VTY Crash due an assumption we are breaking

Holger Hans Peter Freyther holger at freyther.de
Tue Aug 10 20:24:35 UTC 2010


Hi all,
I was debugging a crash with the VTY and I am not fully understanding it but I
can easily reproduce it. The problem is triggered with the new VTY OML code
and here is what I know.

1.) we move from ENABLE_NODE to the OML node. and allocate memory
2.) when exiting the node we will free the data at vty->index.. and
    set the pointer to NULL.

But I can easily produce a double free issue and this seems to be due.

cmd_execute_command:
	1.) saves the vty->index to oindex and vty->node to onode
	2.) tries calling vty_go_parent or such...
	3.) tries more stuff...
	4.) as stuff failed resets vty->index to oindex...

so the next exit command will do a double free... and the funny part is that
the code has one assumption everything > CONFIG_NODE is considered to be
config as well. This means that we should have two enum values in libosmovty,
one for Last_Enable, one for Last_Config and have enough space between them.
And the other part... maybe vty_go_parent should return CMD_SUCCESS?

thoughts?



[1] ./script | telnet localhost 4242 and see the bsc_hack/bsc_msc_io crash
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: script
URL: <http://lists.osmocom.org/pipermail/openbsc/attachments/20100811/7e536bf0/attachment.ksh>


More information about the OpenBSC mailing list