rate_ctr: fix osmo-sgsn DoS: don't return NULL on already used index

Recent patch I563764af1d28043e909234ebb048239125ce6ecd introduced returning
NULL from rate_ctr_group_alloc() when the index passed already exists.

Instead of returning NULL, find an unused group index and use that, adjust the
error message.

In stats_test.c, adjust, and also assert allocated counter group indexes
everywhere.

Rationale:

The original patch causes osmo-sgsn to crash as soon as the second subscriber
attempts to establish an MM context. Of course osmo-sgsn is wrong to a) fail to
check a NULL return value and crash and b) to fail to allocate an MM context
just because the rate counter group could not be allocated (it still rejects
the MM context completely if rate_ctr_group_alloc() fails).

Nevertheless, the price we pay for rate counter correctness is, at least in
this instance, way too high: osmo-sgsn becomes completely unusable for more
than one subscriber.

Numerous other places exist where rate_ctr_group_alloc() is called with a
constant index number; from a quick grep magic I found these possible breaking
points:

osmo-sgsn/src/gprs/gb_proxy.c:1431:     cfg->ctrg = rate_ctr_group_alloc(tall_bsc_ctx, &global_ctrg_desc, 0);
osmo-sgsn/src/gprs/gprs_sgsn.c:139:     sgsn->rate_ctrs = rate_ctr_group_alloc(tall_bsc_ctx, &sgsn_ctrg_desc, 0);
osmo-sgsn/src/gprs/gprs_sgsn.c:270:     ctx->ctrg = rate_ctr_group_alloc(ctx, &mmctx_ctrg_desc, 0);
osmo-sgsn/src/gprs/gtphub.c:888:        b->counters_io = rate_ctr_group_alloc(osmo_gtphub_ctx,
                                                                              &gtphub_ctrg_io_desc, 0);
osmo-bsc/src/libfilter/bsc_msg_acc.c:87:        lst->stats = rate_ctr_group_alloc(lst, &bsc_cfg_acc_list_desc, 0);
osmo-pcu/src/bts.cpp:228:               m_ratectrs = rate_ctr_group_alloc(tall_pcu_ctx, &bts_ctrg_desc, 0);
osmo-pcu/src/tbf.cpp:793:       tbf->m_ctrs = rate_ctr_group_alloc(tbf, &tbf_ctrg_desc, 0);
osmo-pcu/src/tbf.cpp:879:       tbf->m_ul_egprs_ctrs = rate_ctr_group_alloc(tbf, &tbf_ul_egprs_ctrg_desc, 0);
osmo-pcu/src/tbf.cpp:880:       tbf->m_ul_gprs_ctrs = rate_ctr_group_alloc(tbf, &tbf_ul_gprs_ctrg_desc, 0);
osmo-pcu/src/tbf.cpp:970:               tbf->m_dl_egprs_ctrs = rate_ctr_group_alloc(tbf, &tbf_dl_egprs_ctrg_desc, 0);
osmo-pcu/src/tbf.cpp:977:               tbf->m_dl_gprs_ctrs = rate_ctr_group_alloc(tbf, &tbf_dl_gprs_ctrg_desc, 0);
osmo-pcu/src/tbf.cpp:1475:      ul_tbf->m_ctrs = rate_ctr_group_alloc(ul_tbf, &tbf_ctrg_desc, 0);
osmo-pcu/src/bts.cpp:226:               m_ratectrs = rate_ctr_group_alloc(tall_pcu_ctx, &bts_ctrg_desc, 1);

We can fix all of these callers and then reconsider returning NULL, but IMO
even into the future, rate counter group indexes are not something worth
failing to provide service for. For future bugs we should keep the automatic
index picking in case of index collisions. We will get an error message barfed
and can fix the issue in our own time, while the application remains completely
usable, and even the rate counters can still be queried (at wrong indexes, but
life is tough).

Related: I49aa95b610f2faec52dede2e4816da47ca1dfb14 (osmo-sgsn's segfault)
Change-Id: Iba6e41b8eeaea5ff6ed862bab3f34a62ab976914
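
The collision handling described in this commit message, sketched as an added example that is not libosmocore's code and not part of the commit. The registry, the names `ctr_group`, `ctr_group_alloc` and `idx_taken`, and the choice of "one past the highest index in use" as the free index are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for a counter group registry (hypothetical names). */
struct ctr_group {
	const char *desc;       /* description name; indexes are unique per name */
	unsigned int idx;
	struct ctr_group *next;
};
static struct ctr_group *groups;

/* Is (desc, idx) taken? *free_idx gets one past the highest index in use. */
static int idx_taken(const char *desc, unsigned int idx, unsigned int *free_idx)
{
	int taken = 0;
	*free_idx = 0;
	for (struct ctr_group *g = groups; g; g = g->next) {
		int same = !strcmp(g->desc, desc);
		taken |= same && g->idx == idx;
		if (same && g->idx >= *free_idx)
			*free_idx = g->idx + 1;
	}
	return taken;
}

/* On an index collision, log it and pick a free index instead of failing. */
struct ctr_group *ctr_group_alloc(const char *desc, unsigned int idx)
{
	unsigned int free_idx;
	struct ctr_group *g = calloc(1, sizeof(*g));
	if (!g)
		return NULL; /* out of memory is still a failure callers must check */
	if (idx_taken(desc, idx, &free_idx)) {
		fprintf(stderr, "%s: index %u already in use, using %u\n", desc, idx, free_idx);
		idx = free_idx;
	}
	*g = (struct ctr_group){ .desc = desc, .idx = idx, .next = groups };
	groups = g;
	return g;
}

int main(void)
{
	/* Two contexts created with the same constant index, as in the grep list. */
	struct ctr_group *a = ctr_group_alloc("mmctx", 0), *b = ctr_group_alloc("mmctx", 0);
	if (a && b)
		printf("first idx=%u, second idx=%u\n", a->idx, b->idx);
	return (a && b) ? 0 : 1;
}
```

The second allocation succeeds with a different index and a logged error, so a caller that allocates one group per subscriber keeps working while the duplicate index is still visible in the log.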
2 files changed
tree: e04404c2111366a5c25f68ececf6227ecab3ab68
README.md

libosmocore - set of Osmocom core libraries

This repository contains a set of C-language libraries that form the core infrastructure of many Osmocom Open Source Mobile Communications projects.

Historically, a lot of this code was developed as part of the OpenBSC project, but it is of a more generic nature and thus useful to (at least) other programs that we develop in the sphere of Free Software / Open Source mobile communications.

There is no clear scope for it. We simply move all code shared between the various Osmocom projects into this library to avoid code duplication.

The libosmocore.git repository builds multiple libraries:

  • libosmocore contains some general-purpose functions like select-loop abstraction, message buffers, timers, linked lists
  • libosmovty contains routines related to the interactive command-line interface called VTY
  • libosmogsm contains definitions and helper code related to GSM protocols
  • libosmoctrl contains a shared implementation of the Osmocom control interface
  • libosmogb contains an implementation of the Gb interface with its NS/BSSGP protocols
  • libosmocodec contains an implementation of GSM voice codecs
  • libosmocoding contains an implementation of GSM channel coding
  • libosmosim contains infrastructure to interface SIM/UICC/USIM cards
  • libosmotrau contains encoding/decoding functions for A-bis TRAU frames

Homepage

The official homepage of the project is https://osmocom.org/projects/libosmocore/wiki/Libosmocore

GIT Repository

You can clone from the official libosmocore.git repository using

git clone git://git.osmocom.org/libosmocore.git

There is a cgit interface at http://git.osmocom.org/libosmocore/

Documentation

Doxygen-generated API documentation is built during the build process and is also available online for each of the sub-libraries at http://ftp.osmocom.org/api/latest/libosmocore/

Mailing List

Discussions related to libosmocore take place on the openbsc@lists.osmocom.org mailing list. Please see https://lists.osmocom.org/mailman/listinfo/openbsc for subscription options and the list archive.

Please observe the Osmocom Mailing List Rules when posting.

Contributing

Our coding standards are described at https://osmocom.org/projects/cellular-infrastructure/wiki/Coding_standards

We use a Gerrit-based patch submission/review process for managing contributions. Please see https://osmocom.org/projects/cellular-infrastructure/wiki/Gerrit for more details.

The current patch queue for libosmocore can be seen at https://gerrit.osmocom.org/#/q/project:libosmocore+status:open