Change in osmo-pcu[master]: pdch: Fix heap-use-after-free in pdch->ulc

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

pespin gerrit-no-reply at lists.osmocom.org
Thu Jul 1 11:09:14 UTC 2021


Hello Jenkins Builder, laforge, fixeria, 

I'd like you to reexamine a change. Please visit

    https://gerrit.osmocom.org/c/osmo-pcu/+/24812

to look at the new patch set (#2).

Change subject: pdch: Fix heap-use-after-free in pdch->ulc
......................................................................

pdch: Fix heap-use-after-free in pdch->ulc

In existing previous code, pdch->ulc would be freed in
gprs_rlcmac_pdch::free_resources() when  it became disabled as per PCUIF
info_ind (for instance, when a DYN TS is switched PDCH->SDCCH8).
However, pdch->ulc was so far only allocated during pdch_init, which is
only called during bts_alloc() time.
Hence, after first info_ind disabling it, if it became again enabled
(again by info_ind re-enabling it after SDCCH8 was not longer in use),
the pdch->ulc would be used again but it would point to freed memory.

Let's rearrange how/when resources are freed to make it more logical.
With this patch, pdch internal resources are freed upon ->disable(), and
re-allocated upon ->enable().

Change-Id: Id51f5f6a54ac9f24b784c17bc360ac38f5726fc7
---
M src/osmobts_sock.c
M src/pcu_l1_if.cpp
M src/pdch.cpp
M src/pdch.h
M tests/tbf/TbfTest.cpp
M tests/ulc/PdchUlcTest.cpp
6 files changed, 36 insertions(+), 19 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/12/24812/2
-- 
To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/24812
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-Change-Id: Id51f5f6a54ac9f24b784c17bc360ac38f5726fc7
Gerrit-Change-Number: 24812
Gerrit-PatchSet: 2
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-MessageType: newpatchset
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20210701/2af2e3b5/attachment.htm>


More information about the gerrit-log mailing list