authorJacob Erlbeck <jerlbeck@sysmocom.de>2014-11-03 12:48:43 +0100
committerJacob Erlbeck <jerlbeck@sysmocom.de>2014-11-03 13:01:14 +0100
commitb104ab158e9eb914e0303bc2f965a2f4d68ad372 (patch)
tree6e9d8091b2f002a333a5fd079408f1cf3c6b3a47
parent6b9660f3d8e480f3fd245a1c449f1f65e0a95c99 (diff)
osmo-bsc: Fix use-after-free OML NM messages from the BTS
Currently the sign_link pointer is dereferenced after a call to osmo_signal_dispatch, which can indirectly call e1inp_sign_link_destroy. If that happens, accessing *sign_link is illegal and can lead to a segmentation violation. Since only the bts pointer is needed from sign_link after the call to osmo_signal_dispatch, this patch changes abis_nm_rcvmsg_fom to save that pointer to a local variable earlier. Addresses: <0019> input/ipa.c:250 accept()ed new link from 192.168.1.101 to port 3002 SET ATTR NACK CAUSE=Message cannot be performed <0005> bsc_init.c:52 Got a NACK going to drop the OML links. <001b> bsc_init.c:319 Lost some E1 TEI link: 1 0xb351a830 ================================================================= ==13198== ERROR: AddressSanitizer: heap-use-after-free on address 0xb5d1bc70 at pc 0x80a6e3d bp 0xbfbb33d8 sp 0xbfbb33cc Sponsored-by: On-Waves ehf
-rw-r--r--openbsc/src/libbsc/abis_nm.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/openbsc/src/libbsc/abis_nm.c b/openbsc/src/libbsc/abis_nm.c
index 3bf55ec56..89ffea412 100644
--- a/openbsc/src/libbsc/abis_nm.c
+++ b/openbsc/src/libbsc/abis_nm.c
@@ -565,6 +565,8 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb)
struct abis_om_fom_hdr *foh = msgb_l3(mb);
struct e1inp_sign_link *sign_link = mb->dst;
uint8_t mt = foh->msg_type;
+ /* sign_link might get deleted via osmo_signal_dispatch -> save bts */
+ struct gsm_bts *bts = sign_link->trx->bts;
int ret = 0;
/* check for unsolicited message */
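Review bot: The new comment on the `bts` declaration names the hazard (sign_link may be freed) but not the assumption the fix depends on: that the `struct gsm_bts` reached through `sign_link->trx->bts` outlives `osmo_signal_dispatch` even when a S_NM_NACK handler destroys the OML sign link. Since `bts` is handed to `abis_nm_queue_send_next` after the dispatch, that lifetime assumption is now the only thing standing between this code and the same class of use-after-free, so it should be stated explicitly, e.g. `/* sign_link may be freed by osmo_signal_dispatch (NACK handlers can drop the OML link); cache bts, which is assumed to outlive the dispatch */`. The dereference `sign_link->trx->bts` at the top is unconditional, as it was before this change, so the patch does not alter that contract; the body of abis_nm_rcvmsg_fom continues outside this hunk.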
@@ -593,7 +595,7 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb)
nack_data.mt = mt;
nack_data.bts = sign_link->trx->bts;
osmo_signal_dispatch(SS_NM, S_NM_NACK, &nack_data);
- abis_nm_queue_send_next(sign_link->trx->bts);
+ abis_nm_queue_send_next(bts);
return 0;
}
#if 0
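Review bot: `nack_data.bts = sign_link->trx->bts;` still reads through `sign_link` although the function now has a `bts` local holding the same pointer; `nack_data.bts = bts;` keeps one source of truth and makes it easy to verify that nothing in the NACK path touches `sign_link` once the dispatch may have freed it. As written this is not a defect, because the read precedes `osmo_signal_dispatch`, so it is a consistency point only. The enclosing function starts before this hunk.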
@@ -636,7 +638,7 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb)
break;
}
- abis_nm_queue_send_next(sign_link->trx->bts);
+ abis_nm_queue_send_next(bts);
return ret;
}