commit | ca2aec02352c30a7913c85ae065a610ea5a131ed | [log] [tgz] |
---|---|---|
author | Neels Hofmeyr <neels@hofmeyr.de> | Fri Oct 04 22:47:31 2019 +0200 |
committer | Neels Hofmeyr <neels@hofmeyr.de> | Fri Nov 01 17:37:59 2019 +0100 |
tree | 5573b46fcff5c9860add499b6e2fbb488e11749e | |
parent | e8278315146e8567bdc15c091297ccf65ba5aa11 [diff] |
fix use-after-free: require new fsm deferred dealloc, check for term

API doc: require osmo_fsm_set_dealloc_ctx().

mgcp_client during delete: do not reparent the FSM when it is already terminating.

I have recently discovered a vulnerability: if an endpoint FSM deallocates during event handling of a successful MGCP response, this causes a use-after-free; and once that is fixed, a state change on the already terminated FSM causes a pointer corruption by using already cleaned data structures.

osmo_fsm_set_dealloc_ctx() fixes the use-after-free, and osmo_fsm_set_term_stops_actions() fixes the pointer corruption.

Related: Ib7fce7b7d54dfb87af97544796680919e5929a50 (osmo-bsc), I08c03946605aa12e0a5ce8b3c773704ef5327a7a (osmo-msc)
Depends: Ief4dba9ea587c9b4aea69993e965fbb20fb80e78 (libosmocore), I0adc13a1a998e953b6c850efa2761350dd07e03a (libosmocore)
Change-Id: I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3
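As an added illustration of the two fixes the commit message names (constructed here, not code from libosmocore or from this commit), the following C model shows why a free requested inside an event handler must be deferred until the dispatcher is done with the instance, and why a terminating FSM must refuse further state changes. The names fsm_inst, fsm_term, fsm_dispatch and on_mgcp_ok are stand-ins, not libosmocore API.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the pattern in the commit (not libosmocore code): a free
 * requested inside an event handler is deferred until the dispatcher is done
 * with the instance (cf. osmo_fsm_set_dealloc_ctx()), and a terminating
 * instance refuses state changes (cf. osmo_fsm_set_term_stops_actions()). */
struct fsm_inst { int state; bool terminating; };

static void *deferred[8];  /* stands in for the deferred-dealloc talloc context */
static int n_deferred;

static int fsm_state_chg(struct fsm_inst *fi, int new_state)
{
    if (fi->terminating)  /* term stops actions: no work on cleaned-up state */
        return -1;
    fi->state = new_state;
    return 0;
}

static void fsm_term(struct fsm_inst *fi)
{
    fi->terminating = true;
    if (n_deferred < 8)
        deferred[n_deferred++] = fi;  /* not free(fi): callers still hold fi */
}

static int fsm_flush_deferred(void)
{
    int n = n_deferred;
    while (n_deferred > 0)
        free(deferred[--n_deferred]);
    return n;
}

/* Handler for a successful MGCP response: terminates the FSM, then code later
 * on the same path attempts one more state change on it. */
static int on_mgcp_ok(struct fsm_inst *fi)
{
    fsm_term(fi);
    return fsm_state_chg(fi, 2);  /* -1: refused instead of corrupting memory */
}

/* Dispatcher: runs the handler, still reads fi afterwards (safe only because
 * the free was deferred), then releases what the handler queued for freeing. */
static int fsm_dispatch(struct fsm_inst *fi, int (*handler)(struct fsm_inst *))
{
    int rc = handler(fi);
    bool term = fi->terminating;  /* use-after-free here with an immediate free() */
    return (fsm_flush_deferred() == 1 && term) ? rc : 0;
}
```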