Pau Espin Pedrol has uploaded this change for review. ( https://gerrit.osmocom.org/9749 )


Change subject: bsc-nat: Avoid heap-use-after-free on USSD conn lost
......................................................................

bsc-nat: Avoid heap-use-after-free on USSD conn lost

When ussd_read_cb calls bsc_nat_ussd_destroy the osmo_fd struct is
freed, so we need to indicate to osmo_wqueue_bfd_cb that it should not
continue using the fd pointer after we return.

Fixes the following AddressSanitizer report:
<0015> osmo-bsc_nat/bsc_ussd.c:273 USSD Connection on 13 with IP: 1.2.3.4
<0015> osmo-bsc_nat/bsc_ussd.c:132 USSD Connection was lost.
=================================================================
==18118==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200047c4b4 at pc 0x7ffff6067540 bp 0x7fffffffe170 sp 0x7fffffffe168
READ of size 4 at 0x61200047c4b4 thread T0
    #0 0x7ffff606753f in osmo_wqueue_bfd_cb libosmocore/src/write_queue.c:65
    #1 0x7ffff605206b in osmo_fd_disp_fds libosmocore/src/select.c:217
    #2 0x7ffff6052305 in osmo_select_main libosmocore/src/select.c:257
    #3 0x421dfa in main osmo-bsc_nat/bsc_nat.c:1718
    #4 0x7ffff47ffb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #5 0x406438 (/bin/osmo-bsc_nat+0x406438)

Change-Id: I35854c43524714d07f31d71c775ac1cd0a57d22e
---
M openbsc/src/osmo-bsc_nat/bsc_ussd.c
1 file changed, 7 insertions(+), 4 deletions(-)
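The ownership problem the commit message describes, as an added example that is not code from this change or from libosmocore: a read callback that tears down its own connection (and with it the embedded fd struct) has to tell the dispatcher that called it, otherwise the dispatcher keeps dereferencing a freed pointer. The names below (fd_model, conn_*, wqueue_cb_*, read_cb_*) are invented for the model; the -EBADF convention is the one the patch adopts. A static pool with an alive flag stands in for the heap so the use-after-free shows up as a counter instead of undefined behaviour.

```c
/* Added example modelling the callback-ownership bug fixed by this change.
 * Not code from osmo-bsc_nat or libosmocore; all names are invented. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum { EV_READ = 1, EV_WRITE = 2 };

struct fd_model;
typedef int (*read_cb_t)(struct fd_model *bfd);

/* Stand-in for the osmo_fd struct embedded in a connection object. */
struct fd_model {
	int fd;
	unsigned int when;   /* events the owner still wants */
	read_cb_t read_cb;
	int alive;           /* cleared by conn_destroy() instead of a real free() */
};

/* Static pool instead of malloc/free: every dereference in the dispatchers goes
 * through touch(), which counts hits on "freed" objects (a model, not ASan). */
static struct fd_model pool[4];
static int dead_touches;

static struct fd_model *touch(struct fd_model *bfd)
{
	if (!bfd->alive)
		dead_touches++;
	return bfd;
}

static struct fd_model *conn_new(int fd, read_cb_t cb)
{
	for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++) {
		if (pool[i].alive)
			continue;
		pool[i].fd = fd;
		pool[i].when = EV_READ | EV_WRITE;
		pool[i].read_cb = cb;
		pool[i].alive = 1;
		return &pool[i];
	}
	return NULL;
}

/* Models bsc_nat_ussd_destroy(): the connection and its fd struct are gone. */
static void conn_destroy(struct fd_model *bfd)
{
	touch(bfd)->alive = 0;
}

/* Pre-patch style: destroy the connection on error and return a plain -1. */
static int read_cb_before(struct fd_model *bfd)
{
	conn_destroy(bfd);
	return -1;
}

/* Post-patch style: destroy and return -EBADF so the caller knows bfd is dead. */
static int read_cb_after(struct fd_model *bfd)
{
	conn_destroy(bfd);
	return -EBADF;
}

/* Dispatcher that ignores the read callback's result, then touches bfd again. */
static int wqueue_cb_unsafe(struct fd_model *bfd, unsigned int what)
{
	if (what & EV_READ)
		touch(bfd)->read_cb(bfd);
	if (what & EV_WRITE)
		touch(bfd)->when &= ~EV_WRITE;   /* use-after-free if read_cb freed bfd */
	return 0;
}

/* Dispatcher that honours -EBADF: once seen, bfd is never dereferenced again. */
static int wqueue_cb_safe(struct fd_model *bfd, unsigned int what)
{
	if (what & EV_READ) {
		int rc = touch(bfd)->read_cb(bfd);
		if (rc == -EBADF)
			return 0;
	}
	if (what & EV_WRITE)
		touch(bfd)->when &= ~EV_WRITE;
	return 0;
}

/* Runs one dispatcher/callback pair on a fresh connection; returns how many
 * times the destroyed object was dereferenced (0 means no use-after-free). */
static int run_scenario(int (*disp)(struct fd_model *, unsigned int), read_cb_t cb)
{
	struct fd_model *bfd = conn_new(13, cb);   /* fd 13 as in the log above */
	dead_touches = 0;
	disp(bfd, EV_READ | EV_WRITE);
	bfd->alive = 0;   /* pool slot, safe to reset for the next run */
	return dead_touches;
}

int main(void)
{
	printf("unsafe dispatcher, -1 callback:     %d dead touches\n", run_scenario(wqueue_cb_unsafe, read_cb_before));
	printf("unsafe dispatcher, -EBADF callback: %d dead touches\n", run_scenario(wqueue_cb_unsafe, read_cb_after));
	printf("safe dispatcher,   -1 callback:     %d dead touches\n", run_scenario(wqueue_cb_safe, read_cb_before));
	printf("safe dispatcher,   -EBADF callback: %d dead touches\n", run_scenario(wqueue_cb_safe, read_cb_after));
	return 0;
}
```

Only the combination of a callback that returns -EBADF and a dispatcher that checks for it avoids the dead dereference; either side alone still reproduces the bug, which is why the patch changes the callback's return value rather than moving the destroy call.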



  git pull ssh://gerrit.osmocom.org:29418/openbsc refs/changes/49/9749/1

diff --git a/openbsc/src/osmo-bsc_nat/bsc_ussd.c b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
index 0ba6327..ee0b085 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_ussd.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
@@ -126,12 +126,11 @@
        int ret;

        ret = ipa_msg_recv_buffered(bfd->fd, &msg, &conn->pending_msg);
+       if (ret == -EAGAIN)
+               return 0;
        if (ret <= 0) {
-               if (ret == -EAGAIN)
-                       return 0;
                LOGP(DNAT, LOGL_ERROR, "USSD Connection was lost.\n");
-               bsc_nat_ussd_destroy(conn);
-               return -1;
+               goto close_fd;
        }

        LOGP(DNAT, LOGL_NOTICE, "MSG from USSD: %s proto: %d\n",
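Review bot: the `goto close_fd` in the `ret <= 0` branch only fixes the use-after-free if the caller, osmo_wqueue_bfd_cb in libosmocore, actually treats the -EBADF it will now receive as "stop touching bfd"; nothing in this file enforces that, so please state in the commit message which libosmocore behaviour (or minimum version) the fix depends on, since with a caller that ignores the return value the freed bfd is still dereferenced exactly as in the ASan trace. Hoisting `if (ret == -EAGAIN) return 0;` above the `ret <= 0` test is behaviour-preserving (-EAGAIN is negative, so it was reached before the error branch anyway) but unrelated to the fix; either keep it inside the block or mention the tidy-up in the commit message.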
@@ -168,6 +167,10 @@
        }

        return 0;
+
+close_fd:
+       bsc_nat_ussd_destroy(conn);
+       return -EBADF;
 }

 static void ussd_auth_cb(void *_data)
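Review bot: the `close_fd:` label returns -EBADF without explaining why that specific value matters; add a one-line comment that bsc_nat_ussd_destroy(conn) has just freed conn and the osmo_fd embedded in it, and that -EBADF is the signal to osmo_wqueue_bfd_cb not to dereference bfd after return, e.g. `/* conn and its bfd are freed; -EBADF tells the caller not to use bfd */`. Also worth checking that no other exit path in ussd_read_cb between the two hunks calls bsc_nat_ussd_destroy(conn) and then returns something other than -EBADF, since such a path would reintroduce the same use-after-free.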

--
To view, visit https://gerrit.osmocom.org/9749
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: openbsc
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I35854c43524714d07f31d71c775ac1cd0a57d22e
Gerrit-Change-Number: 9749
Gerrit-PatchSet: 1
Gerrit-Owner: Pau Espin Pedrol <[email protected]>
