commit	686eba9bfcdd229bc1e40c75a220cfd379d15b8c	[log] [tgz]
author	Pau Espin Pedrol <pespin@sysmocom.de>	Fri May 04 18:20:35 2018 +0200
committer	Pau Espin Pedrol <pespin@sysmocom.de>	Fri May 04 18:29:26 2018 +0200
tree	100ce5f90fd3caf399f0c0c6c7835a9b2489b7c1
parent	13154ffabd35a7b6d017e54bd92ab2b984ba5066 [diff]

control_if: Avoid heap-use-after-free in osmo_wqueue_bfd_cb

Imagine following scenario:
1- client connects to CTRL iface, a new conn is created with POLL_READ
enabled.
2- A non-related event happens which triggers a TRAP to be sent. As a
result, the wqueue for the conn has now enabled POLL_WRITE, and message
will be sent next time we go through osmo_main_select().
3- At the same time, we receive the GET cmd from the CTRL client, which
means POLL_READ event will be also triggered next time we call
osmo_main_select().
4- osmo_main_select triggers osmo_wqueue_bfd_cb with both READ/WRITE
flags set.
5- The read_cb of wqueue is executed first. The handler closes the CTRL
conn for some reason, freeing the osmo_fd struct and returns.
6- osmo_qeueue_bfd_cb keeps using the already freed osmo_fd and calls
write_cb.

So in step 6 we get a heap-use-after-free catched by AddressSanitizer:

[0;m20180424135406115 [1;32mDLCTRL[0;m <0018> control_if.c:506 accept()ed new CTRL connection from (r=10.42.42.1:53910<->l=10.42.42.7:4249)
[0;m20180424135406116 [1;34mDLCTRL[0;m <0018> control_cmd.c:378 Command: GET bts.0.oml-connection-state
[0;m20180424135406117 [1;34mDLINP[0;m <0013> bts_ipaccess_nanobts.c:417 Identified BTS 1/0/0
[0;m[1;36m20180424135406118 [1;34mDNM[0;m[1;36m <0005> abis_nm.c:1628 Get Attr (bts=0)
[0;m[1;36m20180424135406118 [1;34mDNM[0;m[1;36m <0005> abis_nm.c:1628 Get Attr (bts=0)
[0;m20180424135406118 [1;34mDCTRL[0;m <000e> osmo_bsc_ctrl.c:158 BTS connection (re)established, sending TRAP.
[0;m20180424135406119 [1;32mDLCTRL[0;m <0018> control_if.c:173 close()d CTRL connection (r=10.42.42.1:53910<->l=10.42.42.7:4249)
[0;m=================================================================
==12301==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000003e04 at pc 0x7f23091c3a2f bp 0x7ffc0cb73ff0 sp 0x7ffc0cb73fe8
READ of size 4 at 0x611000003e04 thread T0
    #0 0x7f23091c3a2e in osmo_wqueue_bfd_cb /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/write_queue.c:65
    #1 0x7f23091ad5d8 in osmo_fd_disp_fds /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:216
    #2 0x7f23091ad5d8 in osmo_select_main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:256
    #3 0x56538bdb7a26 in main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:532
    #4 0x7f23077532e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x56538bdb8999 in _start (/home/jenkins/workspace/osmo-gsm-tester_run-prod/trial-896/inst/osmo-bsc/bin/osmo-bsc+0x259999)

Fixes: OS#3206

Change-Id: I84d10caaadcfa6bd46ba8756ca89aa0badcfd2e3

2 files changed

tree: 100ce5f90fd3caf399f0c0c6c7835a9b2489b7c1

README.md

libosmocore - set of Osmocom core libraries

This repository contains a set of C-language libraries that form the core infrastructure of many Osmocom Open Source Mobile Communications projects.

Historically, a lot of this code was developed as part of the OpenBSC project, but which are of a more generic nature and thus useful to (at least) other programs that we develop in the sphere of Free Software / Open Source mobile communications.

There is no clear scope of it. We simply move all shared code between the various Osmocom projects in this library to avoid code duplication.

The libosmcoore.git repository build multiple libraries:

libosmocore contains some general-purpose functions like select-loop abstraction, message buffers, timers, linked lists
libosmovty contains routines related to the interactive command-line interface called VTY
libosmogsm contains definitions and helper code related to GSM protocols
libosmoctrl contains a shared implementation of the Osmocom control interface
libosmogb contains an implementation of the Gb interface with its NS/BSSGP protocols
libosmocodec contains an implementation of GSM voice codecs
libosmocoding contains an implementation of GSM channel coding
libosmosim contains infrastructure to interface SIM/UICC/USIM cards
libosmotrau contains encoding/decoding functions for A-bis TRAU frames

Homepage

The official homepage of the project is https://osmocom.org/projects/libosmocore/wiki/Libosmocore

GIT Repository

You can clone from the official libosmocore.git repository using

git clone git://git.osmocom.org/libosmocore.git

There is a cgit interface at http://git.osmocom.org/libosmocore/

Documentation

Doxygen-generated API documentation is generated during the build process, but also available online for each of the sub-libraries at http://ftp.osmocom.org/api/latest/libosmocore/

Mailing List

Discussions related to libosmocore are happening on the openbsc@lists.osmocom.org mailing list, please see https://lists.osmocom.org/mailman/listinfo/openbsc for subscription options and the list archive.

Please observe the Osmocom Mailing List Rules when posting.

Contributing

Our coding standards are described at https://osmocom.org/projects/cellular-infrastructure/wiki/Coding_standards

We us a gerrit based patch submission/review process for managing contributions. Please see https://osmocom.org/projects/cellular-infrastructure/wiki/Gerrit for more details

The current patch queue for libosmocore can be seen at https://gerrit.osmocom.org/#/q/project:libosmocore+status:open