pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-hnbgw/+/29549 )


Change subject: hnb_read_cb(): -EBADF must be returned if conn is freed to avoid use-after-free
......................................................................

hnb_read_cb(): -EBADF must be returned if conn is freed to avoid use-after-free

Otherwise the libosmo-netif stream API may continue accessing the conn
after returning if the socket has the WRITE flag active in the same main
loop iteration.

Change-Id: I628c59a88d94d299f432f405b37fbe602381d47e
---
M src/osmo-hnbgw/hnbgw.c
1 file changed, 4 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/49/29549/1

diff --git a/src/osmo-hnbgw/hnbgw.c b/src/osmo-hnbgw/hnbgw.c
index b824dd3..38d33eb 100644
--- a/src/osmo-hnbgw/hnbgw.c
+++ b/src/osmo-hnbgw/hnbgw.c
@@ -264,7 +264,7 @@
                                       "sctp_recvmsg(%s) = SCTP_COMM_LOST, 
closing conn\n",
                                       osmo_sock_get_name2(ofd->fd));
                                osmo_stream_srv_destroy(conn);
-                               rc = -1;
+                               rc = -EBADF;
                                break;
                        case SCTP_RESTART:
                                LOGHNB(hnb, DMAIN, LOGL_NOTICE, "HNB SCTP conn 
RESTARTed, marking as HNBAP-unregistered\n");
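
Review bot: In the SCTP_COMM_LOST case, nothing in the code says why the value after osmo_stream_srv_destroy(conn) has to be exactly -EBADF; that contract with the libosmo-netif stream API is stated only in the commit message. A short comment next to the assignment (for example "conn is freed, -EBADF tells the stream layer not to touch it again") would keep someone from turning it back into a generic -1 later. The patch also adds no #include, so please confirm hnbgw.c already pulls in errno.h rather than getting EBADF through another header.
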
@@ -277,7 +277,7 @@
                               "sctp_recvmsg(%s) = SCTP_SHUTDOWN_EVENT, closing 
conn\n",
                               osmo_sock_get_name2(ofd->fd));
                        osmo_stream_srv_destroy(conn);
-                       rc = -1;
+                       rc = -EBADF;
                        break;
                }
                goto out;
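
Review bot: In the SCTP_SHUTDOWN_EVENT case, control still reaches "goto out" after osmo_stream_srv_destroy(conn), and the out: label is not part of this hunk, so the fix only holds if nothing on that path dereferences conn, hnb or ofd before returning rc. Please confirm that the code at out: only releases the msgb and returns. Since "osmo_stream_srv_destroy(conn); rc = -EBADF;" now appears as a pair in every close path of this function, a small helper that destroys the conn and returns -EBADF would make it harder for a future close path to forget the return value.
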
@@ -291,12 +291,13 @@
                LOGHNB(hnb, DMAIN, LOGL_ERROR, "Error during 
sctp_recvmsg(%s)\n",
                       osmo_sock_get_name2(ofd->fd));
                osmo_stream_srv_destroy(conn);
+               rc = -EBADF;
                goto out;
        } else if (rc == 0) {
                LOGHNB(hnb, DMAIN, LOGL_NOTICE, "Connection closed 
sctp_recvmsg(%s) = 0\n",
                       osmo_sock_get_name2(ofd->fd));
                osmo_stream_srv_destroy(conn);
-               rc = -1;
+               rc = -EBADF;
                goto out;
        } else {
                msgb_put(msg, rc);
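
Review bot: In the "Error during sctp_recvmsg" branch, the added rc = -EBADF overwrites the value that sctp_recvmsg() returned, and the LOGHNB line above it prints only the socket name, so the real failure reason is no longer available anywhere once this branch runs. Consider logging rc or strerror(errno) in that message before the overwrite. This is also the one branch where rc was previously left untouched rather than set to -1, so it is worth a sentence in the commit message that callers which looked at the original error value here will now always see -EBADF.
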

--
To view, visit https://gerrit.osmocom.org/c/osmo-hnbgw/+/29549

Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: I628c59a88d94d299f432f405b37fbe602381d47e
Gerrit-Change-Number: 29549
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <[email protected]>
Gerrit-MessageType: newchange
