Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-mgw / ca2aec02352c30a7913c85ae065a610ea5a131ed
commitca2aec02352c30a7913c85ae065a610ea5a131ed[log] [tgz]
authorNeels Hofmeyr <neels@hofmeyr.de>Fri Oct 04 22:47:31 2019 +0200
committerNeels Hofmeyr <neels@hofmeyr.de>Fri Nov 01 17:37:59 2019 +0100
tree5573b46fcff5c9860add499b6e2fbb488e11749e
parente8278315146e8567bdc15c091297ccf65ba5aa11 [diff]
fix use-after-free: require new fsm deferred dealloc, check for term

API doc: require osmo_fsm_set_dealloc_ctx().

mgcp_client during delete: do not reparent the FSM when it is already
terminating.

I have recently discovered a vulnerability: if an endpoint FSM deallocates
during event handling of a successful MGCP response, this causes a
use-after-free; and once that is fixed, a state change on the already
terminated FSM causes a pointer corruption by using already cleaned data
structures. osmo_fsm_set_dealloc_ctx() fixes the use-after-free, and
osmo_fsm_set_term_stops_actions() fixes the pointer corruption.

Related: Ib7fce7b7d54dfb87af97544796680919e5929a50 (osmo-bsc),
         I08c03946605aa12e0a5ce8b3c773704ef5327a7a (osmo-msc)
Depends: Ief4dba9ea587c9b4aea69993e965fbb20fb80e78 (libosmocore),
         I0adc13a1a998e953b6c850efa2761350dd07e03a (libosmocore)
Change-Id: I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3
2 files changed
tree: 5573b46fcff5c9860add499b6e2fbb488e11749e
  1. contrib/
  2. debian/
  3. doc/
  4. include/
  5. m4/
  6. src/
  7. tests/
  8. .gitignore
  9. .gitreview
  10. .mailmap
  11. AUTHORS
  12. configure.ac
  13. COPYING
  14. git-version-gen
  15. libosmo-mgcp-client.pc.in
  16. Makefile.am
  17. osmoappdesc.py
  18. README
  19. README.vty-tests
  20. TODO-RELEASE