author | Daniel Willmann <dwillmann@sysmocom.de> | 2016-11-07 17:54:29 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2016-11-15 22:32:02 +0000 |
commit | beade314d0f747fa6e77df85931fd7f4251ff2df (patch) | |
tree | 39bc49845a1fb8319230b7e33807a681d4b25139 /openbsc/src/gprs/gb_proxy.c | |
parent | 58273f4b885326fc9ae65b70ddc44f1fe655cf5e (diff) |
gbproxy: Check whether gbproxy_update_link_state_after() deletes the link_info
If the link_info is deleted we have to stop handling the stored messages
inside it. Not doing so can lead to invalid memory being accessed.
Change-Id: Ieb8503e9e94e7a5ac450ad8aa1713ec4f21cdea5
Ticket: OW#3049
Sponsored-by: On-Waves ehf
Diffstat (limited to 'openbsc/src/gprs/gb_proxy.c')
-rw-r--r-- | openbsc/src/gprs/gb_proxy.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/openbsc/src/gprs/gb_proxy.c b/openbsc/src/gprs/gb_proxy.c
index 111f05208..d95139f8d 100644
--- a/openbsc/src/gprs/gb_proxy.c
+++ b/openbsc/src/gprs/gb_proxy.c
@@ -318,7 +318,7 @@ static void gbproxy_reset_imsi_acquisition(struct gbproxy_link_info* link_info)
 	link_info->vu_gen_tx_bss = GBPROXY_INIT_VU_GEN_TX;
 }
 
-static void gbproxy_flush_stored_messages(struct gbproxy_peer *peer,
+static int gbproxy_flush_stored_messages(struct gbproxy_peer *peer,
 					  struct msgb *msg,
 					  time_t now,
 					  struct gbproxy_link_info* link_info,
@@ -349,8 +349,13 @@ static void gbproxy_flush_stored_messages(struct gbproxy_peer *peer,
 					    peer, link_info, &len_change,
 					    &tmp_parse_ctx);
 
-		gbproxy_update_link_state_after(peer, link_info, now,
-						&tmp_parse_ctx);
+		rc = gbproxy_update_link_state_after(peer, link_info, now,
+						     &tmp_parse_ctx);
+		if (rc == 1) {
+			LOGP(DLLC, LOGL_NOTICE, "link_info deleted while flushing stored messages\n");
+			msgb_free(stored_msg);
+			return -1;
+		}
 
 		rc = gbprox_relay2sgsn(peer->cfg, stored_msg, msgb_bvci(msg),
 				       link_info->sgsn_nsei);
@@ -364,6 +369,8 @@ static void gbproxy_flush_stored_messages(struct gbproxy_peer *peer,
 			     parse_ctx->llc_msg_name : "BSSGP");
 		msgb_free(stored_msg);
 	}
+
+	return 0;
 }
 
 static int gbproxy_gsm48_to_peer(struct gbproxy_peer *peer,
@@ -465,9 +472,12 @@ static int gbproxy_imsi_acquisition(struct gbproxy_peer *peer,
 		gsm48_hdr_pdisc(parse_ctx->g48_hdr) == GSM48_PDISC_MM_GPRS &&
 		gsm48_hdr_msg_type(parse_ctx->g48_hdr) == GSM48_MT_GMM_ID_RESP;
 
-	/* The IMSI is now available */
-	gbproxy_flush_stored_messages(peer, msg, now, link_info,
-				      parse_ctx);
+	/* The IMSI is now available. If flushing the messages fails,
+	 * then link_info has been deleted and we should return
+	 * immediately. */
+	if (gbproxy_flush_stored_messages(peer, msg, now, link_info,
+					  parse_ctx) < 0)
+		return 0;
 
 	gbproxy_reset_imsi_acquisition(link_info);
|
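Review bot: The new int return of gbproxy_flush_stored_messages() carries a contract the caller must honour — a negative value means link_info has been freed and must not be touched — but the changed signature in the first hunk gets no comment stating it, and the function body continues outside the hunk. Add a header comment above the `static int` line such as `/* Returns 0 on success, or -1 if link_info was deleted while flushing; the caller must not dereference link_info after a negative return. */`. Spelling that out at the declaration is what keeps a future caller from reusing link_info after the failure, which is exactly the access this commit fixes.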
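Review bot: In the second hunk the deletion check `if (rc == 1)` compares against a bare magic value, and only exactly 1 is treated as "link_info deleted"; any other non-zero result of gbproxy_update_link_state_after() falls through to gbprox_relay2sgsn() and dereferences link_info->sgsn_nsei. Whether the helper can return other values is not visible here, so if 1 is its only deletion signal a comment on the check should say so, e.g. `/* gbproxy_update_link_state_after() returns 1 when it has deleted link_info */`; if it can also report errors, those should be handled before link_info is used again. The enclosing loop starts and ends outside the hunk. The LOGP line could also carry identifying context that is still valid after the deletion, such as `msgb_bvci(msg)`, so the event can be correlated in logs.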