pespin has submitted this change. ( 
https://gerrit.osmocom.org/c/libosmo-sigtran/+/40403?usp=email )

Change subject: asp: Avoid double-free of received msg if conn is teared down
......................................................................

asp: Avoid double-free of received msg if conn is teared down

"""
20250516192255921 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){WAIT_ID_RESP}: 
Received Event IPA_CCM_ID_RESP (ipa.c:120)
20250516192255921 DLMI DEBUG Rx IPA CCM ID_RESP: Unit_ID='0/1/2' MAC_Address='' 
Location_1='' Location_2='' Equipment_Version='' Software_Version='' 
Unit_Name='mahlzeit' Serial_Number=''  (ipa.c:233)
20250516192255921 DLSS7 NOTICE 
IPA_ASP(ipa-asp-loadshare-sender0){WAIT_ID_RESP}: Cannot find any definition 
for IPA Unit Name 'mahlzeit' (xua_asp_fsm.c:968)
20250516192255921 DLSS7 INFO ipa-asp-loadshare-sender0: connection closed 
(ss7_asp.c:1159)
20250516192255921 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){WAIT_ID_RESP}: 
Received Event SCTP-COMM_DOWN.ind (ss7_asp.c:1165)
20250516192255922 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){WAIT_ID_RESP}: 
state_chg to ASP_DOWN (xua_asp_fsm.c:1154)
20250516192255922 DLSS7 DEBUG XUA_AS(ipa-as-loadshare-sender){AS_DOWN}: 
Received Event ASPAS-ASP_DOWN.ind (xua_asp_fsm.c:370)
20250516192255922 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){ASP_DOWN}: No 
Layer Manager, dropping M-ASP_DOWN.indication (xua_asp_fsm.c:119)
20250516192255922 DLSS7 DEBUG IPA_ASP(ipa-asp-loadshare-sender0){ASP_DOWN}: No 
Layer Manager, dropping M-SCTP_RELEASE.indication (xua_asp_fsm.c:119)

Program terminated with signal SIGABRT, Aborted.
 #0  0x000076bb9898ceec in ?? () from /lib/x86_64-linux-gnu/libc.so.6
 #0  0x000076bb9898ceec in ?? () from /lib/x86_64-linux-gnu/libc.so.6
 #1  0x000076bb9893dfb2 in raise () from /lib/x86_64-linux-gnu/libc.so.6
 #2  0x000076bb98928472 in abort () from /lib/x86_64-linux-gnu/libc.so.6
 #3  0x000076bb98ae6496 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
 #4  0x000076bb98b1b869 in msgb_free (m=0x5f957de3e750) at 
../../../src_copy/libosmocore/src/core/msgb.c:119
 #5  0x000076bb98bab8c8 in ipa_rx_msg_ccm (asp=0x5f957de3da50, 
msg=0x5f957de3e750) at ../../src_copy/libosmo-sigtran/src/ipa.c:137
 #6  0x000076bb98bac135 in ipa_rx_msg (asp=0x5f957de3da50, msg=0x5f957de3e750, 
sls=0 '\000') at ../../src_copy/libosmo-sigtran/src/ipa.c:321
 #7  0x000076bb98bca44f in ss7_asp_ipa_srv_conn_rx_cb (conn=0x5f957ddba4a0, 
res=49, msg=0x5f957de3e750) at ../../src_copy/libosmo-sigtran/src/ss7_asp.c:895
 #8  0x000076bb988efcb1 in stream_srv_iofd_read_cb (iofd=0x5f957ddd8e40, 
res=49, msg=0x5f957de3e750) at ../../src_copy/libosmo-netif/src/stream_srv.c:732
 #9  0x000076bb98b23c3c in iofd_handle_segmented_read (iofd=0x5f957ddd8e40, 
msg=0x5f957de3e750, rc=49) at 
../../../src_copy/libosmocore/src/core/osmo_io.c:357
 #10 0x000076bb98b23d2b in iofd_handle_recv (iofd=0x5f957ddd8e40, 
msg=0x5f957de3e750, rc=49, hdr=0x0) at 
../../../src_copy/libosmocore/src/core/osmo_io.c:384
 #11 0x000076bb98b257b7 in iofd_poll_ofd_cb_recvmsg_sendmsg 
(ofd=0x5f957ddd8ef0, what=1) at 
../../../src_copy/libosmocore/src/core/osmo_io_poll.c:64
 #12 0x000076bb98b25b32 in iofd_poll_ofd_cb_dispatch (ofd=0x5f957ddd8ef0, 
what=1) at ../../../src_copy/libosmocore/src/core/osmo_io_poll.c:136
 #13 0x000076bb98b2907b in poll_disp_fds (n_fd=6) at 
../../../src_copy/libosmocore/src/core/select.c:419
 #14 0x000076bb98b29191 in _osmo_select_main (polling=0) at 
../../../src_copy/libosmocore/src/core/select.c:457
 #15 0x000076bb98b291ac in osmo_select_main (polling=0) at 
../../../src_copy/libosmocore/src/core/select.c:496
 #16 0x00005f9553dd9a21 in main (argc=3, argv=0x7ffe754fac38) at 
../../src_copy/libosmo-sigtran/stp/stp_main.c:270
"""

Related: OS#6728
(cherry picked from commit dfccd989dbffe418d9ab7b4d3087345636da762d)
Change-Id: I4b893078212444c967164a64219c67f6c6a74c37
---
M src/osmo_ss7_asp.c
1 file changed, 24 insertions(+), 0 deletions(-)

Approvals:
  Jenkins Builder: Verified
  pespin: Looks good to me, approved




diff --git a/src/osmo_ss7_asp.c b/src/osmo_ss7_asp.c
index 57ebc82..dc60f67 100644
--- a/src/osmo_ss7_asp.c
+++ b/src/osmo_ss7_asp.c
@@ -802,6 +802,14 @@
 int ss7_asp_ipa_srv_conn_rx_cb(struct osmo_stream_srv *conn, int res, struct 
msgb *msg)
 {
        struct osmo_ss7_asp *asp = osmo_stream_srv_get_data(conn);
+       struct osmo_stream_srv_link *link = osmo_stream_srv_get_master(conn);
+
+       /* Reparent msg to srv_link, to avoid "msg" being automatically freed if
+        * "conn" is teared down during msg handling (or if its associated
+        * dynamic ASP becomes unused), which would then result in a double-free
+        * if same code path then explicitly frees the msgb through msgb_free().
+        */
+       talloc_steal(link, msg);

        if (res <= 0) {
                if (res == -EAGAIN) {
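Review bot: Once `talloc_steal(link, msg)` has run, the msgb is no longer reclaimed when conn is torn down, so every exit path of ss7_asp_ipa_srv_conn_rx_cb (and of the two callbacks patched the same way at `@@ -824` and `@@ -889`) that returns without calling msgb_free() now keeps the buffer alive for the lifetime of the listener link; the only explicit free visible here is the -EAGAIN branch in the third hunk, and the remaining returns are outside the hunks, so they should be checked, since an accumulation of unfreed receive buffers on a long-lived link is a memory-exhaustion risk driven by peer traffic. osmo_stream_srv_get_master() is used unchecked; if it can return NULL, talloc_steal() would merely detach msg from any parent, which is harmless only under the same "every path frees" condition, so a one-line comment stating that invariant next to the steal would help the next reader. The same eight lines are pasted verbatim into all three callbacks; a `static` helper such as `static void asp_srv_conn_rx_reparent(struct osmo_stream_srv *conn, struct msgb *msg)` would keep the rationale comment in one place and make it harder for a fourth rx callback to miss it. The body of each callback continues past its hunk.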
@@ -824,10 +832,18 @@
 int ss7_asp_xua_srv_conn_rx_cb(struct osmo_stream_srv *conn, int res, struct 
msgb *msg)
 {
        struct osmo_ss7_asp *asp = osmo_stream_srv_get_data(conn);
+       struct osmo_stream_srv_link *link = osmo_stream_srv_get_master(conn);
        unsigned int ppid;
        int flags;
        int rc = 0;

+       /* Reparent msg to srv_link, to avoid "msg" being automatically freed if
+        * "conn" is teared down during msg handling (or if its associated
+        * dynamic ASP becomes unused), which would then result in a double-free
+        * if same code path then explicitly frees the msgb through msgb_free().
+        */
+       talloc_steal(link, msg);
+
        /* process the received xUA message */
        flags = msgb_sctp_msg_flags(msg);

@@ -889,9 +905,17 @@
 int ss7_asp_m3ua_tcp_srv_conn_rx_cb(struct osmo_stream_srv *conn, int res, 
struct msgb *msg)
 {
        struct osmo_ss7_asp *asp = osmo_stream_srv_get_data(conn);
+       struct osmo_stream_srv_link *link = osmo_stream_srv_get_master(conn);
        const struct xua_common_hdr *hdr;
        int rc;

+       /* Reparent msg to srv_link, to avoid "msg" being automatically freed if
+        * "conn" is teared down during msg handling (or if its associated
+        * dynamic ASP becomes unused), which would then result in a double-free
+        * if same code path then explicitly frees the msgb through msgb_free().
+        */
+       talloc_steal(link, msg);
+
        if (res <= 0) {
                if (res == -EAGAIN) {
                        msgb_free(msg);

--

Gerrit-MessageType: merged
Gerrit-Project: libosmo-sigtran
Gerrit-Branch: pespin/rel-2.1.0
Gerrit-Change-Id: I4b893078212444c967164a64219c67f6c6a74c37
Gerrit-Change-Number: 40403
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pes...@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: pespin <pes...@sysmocom.de>
