VTY Crash due an assumption we are breaking
Holger Hans Peter Freyther
holger at freyther.de
Tue Aug 10 20:24:35 UTC 2010
I was debugging a crash with the VTY and I am not fully understanding it but I
can easily reproduce it. The problem is triggered with the new VTY OML code
and here is what I know.
1.) we move from ENABLE_NODE to the OML node. and allocate memory
2.) when exiting the node we will free the data at vty->index.. and
set the pointer to NULL.
But I can easily produce a double free issue and this seems to be due.
1.) saves the vty->index to oindex and vty->node to onode
2.) tries calling vty_go_parent or such...
3.) tries more stuff...
4.) as stuff failed resets vty->index to oindex...
so the next exit command will do a double free... and the funny part is that
the code has one assumption everything > CONFIG_NODE is considered to be
config as well. This means that we should have two enum values in libosmovty,
one for Last_Enable, one for Last_Config and have enough space between them.
And the other part... maybe vty_go_parent should return CMD_SUCCESS?
 ./script | telnet localhost 4242 and see the bsc_hack/bsc_msc_io crash
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
More information about the OpenBSC