| commit | c2729a525c83979f9887ebbcda707e2c1d59e442 |
|---|---|
| author | Vadim Yanitskiy <vyanitskiy@sysmocom.de>, Fri May 05 22:28:46 2023 +0700 |
| committer | Vadim Yanitskiy <vyanitskiy@sysmocom.de>, Mon May 08 22:18:14 2023 +0700 |
| tree | cc5925fe4ce8e7fb2d9a055bf029a44ab020aebd |
| parent | 231f67ebb207a0a871043fc429a1b6f763ba880b |
fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()

In ipaccess_bts_keepalive_fsm_alloc() we allocate a keepalive FSM instance as a child of the respective struct ipa_client_conn, and store the pointer to the respective struct e1inp_ts.

```
+ struct e1inp_line
|
---+ struct ipaccess_line (void *driver_data)
|   |
|   ---+ struct ipa_client_conn *ipa_cli[NUM_E1_TS] // <-- parent
|
---+ struct e1inp_ts ts[NUM_E1_TS]
|   |
|   ---+ .driver.ipaccess.ka_fsm // <-- pointer
```

When an ipaccess connection (be it OML or RSL) goes down and then up again, for instance if the BSC gets restarted, osmo-bts crashes. The problem is that struct ipa_client_conn gets free()ed before the associated FSM instance gets terminated:

* e1inp_ipa_bts_rsl_connect_n() is called
  * calling e1inp_ipa_bts_rsl_close_n()
    * this function free()s struct ipa_client_conn
    * (!) as well as the struct osmo_fsm_inst (talloc child)
  * calling ipaccess_bts_keepalive_fsm_alloc()
    * calling ipaccess_keepalive_fsm_cleanup()
      * accessing free()d e1i_ts->driver.ipaccess.ka_fsm
      * BOOOM! segmentation fault

Fix this by calling ipaccess_keepalive_fsm_cleanup() before free()ing the associated struct ipa_client_conn.

Note that ipaccess_bsc_keepalive_fsm_alloc() is not affected because it's allocating keepalive FSMs using the global tall_ipa_ctx.

Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b
Related: SYS#6438
(cherry picked from commit f6bde0f521155f1d2a073181cfca97df83de2684)
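The ownership relations and the two call orders from the commit message, as an added example that is not libosmo-abis code: `struct conn`, `struct fsm_inst` and `struct ts` are hypothetical stand-ins for struct ipa_client_conn, struct osmo_fsm_inst and struct e1inp_ts, and a small registry of live allocations stands in for what the talloc hierarchy (or AddressSanitizer on the real binary) knows about lifetimes, so the stale pointer is reported rather than dereferenced.

```c
/* Added example, not libosmo-abis code. Models the commit's bug: a parent
 * object owns a child FSM, a third struct keeps a raw pointer to that FSM,
 * and freeing the parent first leaves the raw pointer dangling. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 16
static void *live[MAX_LIVE]; /* constructed registry of still-allocated objects */

static int is_live(const void *p)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (p && live[i] == p)
			return 1;
	return 0;
}

static void track(void *p)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (!live[i]) { live[i] = p; return; }
	abort(); /* registry full, not reachable in this example */
}

static void untrack(const void *p)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == p) { live[i] = NULL; return; }
}

struct conn;
struct fsm_inst { struct conn *parent; };    /* stand-in: struct osmo_fsm_inst */
struct conn { struct fsm_inst *child; };     /* stand-in: struct ipa_client_conn (talloc parent) */
struct ts { struct fsm_inst *ka_fsm; };      /* stand-in: struct e1inp_ts, raw pointer only */

/* Allocate the connection plus its child FSM and publish the FSM pointer
 * in the timeslot, like ipaccess_bts_keepalive_fsm_alloc() does. */
static struct conn *conn_alloc(struct ts *ts)
{
	struct conn *c = calloc(1, sizeof(*c));
	struct fsm_inst *f = calloc(1, sizeof(*f));
	if (!c || !f)
		abort();
	f->parent = c;
	c->child = f;
	track(c);
	track(f);
	ts->ka_fsm = f;
	return c;
}

/* Like talloc_free() on the parent: the child FSM is released with it,
 * but ts->ka_fsm is not updated and now dangles. */
static void conn_free(struct conn *c)
{
	if (c->child) {
		untrack(c->child);
		free(c->child);
	}
	untrack(c);
	free(c);
}

/* Stand-in for ipaccess_keepalive_fsm_cleanup(): terminate the FSM and
 * clear the pointer. Returns 0 on success, -1 when the pointer is stale
 * (where the real code segfaults or ASan reports heap-use-after-free). */
static int ka_fsm_cleanup(struct ts *ts)
{
	struct fsm_inst *f = ts->ka_fsm;

	if (!f)
		return 0;
	if (!is_live(f)) {
		ts->ka_fsm = NULL;
		return -1;
	}
	f->parent->child = NULL; /* detach so conn_free() does not double-free */
	untrack(f);
	free(f);
	ts->ka_fsm = NULL;
	return 0;
}

/* Broken order from the commit: close (frees conn and FSM), then the
 * re-alloc path calls cleanup through the stale pointer. */
static int reconnect_buggy(void)
{
	struct ts ts = { 0 };
	struct conn *c = conn_alloc(&ts);

	conn_free(c);                 /* e1inp_ipa_bts_rsl_close_n() */
	return ka_fsm_cleanup(&ts);   /* -> -1: FSM already gone */
}

/* Fixed order: terminate the FSM while it is live, then free the parent. */
static int reconnect_fixed(void)
{
	struct ts ts = { 0 };
	struct conn *c = conn_alloc(&ts);
	int rc = ka_fsm_cleanup(&ts); /* pointer cleared, child detached */

	conn_free(c);
	return rc;                    /* -> 0 */
}

int main(void)
{
	printf("buggy order: %s\n", reconnect_buggy() < 0 ? "stale FSM pointer" : "ok");
	printf("fixed order: %s\n", reconnect_fixed() < 0 ? "stale FSM pointer" : "ok");
	return 0;
}
```

The registry check is only a teaching device; on the real code the equivalent evidence comes from running osmo-bts under AddressSanitizer or valgrind across a BSC restart, which is also the regression check worth keeping for this fix.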
This repository contains a set of C-language libraries that form the A-bis interface library of Osmocom Open Source Mobile Communications projects such as OpenBSC / OsmoBSC.
Historically, a lot of this code was developed as part of the OpenBSC project, but it is of a more generic nature and thus useful to (at least) other programs that we develop in the sphere of Free Software / Open Source mobile communications.
The libosmo-abis.git repository builds multiple libraries:
The official homepage of the project is https://osmocom.org/projects/libosmo-abis
You can clone from the official libosmo-abis.git repository using
git clone https://gitea.osmocom.org/osmocom/libosmo-abis
There is a web interface at https://gitea.osmocom.org/osmocom/libosmo-abis
There is no Doxygen-generated API documentation yet for this library. It would be great to some day have it, comparable to libosmocore.
Discussions related to libosmo-abis are happening on the openbsc@lists.osmocom.org mailing list, please see https://lists.osmocom.org/mailman/listinfo/openbsc for subscription options and the list archive.
Please observe the Osmocom Mailing List Rules when posting.
Our coding standards are described at https://osmocom.org/projects/cellular-infrastructure/wiki/Coding_standards
We use a Gerrit-based patch submission/review process for managing contributions. Please see https://osmocom.org/projects/cellular-infrastructure/wiki/Gerrit for more details.
The current patch queue for libosmo-abis can be seen at https://gerrit.osmocom.org/#/q/project:libosmo-abis+status:open