pespin has uploaded this change for review. ( 
https://gerrit.osmocom.org/c/osmo-ggsn/+/27351 )


Change subject: libgtp: Fix ggsn crash if pdp alloc array is full (PDP_MAX)
......................................................................

libgtp: Fix ggsn crash if pdp alloc array is full (PDP_MAX)

osmo-ggsn crashes when the 1024th concurrent pdp context is created, due to
the gsn->pdpa array (of size PDP_MAX, 1024) being full.
The crash happens because the return code of gtp_pdp_newpdp was not checked,
and hence a pointer "pdp" pointing to a temporary, not fully allocated
object was being passed to the gsn->cb_create_context_ind() callback.

Let's avoid crashing and instead reject the PDP context.

Related: OS#5469

Change-Id: I0d94ffad97eb4fef477d981bf285bf99740592a3
---
M gtp/gtp.c
1 file changed, 12 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-ggsn refs/changes/51/27351/1

diff --git a/gtp/gtp.c b/gtp/gtp.c
index 59fd355..7c781de 100644
--- a/gtp/gtp.c
+++ b/gtp/gtp.c
@@ -1809,7 +1809,16 @@
                }
        }

-       gtp_pdp_newpdp(gsn, &pdp, pdp->imsi, pdp->nsapi, pdp);
+       rc = gtp_pdp_newpdp(gsn, &pdp, pdp->imsi, pdp->nsapi, pdp);
+       if (rc != 0) {
+               GTP_LOGPKG(LOGL_ERROR, peer, pack, len,
+                                  "Failed creating a new PDP context, array 
full (%u)\n", PDP_MAX);
+               /* &pdp in gtp_pdp_newpdp is untouched if it failed: */
+               rc = gtp_create_pdp_resp(gsn, version, pdp, GTPCAUSE_NO_MEMORY);
+               /* Don't pass it to emit_cb_recovery, since allocation failed 
and it was already rejected: */
+               pdp = NULL;
+               goto recover_ret;
+       }

        /* Callback function to validate login */
        if (gsn->cb_create_context_ind != 0)
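Review bot: the new `if (rc != 0)` branch logs "array full (%u)" with PDP_MAX for every non-zero return of gtp_pdp_newpdp, so if that function can fail for any other reason the log will mislead; include the return code in the message (e.g. "Failed creating a new PDP context (rc=%d), array full (%u)\n", rc, PDP_MAX) or only claim the array is full when rc says so. Two further points in the same hunk: the reject sent via `gtp_create_pdp_resp(gsn, version, pdp, GTPCAUSE_NO_MEMORY)` still passes the temporary `pdp` that the commit message describes as not fully allocated, so it should be confirmed, and stated in the comment, that gtp_create_pdp_resp only reads fields the request parser has already filled in; and the comment "&pdp in gtp_pdp_newpdp is untouched if it failed" is an invariant of gtp_pdp_newpdp that this caller now relies on, which belongs in that function's doc comment (or as a check there), not only at the call site.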
@@ -1820,6 +1829,8 @@
                rc = gtp_create_pdp_resp(gsn, version, pdp,
                                           GTPCAUSE_NOT_SUPPORTED);
        }
+
+recover_ret:
        if (recovery_recvd)
                emit_cb_recovery(gsn, peer, pdp, recovery);
        return rc;
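Review bot: via the new `recover_ret:` label the early-exit path reaches `emit_cb_recovery(gsn, peer, pdp, recovery)` with `pdp == NULL`, which the previous hunk sets on purpose; that is only safe if emit_cb_recovery and the recovery callback it invokes explicitly handle a NULL pdp. Please confirm that, and either note it in a comment at the label or add the NULL handling to emit_cb_recovery so the contract is visible there rather than implied by this caller.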

--
To view, visit https://gerrit.osmocom.org/c/osmo-ggsn/+/27351

Gerrit-Project: osmo-ggsn
Gerrit-Branch: master
Gerrit-Change-Id: I0d94ffad97eb4fef477d981bf285bf99740592a3
Gerrit-Change-Number: 27351
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <[email protected]>
Gerrit-MessageType: newchange