Attention is currently required from: pespin. fixeria has posted comments on this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32641 )
Change subject: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() ...................................................................... Patch Set 1: (2 comments) Commit Message: https://gerrit.osmocom.org/c/libosmo-abis/+/32641/comment/8127499a_dfc877f6 PS1, Line 31: *** (!) as well as the struct osmo_fsm_inst (talloc child) > shouldn't the fsm always be freed with explicit osmo_fsm_inst_free() and not > through automatic tallo […] Yes, all `osmo_fsm_inst` should normally be freed by calling `osmo_fsm_inst_free()`. But in this specific case it gets free()d implicitly (and incorrectly, not cleaning up stuff like timers and llists) before we reach the point of calling `osmo_fsm_inst_free()`. And when we call it, osmo-bts crashes due to use-after-free. https://gerrit.osmocom.org/c/libosmo-abis/+/32641/comment/67473659_0c543803 PS1, Line 33: *** calling ipaccess_keepalive_fsm_cleanup() > why is cleanup() called here if it was freed above? I don't know why the cleanup() is called in the alloc() function... ask Eric. > why wasn't the pointer set to NULL? talloc does not set pointers to NULL when free()ing child chunks... -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32641 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: master Gerrit-Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Gerrit-Change-Number: 32641 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <[email protected]> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: pespin <[email protected]> Gerrit-Attention: pespin <[email protected]> Gerrit-Comment-Date: Fri, 05 May 2023 17:44:17 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: pespin <[email protected]> Gerrit-MessageType: comment
