test/gbproxy: Test for possible memory corruption when link_info is freed
This test is to trigger the use-after free issue in commit bff7b0d80972. If
compiled with address-sanitizer the test will abort without the fix.
Change-Id: I5e8c6626ba43342740f08d699383bdded739079f
Ticket: OW#3049
Sponsored-by: On-Waves ehf
diff --git a/openbsc/tests/gbproxy/gbproxy_test.c b/openbsc/tests/gbproxy/gbproxy_test.c
index b32ccb5..577daa9 100644
--- a/openbsc/tests/gbproxy/gbproxy_test.c
+++ b/openbsc/tests/gbproxy/gbproxy_test.c
@@ -4817,6 +4817,100 @@
cleanup_test();
}
+static void test_gbproxy_stored_messages()
+{
+ struct gprs_ns_inst *nsi = gprs_ns_instantiate(gprs_ns_callback, NULL);
+ struct sockaddr_in bss_peer[1] = {{0},};
+ struct sockaddr_in sgsn_peer= {0};
+ struct gprs_ra_id rai_bss =
+ {.mcc = 112, .mnc = 332, .lac = 16464, .rac = 96};
+ struct gprs_ra_id rai_unknown =
+ {.mcc = 1, .mnc = 99, .lac = 99, .rac = 96};
+ uint16_t cell_id = 0x1234;
+
+ const uint32_t ptmsi = 0xefe2b700;
+ const uint32_t local_tlli = 0xefe2b700;
+
+ const uint32_t foreign_tlli1 = 0x8000dead;
+
+ struct gbproxy_peer *peer;
+ unsigned bss_nu = 0;
+ unsigned sgsn_nu = 0;
+
+ OSMO_ASSERT(local_tlli == gprs_tmsi2tlli(ptmsi, TLLI_LOCAL));
+
+ bssgp_nsi = nsi;
+ gbcfg.nsi = bssgp_nsi;
+ gbcfg.nsip_sgsn_nsei = SGSN_NSEI;
+ gbcfg.core_mcc = 0;
+ gbcfg.core_mnc = 0;
+ gbcfg.core_apn = talloc_zero_size(NULL, 100);
+ gbcfg.core_apn_size = gprs_str_to_apn(gbcfg.core_apn, 100, "foo.bar");
+ gbcfg.patch_ptmsi = 0;
+ gbcfg.acquire_imsi = 1;
+ gbcfg.keep_link_infos = 0;
+
+ configure_sgsn_peer(&sgsn_peer);
+ configure_bss_peers(bss_peer, ARRAY_SIZE(bss_peer));
+
+ printf("=== %s ===\n", __func__);
+ printf("--- Initialise SGSN ---\n\n");
+
+ connect_sgsn(nsi, &sgsn_peer, SGSN_NSEI);
+
+ printf("--- Initialise BSS 1 ---\n\n");
+
+ setup_ns(nsi, &bss_peer[0], 0x1001, 0x1000);
+ setup_bssgp(nsi, &bss_peer[0], 0x1002);
+
+ peer = gbproxy_peer_by_nsei(&gbcfg, 0x1000);
+ OSMO_ASSERT(peer != NULL);
+
+ send_bssgp_reset_ack(nsi, &sgsn_peer, 0x1002);
+
+ gprs_dump_nsi(nsi);
+ dump_global(stdout, 0);
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ printf("--- Establish first LLC connection ---\n\n");
+
+ send_llc_ul_ui(nsi, "ATTACH REQUEST", &bss_peer[0], 0x1002,
+ foreign_tlli1, &rai_unknown, cell_id,
+ GPRS_SAPI_GMM, bss_nu++,
+ dtap_attach_req, sizeof(dtap_attach_req));
+
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ send_llc_dl_ui(nsi, "IDENT REQUEST", &sgsn_peer, 0x1002,
+ foreign_tlli1, 0, NULL, 0,
+ GPRS_SAPI_GMM, sgsn_nu++,
+ dtap_identity_req, sizeof(dtap_identity_req));
+
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ send_llc_ul_ui(nsi, "DETACH ACCEPT", &bss_peer[0], 0x1002,
+ foreign_tlli1, &rai_bss, cell_id,
+ GPRS_SAPI_GMM, bss_nu++,
+ dtap_detach_acc, sizeof(dtap_detach_acc));
+
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ send_llc_ul_ui(nsi, "IDENT RESPONSE", &bss_peer[0], 0x1002,
+ foreign_tlli1, &rai_bss, cell_id,
+ GPRS_SAPI_GMM, bss_nu++,
+ dtap_identity_resp, sizeof(dtap_identity_resp));
+
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ dump_global(stdout, 0);
+
+ gbprox_reset(&gbcfg);
+ gprs_ns_destroy(nsi);
+ nsi = NULL;
+
+ cleanup_test();
+}
+
static struct log_info_cat gprs_categories[] = {
[DGPRS] = {
.name = "DGPRS",
@@ -4870,6 +4964,7 @@
test_gbproxy_secondary_sgsn();
test_gbproxy_keep_info();
test_gbproxy_tlli_expire();
+ test_gbproxy_stored_messages();
printf("===== GbProxy test END\n\n");
exit(EXIT_SUCCESS);