchor */
+	bool freed;
 };
 
 /*! Structure repesenting a bind instance. E.g. IPv4 listen port. */
@@ -303,6 +309,9 @@
 	uint8_t sns_data_weight;
 
 	struct osmo_stat_item_group *statg;
+
+	/*! recursive anchor */
+	bool freed;
 };
 
 struct gprs_ns2_vc_driver {

-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/25143

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: If9823aadaa936e136aa43e88cee925ddd5974841
Gerrit-Change-Number: 25143
Gerrit-PatchSet: 3
Gerrit-Owner: lynxis lazus <lynxis at fe80.eu>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel <dwillmann at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-MessageType: merged
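
The re-entrant free described in the commit message, reduced to a stand-alone C program. This is an added example, not code from the change or from libosmocore; `demo_nse`, `demo_free_nse`, `demo_user_cb` and `demo_run` are hypothetical names, and plain `free()` stands in for talloc.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for an NSE; not a libosmocore type. */
struct demo_nse {
	void (*cb)(struct demo_nse *nse); /* user callback run during teardown */
	bool freed;                       /* recursive anchor */
	int *releases;                    /* how often the release step ran */
	int *guard_hits;                  /* re-entrant calls stopped by the anchor */
};

void demo_free_nse(struct demo_nse *nse)
{
	if (!nse)
		return;
	if (nse->freed) {        /* re-entered from the callback below */
		(*nse->guard_hits)++;
		return;
	}
	nse->freed = true;       /* set before anything that can call back */
	nse->cb(nse);            /* the user may call demo_free_nse() from here */
	(*nse->releases)++;
	free(nse);               /* the flag is gone with the object from here on */
}

/* A user that reacts to the teardown event by freeing the object itself. */
static void demo_user_cb(struct demo_nse *nse)
{
	demo_free_nse(nse);
}

/* One teardown with a re-entering callback; returns releases * 10 + guard hits. */
int demo_run(void)
{
	int releases = 0, hits = 0;
	struct demo_nse *nse = calloc(1, sizeof(*nse));
	if (!nse)
		return -1;
	nse->cb = demo_user_cb;
	nse->releases = &releases;
	nse->guard_hits = &hits;
	demo_free_nse(nse);
	return releases * 10 + hits;
}

int main(void)
{
	return demo_run() == 11 ? 0 : 1;
}
```

The object is released exactly once and the nested call is absorbed by the flag. The flag gives no protection to a caller that reuses the pointer after `demo_free_nse()` has returned.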