[PATCH net 0/4] gtp: fix several bugs in gtp module

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/osmocom-net-gprs@lists.osmocom.org/.

Jakub Kicinski jakub.kicinski at netronome.com
Sun Dec 15 01:21:31 UTC 2019


On Wed, 11 Dec 2019 08:22:43 +0000, Taehee Yoo wrote:
> This patchset fixes several bugs in the GTP module.
> 
> 1. Do not allow adding duplicate TID and ms_addr pdp context.
> In the current code, duplicate TID and ms_addr pdp context could be added.
> So, RX and TX path could find correct pdp context.
> 
> 2. Fix wrong condition in ->dumpit() callback.
> ->dumpit() callback is re-called if dump packet size is too big.
> So, before return, it saves last position and then restarts from
> last dump position.
> TID value is used to find last dump position.
> GTP module allows adding zero TID value. But ->dumpit() callback ignores
> zero TID value.
> So, dump would not work correctly if dump packet size is too big.
> 
> 3. Fix use-after-free in ipv4_pdp_find().
> RX and TX path always use gtp->tid_hash and gtp->addr_hash.
> But during packet processing, these hash pointers would be freed.
> So, use-after-free would occur.
> 
> 4. Fix panic because of zero size hashtable
> GTP hashtable size could be set by user-space.
> If hashsize is set to 0, hashtable will not work and panic will occur.

Looks good to me, thank you, applied and queued for stable.
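
Item 2 of the quoted cover letter, as an added example that is not part of this thread, the patch, or the kernel's gtp code: a simplified user-space model of a resumable dump that uses the TID as its restart cursor. All names (`bucket`, `dump_cb`, `dump_once`, `dump_all`) and the sample TIDs are hypothetical; `fixed` selects an explicit resume flag instead of treating TID 0 as "no saved position".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: TIDs in one hash bucket; TID 0 is a valid entry. */
static const uint64_t bucket[] = { 7, 9, 0, 4 };
#define NENT (sizeof(bucket) / sizeof(bucket[0]))

/* State kept between dump calls (the role cb->args[] plays for ->dumpit()). */
struct dump_cb { uint64_t tid; bool resume, done; };

/* One dump call: emits at most `room` entries into out[], returns the count. */
static size_t dump_once(struct dump_cb *cb, bool fixed, size_t room, uint64_t *out)
{
	/* Old check: a saved TID of 0 is indistinguishable from "nothing saved". */
	bool skipping = fixed ? cb->resume : cb->tid != 0;
	size_t n = 0;

	for (size_t i = 0; i < NENT; i++) {
		if (skipping && bucket[i] != cb->tid)
			continue;          /* not yet at the saved position */
		skipping = false;
		if (n == room) {           /* message full: remember where we stopped */
			cb->tid = bucket[i];
			cb->resume = true;
			return n;
		}
		out[n++] = bucket[i];
	}
	cb->done = true;
	return n;
}

/* Repeats dump calls until done or max_calls is hit; returns entries emitted. */
static size_t dump_all(bool fixed, size_t room, int max_calls, bool *done)
{
	struct dump_cb cb = { 0 };
	uint64_t out[NENT];
	size_t total = 0;
	while (!cb.done && max_calls-- > 0)
		total += dump_once(&cb, fixed, room, out);
	*done = cb.done;
	return total;
}

int main(void)
{
	bool d1, d2;
	size_t a = dump_all(false, 2, 10, &d1), b = dump_all(true, 2, 10, &d2);
	printf("old: %zu entries done=%d; flag: %zu entries done=%d\n", a, d1, b, d2);
	return 0;
}
```

With room for two entries per call, the old check stops on TID 0, restarts from the beginning of the bucket on every call and never completes, while the flag variant emits each of the four entries once.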


