authorDaniel Willmann <dwillmann@sysmocom.de>2016-11-08 15:29:30 +0100
committerHarald Welte <laforge@gnumonks.org>2016-11-15 22:32:03 +0000
commitbb42eee11310eb03526138d38a8af7d705500253 (patch)
tree6bff3272e9fb3389ac5887826863c870e472dd56
parentbeade314d0f747fa6e77df85931fd7f4251ff2df (diff)
test/gbproxy: Test for possible memory corruption when link_info is freed
This test is meant to trigger the use-after-free issue in commit bff7b0d80972. If compiled with AddressSanitizer, the test will abort without the fix. Change-Id: I5e8c6626ba43342740f08d699383bdded739079f Ticket: OW#3049 Sponsored-by: On-Waves ehf
-rw-r--r--openbsc/tests/gbproxy/gbproxy_test.c95
-rw-r--r--openbsc/tests/gbproxy/gbproxy_test.ok181
2 files changed, 276 insertions, 0 deletions
diff --git a/openbsc/tests/gbproxy/gbproxy_test.c b/openbsc/tests/gbproxy/gbproxy_test.c
index b32ccb5d4..577daa95e 100644
--- a/openbsc/tests/gbproxy/gbproxy_test.c
+++ b/openbsc/tests/gbproxy/gbproxy_test.c
@@ -4817,6 +4817,100 @@ static void test_gbproxy_imsi_matching(void)
cleanup_test();
}
+static void test_gbproxy_stored_messages()
+{
+ struct gprs_ns_inst *nsi = gprs_ns_instantiate(gprs_ns_callback, NULL);
+ struct sockaddr_in bss_peer[1] = {{0},};
+ struct sockaddr_in sgsn_peer= {0};
+ struct gprs_ra_id rai_bss =
+ {.mcc = 112, .mnc = 332, .lac = 16464, .rac = 96};
+ struct gprs_ra_id rai_unknown =
+ {.mcc = 1, .mnc = 99, .lac = 99, .rac = 96};
+ uint16_t cell_id = 0x1234;
+
+ const uint32_t ptmsi = 0xefe2b700;
+ const uint32_t local_tlli = 0xefe2b700;
+
+ const uint32_t foreign_tlli1 = 0x8000dead;
+
+ struct gbproxy_peer *peer;
+ unsigned bss_nu = 0;
+ unsigned sgsn_nu = 0;
+
+ OSMO_ASSERT(local_tlli == gprs_tmsi2tlli(ptmsi, TLLI_LOCAL));
+
+ bssgp_nsi = nsi;
+ gbcfg.nsi = bssgp_nsi;
+ gbcfg.nsip_sgsn_nsei = SGSN_NSEI;
+ gbcfg.core_mcc = 0;
+ gbcfg.core_mnc = 0;
+ gbcfg.core_apn = talloc_zero_size(NULL, 100);
+ gbcfg.core_apn_size = gprs_str_to_apn(gbcfg.core_apn, 100, "foo.bar");
+ gbcfg.patch_ptmsi = 0;
+ gbcfg.acquire_imsi = 1;
+ gbcfg.keep_link_infos = 0;
+
+ configure_sgsn_peer(&sgsn_peer);
+ configure_bss_peers(bss_peer, ARRAY_SIZE(bss_peer));
+
+ printf("=== %s ===\n", __func__);
+ printf("--- Initialise SGSN ---\n\n");
+
+ connect_sgsn(nsi, &sgsn_peer, SGSN_NSEI);
+
+ printf("--- Initialise BSS 1 ---\n\n");
+
+ setup_ns(nsi, &bss_peer[0], 0x1001, 0x1000);
+ setup_bssgp(nsi, &bss_peer[0], 0x1002);
+
+ peer = gbproxy_peer_by_nsei(&gbcfg, 0x1000);
+ OSMO_ASSERT(peer != NULL);
+
+ send_bssgp_reset_ack(nsi, &sgsn_peer, 0x1002);
+
+ gprs_dump_nsi(nsi);
+ dump_global(stdout, 0);
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ printf("--- Establish first LLC connection ---\n\n");
+
+ send_llc_ul_ui(nsi, "ATTACH REQUEST", &bss_peer[0], 0x1002,
+ foreign_tlli1, &rai_unknown, cell_id,
+ GPRS_SAPI_GMM, bss_nu++,
+ dtap_attach_req, sizeof(dtap_attach_req));
+
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ send_llc_dl_ui(nsi, "IDENT REQUEST", &sgsn_peer, 0x1002,
+ foreign_tlli1, 0, NULL, 0,
+ GPRS_SAPI_GMM, sgsn_nu++,
+ dtap_identity_req, sizeof(dtap_identity_req));
+
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ send_llc_ul_ui(nsi, "DETACH ACCEPT", &bss_peer[0], 0x1002,
+ foreign_tlli1, &rai_bss, cell_id,
+ GPRS_SAPI_GMM, bss_nu++,
+ dtap_detach_acc, sizeof(dtap_detach_acc));
+
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ send_llc_ul_ui(nsi, "IDENT RESPONSE", &bss_peer[0], 0x1002,
+ foreign_tlli1, &rai_bss, cell_id,
+ GPRS_SAPI_GMM, bss_nu++,
+ dtap_identity_resp, sizeof(dtap_identity_resp));
+
+ dump_peers(stdout, 0, 0, &gbcfg);
+
+ dump_global(stdout, 0);
+
+ gbprox_reset(&gbcfg);
+ gprs_ns_destroy(nsi);
+ nsi = NULL;
+
+ cleanup_test();
+}
+
static struct log_info_cat gprs_categories[] = {
[DGPRS] = {
.name = "DGPRS",
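Review bot: The new test_gbproxy_stored_messages() carries no comment saying what it regresses, so a reader of gbproxy_test.c sees only a sequence of send_llc_*_ui() calls with nothing that distinguishes pass from fail — the pass criterion (no AddressSanitizer report while the link_info with STORED messages is released) lives only in the commit message. A header comment above the function would fix that, e.g. `/* Regression test for the use-after-free of commit bff7b0d80972: with acquire_imsi=1 and keep_link_infos=0, the IDENT RESPONSE flushes the stored messages and drops the link_info (TLLI-Cache 1 -> 0 in the .ok file); run under ASan, a regression aborts here. */`. The signature `static void test_gbproxy_stored_messages()` declares an unspecified-argument function, unlike the neighbouring `test_gbproxy_imsi_matching(void)` in the hunk header; it should read `static void test_gbproxy_stored_messages(void)`. The result of `gbcfg.core_apn = talloc_zero_size(NULL, 100);` is written to by gprs_str_to_apn() without a NULL check and the size 100 is repeated on the next line; this presumably mirrors the other tests and cleanup_test() presumably frees it, but both are worth confirming since the test is specifically about heap lifetime.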
@@ -4870,6 +4964,7 @@ int main(int argc, char **argv)
test_gbproxy_secondary_sgsn();
test_gbproxy_keep_info();
test_gbproxy_tlli_expire();
+ test_gbproxy_stored_messages();
printf("===== GbProxy test END\n\n");
exit(EXIT_SUCCESS);
diff --git a/openbsc/tests/gbproxy/gbproxy_test.ok b/openbsc/tests/gbproxy/gbproxy_test.ok
index 0ef976f0e..737aec0ba 100644
--- a/openbsc/tests/gbproxy/gbproxy_test.ok
+++ b/openbsc/tests/gbproxy/gbproxy_test.ok
@@ -7059,5 +7059,186 @@ Test TLLI expiry, max_len == 2, max_age == 1:
TLLI-Cache: 1
TLLI c0000d80, IMSI 12345678, AGE 0, IMSI matches
+=== test_gbproxy_stored_messages ===
+--- Initialise SGSN ---
+
+MESSAGE to SGSN at 0x05060708:32000, msg length 12
+02 00 81 01 01 82 01 01 04 82 01 00
+
+PROCESSING RESET_ACK from 0x05060708:32000
+03 01 82 01 01 04 82 01 00
+
+MESSAGE to SGSN at 0x05060708:32000, msg length 1
+0a
+
+result (RESET_ACK) = 1
+
+PROCESSING ALIVE_ACK from 0x05060708:32000
+0b
+
+MESSAGE to SGSN at 0x05060708:32000, msg length 1
+06
+
+result (ALIVE_ACK) = 1
+
+PROCESSING UNBLOCK_ACK from 0x05060708:32000
+07
+
+==> got signal NS_UNBLOCK, NS-VC 0x0101/5.6.7.8:32000
+
+result (UNBLOCK_ACK) = 0
+
+PROCESSING ALIVE from 0x05060708:32000
+0a
+
+MESSAGE to SGSN at 0x05060708:32000, msg length 1
+0b
+
+result (ALIVE) = 1
+
+--- Initialise BSS 1 ---
+
+Setup NS-VC: remote 0x01020304:1111, NSVCI 0x1001(4097), NSEI 0x1000(4096)
+
+PROCESSING RESET from 0x01020304:1111
+02 00 81 01 01 82 10 01 04 82 10 00
+
+==> got signal NS_RESET, NS-VC 0x1001/1.2.3.4:1111
+
+MESSAGE to BSS at 0x01020304:1111, msg length 9
+03 01 82 10 01 04 82 10 00
+
+MESSAGE to BSS at 0x01020304:1111, msg length 1
+0a
+
+result (RESET) = 9
+
+PROCESSING ALIVE from 0x01020304:1111
+0a
+
+MESSAGE to BSS at 0x01020304:1111, msg length 1
+0b
+
+result (ALIVE) = 1
+
+PROCESSING UNBLOCK from 0x01020304:1111
+06
+
+==> got signal NS_UNBLOCK, NS-VC 0x1001/1.2.3.4:1111
+
+MESSAGE to BSS at 0x01020304:1111, msg length 1
+07
+
+result (UNBLOCK) = 1
+
+PROCESSING ALIVE_ACK from 0x01020304:1111
+0b
+
+result (ALIVE_ACK) = 0
+
+Setup BSSGP: remote 0x01020304:1111, BVCI 0x1002(4098)
+
+PROCESSING BVC_RESET from 0x01020304:1111
+00 00 00 00 22 04 82 10 02 07 81 08 08 88 11 22 33 40 50 60 10 00
+
+CALLBACK, event 0, msg length 18, bvci 0x0000
+00 00 00 00 22 04 82 10 02 07 81 08 08 88 11 22 33 40 50 60 10 00
+
+NS UNITDATA MESSAGE to SGSN, BVCI 0x0000, msg length 18 (gprs_ns_sendmsg)
+MESSAGE to SGSN at 0x05060708:32000, msg length 22
+00 00 00 00 22 04 82 10 02 07 81 08 08 88 11 22 33 40 50 60 10 00
+
+result (BVC_RESET) = 22
+
+PROCESSING BVC_RESET_ACK from 0x05060708:32000
+00 00 00 00 23 04 82 10 02
+
+CALLBACK, event 0, msg length 5, bvci 0x0000
+00 00 00 00 23 04 82 10 02
+
+NS UNITDATA MESSAGE to BSS, BVCI 0x0000, msg length 5 (gprs_ns_sendmsg)
+MESSAGE to BSS at 0x01020304:1111, msg length 9
+00 00 00 00 23 04 82 10 02
+
+result (BVC_RESET_ACK) = 9
+
+Current NS-VCIs:
+ VCI 0x1001, NSEI 0x1000, peer 0x01020304:1111
+ VCI 0x0101, NSEI 0x0100, peer 0x05060708:32000
+ NS-VC Block count : 1
+
+Gbproxy global:
+Peers:
+ NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+ TLLI-Cache: 0
+--- Establish first LLC connection ---
+
+PROCESSING ATTACH REQUEST from 0x01020304:1111
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 01 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 16 6d 01
+
+CALLBACK, event 0, msg length 75, bvci 0x1002
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 01 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 16 6d 01
+
+NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 24 (gprs_ns_sendmsg)
+MESSAGE to BSS at 0x01020304:1111, msg length 28
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c4 01 08 15 01 b7 f8 36
+
+result (ATTACH REQUEST) = 0
+
+Peers:
+ NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+ Attach Request count : 1
+ TLLI cache size : 1
+ TLLI-Cache: 1
+ TLLI 8000dead -> 8000dead, IMSI (none), AGE 0, STORED 1, IMSI acquisition in progress
+PROCESSING IDENT REQUEST from 0x05060708:32000
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 89 41 c0 01 08 15 01 ff 6c ba
+
+CALLBACK, event 0, msg length 23, bvci 0x1002
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 89 41 c0 01 08 15 01 ff 6c ba
+
+NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 23 (gprs_ns_sendmsg)
+MESSAGE to BSS at 0x01020304:1111, msg length 27
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 89 41 c0 01 08 15 01 ff 6c ba
+
+result (IDENT REQUEST) = 27
+
+Peers:
+ NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+ Attach Request count : 1
+ TLLI cache size : 1
+ TLLI-Cache: 1
+ TLLI 8000dead -> 8000dead, IMSI (none), AGE 0, STORED 1, IMSI acquisition in progress
+PROCESSING DETACH ACCEPT from 0x01020304:1111
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 09 01 c0 05 08 06 00 f8 92 41
+
+CALLBACK, event 0, msg length 32, bvci 0x1002
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 09 01 c0 05 08 06 00 f8 92 41
+
+result (DETACH ACCEPT) = 0
+
+Peers:
+ NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+ Attach Request count : 1
+ TLLI cache size : 1
+ TLLI-Cache: 1
+ TLLI 8000dead -> 8000dead, IMSI (none), AGE 0, STORED 2, IMSI acquisition in progress
+PROCESSING IDENT RESPONSE from 0x01020304:1111
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 11 01 c0 09 08 16 08 11 12 13 14 15 16 17 18 ba 14 c3
+
+CALLBACK, event 0, msg length 40, bvci 0x1002
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 11 01 c0 09 08 16 08 11 12 13 14 15 16 17 18 ba 14 c3
+
+NS UNITDATA MESSAGE to SGSN, BVCI 0x1002, msg length 75 (gprs_ns_sendmsg)
+MESSAGE to SGSN at 0x05060708:32000, msg length 79
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 01 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 16 6d 01
+
+result (IDENT RESPONSE) = 0
+
+Peers:
+ NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+ Attach Request count : 1
+ TLLI-Cache: 0
+Gbproxy global:
===== GbProxy test END