Gitiles
Code Review Sign In
gerrit.osmocom.org / libosmocore / 988f6d72c55a041b9b382143e2548571a3510abc
commit988f6d72c55a041b9b382143e2548571a3510abc[log] [tgz]
authorNeels Hofmeyr <neels@hofmeyr.de>Fri Oct 04 20:37:17 2019 +0200
committerNeels Hofmeyr <neels@hofmeyr.de>Tue Oct 29 16:46:04 2019 +0100
tree0b1e62f1bb028e1b060803dedcd9a20b3fce4e45
parentd4b4edd316df5918f0c04360f05d01e230895e7d [diff]
add osmo_fsm_set_dealloc_ctx(), to help with use-after-free

This is a simpler and more general solution to the problem so far solved by
osmo_fsm_term_safely(true). This extends use-after-free fixes to arbitrary
functions, not only FSM instances during termination.

The aim is to defer talloc_free() until back in the main loop.

Rationale: I discovered an osmo-msc use-after-free crash from an invalid
message, caused by this pattern:

void event_action()
{
       osmo_fsm_inst_dispatch(foo, FOO_EVENT, NULL);
       osmo_fsm_inst_dispatch(bar, BAR_EVENT, NULL);
}

Usually, FOO_EVENT takes successful action, and afterwards we also notify bar.
However, in this particular case, FOO_EVENT caused failure, and the immediate
error handling directly terminated and deallocated bar. In such a case,
dispatching BAR_EVENT causes a use-after-free; this constituted a DoS vector
just from sending messages that cause *any* failure during the first event
dispatch.

Instead, when this is enabled, we do not deallocate 'foo' until event_action()
has returned back to the main loop.

Test: duplicate fsm_dealloc_test.c using this, and print the number of items
deallocated in each test loop, to ensure the feature works. We also verify that
the deallocation safety works simply by fsm_dealloc_test.c not crashing.

We should probably follow up by refusing event dispatch and state transitions
for FSM instances that are terminating or already terminated:
see I0adc13a1a998e953b6c850efa2761350dd07e03a.

Change-Id: Ief4dba9ea587c9b4aea69993e965fbb20fb80e78
4 files changed
tree: 0b1e62f1bb028e1b060803dedcd9a20b3fce4e45
  1. contrib/
  2. debian/
  3. doc/
  4. include/
  5. m4/
  6. src/
  7. tests/
  8. utils/
  9. .gitignore
  10. .gitreview
  11. .mailmap
  12. configure.ac
  13. COPYING
  14. Doxyfile.codec.in
  15. Doxyfile.coding.in
  16. Doxyfile.core.in
  17. Doxyfile.ctrl.in
  18. Doxyfile.gb.in
  19. Doxyfile.gsm.in
  20. Doxyfile.vty.in
  21. git-version-gen
  22. libosmocodec.pc.in
  23. libosmocoding.pc.in
  24. libosmocore.pc.in
  25. libosmoctrl.pc.in
  26. libosmogb.pc.in
  27. libosmogsm.pc.in
  28. libosmosim.pc.in
  29. libosmovty.pc.in
  30. Makefile.am
  31. osmo-release.mk
  32. osmo-release.sh
  33. README.md
  34. TODO-RELEASE
README.md

libosmocore - set of Osmocom core libraries

This repository contains a set of C-language libraries that form the core infrastructure of many Osmocom Open Source Mobile Communications projects.

Historically, a lot of this code was developed as part of the OpenBSC project, but which are of a more generic nature and thus useful to (at least) other programs that we develop in the sphere of Free Software / Open Source mobile communications.

There is no clear scope of it. We simply move all shared code between the various Osmocom projects in this library to avoid code duplication.

The libosmcoore.git repository build multiple libraries:

  • libosmocore contains some general-purpose functions like select-loop abstraction, message buffers, timers, linked lists
  • libosmovty contains routines related to the interactive command-line interface called VTY
  • libosmogsm contains definitions and helper code related to GSM protocols
  • libosmoctrl contains a shared implementation of the Osmocom control interface
  • libosmogb contains an implementation of the Gb interface with its NS/BSSGP protocols
  • libosmocodec contains an implementation of GSM voice codecs
  • libosmocoding contains an implementation of GSM channel coding
  • libosmosim contains infrastructure to interface SIM/UICC/USIM cards
  • libosmotrau contains encoding/decoding functions for A-bis TRAU frames

Homepage

The official homepage of the project is https://osmocom.org/projects/libosmocore/wiki/Libosmocore

GIT Repository

You can clone from the official libosmocore.git repository using

git clone git://git.osmocom.org/libosmocore.git

There is a cgit interface at http://git.osmocom.org/libosmocore/

Documentation

Doxygen-generated API documentation is generated during the build process, but also available online for each of the sub-libraries at http://ftp.osmocom.org/api/latest/libosmocore/

Mailing List

Discussions related to libosmocore are happening on the openbsc@lists.osmocom.org mailing list, please see https://lists.osmocom.org/mailman/listinfo/openbsc for subscription options and the list archive.

Please observe the Osmocom Mailing List Rules when posting.

Contributing

Our coding standards are described at https://osmocom.org/projects/cellular-infrastructure/wiki/Coding_standards

We us a gerrit based patch submission/review process for managing contributions. Please see https://osmocom.org/projects/cellular-infrastructure/wiki/Gerrit for more details

The current patch queue for libosmocore can be seen at https://gerrit.osmocom.org/#/q/project:libosmocore+status:open