Change in libosmocore[master]: ns2_fr: Fix null pointer deref in error path

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

laforge gerrit-no-reply at lists.osmocom.org
Thu Feb 11 15:08:00 UTC 2021


laforge has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmocore/+/22849 )


Change subject: ns2_fr: Fix null pointer deref in error path
......................................................................

ns2_fr: Fix null pointer deref in error path

The following happens if osmo-gbproxy is started without CAP_NET_RAW:

<0026> gprs_ns2_fr.c:515 BIND(hdlcnet1) Can not create AF_PACKET socket. Are you root or have CAP_NET_RAW?
gprs_ns2_fr.c:176:2: runtime error: member access within null pointer of type 'struct msgb' AddressSanitizer:DEADLYSIGNAL

the second line is free_bind() iterating over the backlog while
destroying the not-yet-fully-initialized bind.

Let's make sure the backlog llist_head is always initialized properly.

Change-Id: I4d2fa50955c5897cd469fee68d4ddc65a9f5688f
---
M src/gb/gprs_ns2_fr.c
1 file changed, 1 insertion(+), 1 deletion(-)
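As an added illustration of the ordering problem the commit message describes (example code written for this page, not libosmocore's own; the list helpers, struct bind_priv, bind_create(), free_bind() and open_socket_stub() are hypothetical stand-ins for the real gprs_ns2_fr.c code), the following shows a destructor walking a backlog list whose head was zero-allocated but never initialised. The real free_bind() dereferenced the NULL next pointer; here the zeroed head is detected and reported as -1 so the two orderings can be compared without a crash:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal linux/list.h-style intrusive list, standing in for libosmocore's llist. */
struct llist_head { struct llist_head *next, *prev; };

static void INIT_LLIST_HEAD(struct llist_head *h) { h->next = h; h->prev = h; }

static void llist_add_tail(struct llist_head *n, struct llist_head *h)
{
	n->next = h;
	n->prev = h->prev;
	h->prev->next = n;
	h->prev = n;
}

#define MSGB_DATA_LEN 16
/* Hypothetical stand-ins for the real msgb and the FR bind's private state. */
struct msgb { struct llist_head list; unsigned char data[MSGB_DATA_LEN]; };

struct bind_priv {
	char netif[16];
	struct { struct llist_head list; unsigned int retry_us; } backlog;
	int fd;
};

/* Stand-in for open_socket(): AF_PACKET needs CAP_NET_RAW, so fail without it. */
static int open_socket_stub(int have_cap_net_raw) { return have_cap_net_raw ? 3 : -1; }

/* Destructor that walks the backlog, as free_bind() does.  A zeroed (talloc_zero/calloc)
 * head has next == NULL; the original code dereferenced it.  Here that case is detected
 * and reported as -1.  On a properly initialised list, returns the number of msgb freed. */
static int free_bind(struct bind_priv *priv)
{
	struct llist_head *pos, *tmp;
	int n = 0;

	if (!priv->backlog.list.next) {
		free(priv);
		return -1;
	}
	for (pos = priv->backlog.list.next; pos != &priv->backlog.list; pos = tmp) {
		tmp = pos->next;
		free((struct msgb *)pos);	/* list is the first member of struct msgb */
		n++;
	}
	free(priv);
	return n;
}

/* Creates a bind.  init_early selects the patched ordering (head initialised before the
 * first error exit) or the original one (initialised only after open_socket() succeeded).
 * On failure the err_fr path runs free_bind() and its result is stored in *cleanup_rc. */
static struct bind_priv *bind_create(int init_early, int have_cap_net_raw, int *cleanup_rc)
{
	struct bind_priv *priv = calloc(1, sizeof(*priv));	/* like talloc_zero() */

	*cleanup_rc = 0;
	if (!priv)
		return NULL;
	if (init_early)
		INIT_LLIST_HEAD(&priv->backlog.list);		/* the fix */
	strncpy(priv->netif, "hdlcnet1", sizeof(priv->netif) - 1);
	priv->fd = open_socket_stub(have_cap_net_raw);
	if (priv->fd < 0) {
		*cleanup_rc = free_bind(priv);			/* goto err_fr */
		return NULL;
	}
	if (!init_early)
		INIT_LLIST_HEAD(&priv->backlog.list);		/* original position: too late */
	priv->backlog.retry_us = 2500;
	return priv;
}

/* Queue one frame on the backlog. */
static int backlog_enqueue(struct bind_priv *priv, const unsigned char *d, size_t len)
{
	struct msgb *m;

	if (len > MSGB_DATA_LEN || !(m = calloc(1, sizeof(*m))))
		return -1;
	memcpy(m->data, d, len);
	llist_add_tail(&m->list, &priv->backlog.list);
	return 0;
}

/* free_bind()'s result when open_socket_stub() fails under the given ordering. */
static int error_path_rc(int init_early)
{
	int rc;
	bind_create(init_early, 0, &rc);
	return rc;
}

/* Success path with the patched ordering: queue nframes constructed frames, then destroy. */
static int success_path_count(unsigned int nframes)
{
	static const unsigned char frame[] = { 0x03, 0xc1, 0x00, 0x00 };	/* constructed */
	int rc;
	struct bind_priv *b = bind_create(1, 1, &rc);

	if (!b)
		return -1;
	while (nframes--)
		if (backlog_enqueue(b, frame, sizeof(frame)) < 0)
			break;
	return free_bind(b);
}

int main(void)
{
	printf("original ordering, no CAP_NET_RAW: rc=%d (uninitialised head)\n", error_path_rc(0));
	printf("patched ordering,  no CAP_NET_RAW: rc=%d (empty list)\n", error_path_rc(1));
	printf("patched ordering,  success path:   freed %d msgb\n", success_path_count(2));
	return 0;
}
```

The point the example makes is that any state a destructor walks must be initialised before the first `goto` that reaches that destructor, not merely before its first normal use; a zero-filled allocation is not a valid empty list.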



  git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/49/22849/1

diff --git a/src/gb/gprs_ns2_fr.c b/src/gb/gprs_ns2_fr.c
index 93b7759..2df5986 100644
--- a/src/gb/gprs_ns2_fr.c
+++ b/src/gb/gprs_ns2_fr.c
@@ -807,6 +807,7 @@
 		goto err_bind;
 	}
 
+	INIT_LLIST_HEAD(&priv->backlog.list);
 	OSMO_STRLCPY_ARRAY(priv->netif, netif);
 
 	/* FIXME: move fd handling into socket.c */
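Review bot: the INIT_LLIST_HEAD() now sits below the `goto err_bind` at the top of this hunk, so if the err_bind label also ends in free_bind() and its backlog iteration, that path still sees a zeroed head; either confirm err_bind never reaches free_bind(), or move the initialisation to immediately after priv is allocated so every error label is covered. A one-line comment at the new location (e.g. "must precede the first goto err_fr, free_bind() walks this list") would keep a later refactor from moving it back below open_socket().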
@@ -836,7 +837,6 @@
 	rc = open_socket(priv->ifindex, bind);
 	if (rc < 0)
 		goto err_fr;
-	INIT_LLIST_HEAD(&priv->backlog.list);
 	priv->backlog.retry_us = 2500; /* start with some non-zero value; this corrsponds to 496 bytes */
 	osmo_timer_setup(&priv->backlog.timer, fr_backlog_timer_cb, bind);
 	osmo_fd_setup(&priv->backlog.ofd, rc, OSMO_FD_READ, fr_netif_ofd_cb, bind, 0);
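Review bot: with the list init moved up, the setup that remains after open_socket() (retry_us, osmo_timer_setup(), osmo_fd_setup()) still runs only on success, so free_bind() on the err_fr path now operates on a bind whose backlog timer and ofd were never set up; it is worth confirming that free_bind() tolerates that (the timer and fd structs are still zeroed at that point) or skips them, since it is the same "destroying a not-yet-fully-initialized bind" situation the commit message describes. The unchanged context line also reads "corrsponds", which could be fixed to "corresponds" while this area is being touched.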

-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/22849
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I4d2fa50955c5897cd469fee68d4ddc65a9f5688f
Gerrit-Change-Number: 22849
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-MessageType: newchange