diff options
author | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2014-11-10 08:30:31 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2014-11-10 08:47:14 +0100 |
commit | 74b2028167ddf04a867ae9f269bfa3435c93f252 (patch) | |
tree | 16a6da9b4fa426172664aff7ec0a9d3b7d913e22 /openbsc/tests/ctrl_test_runner.py | |
parent | 33f2c4d898c59a05c8122fd9897cbd22f643b367 (diff) |
bsc: Fix use-after-free on OML NM messages from the BTS
Currently the sign_link pointer is dereferenced after a call to
osmo_signal_dispatch, which can indirectly call
e1inp_sign_link_destroy. If that happens, accessing *sign_link is
illegal and can lead to a segmentation violation.
Since only the bts pointer is needed from sign_link after the call to
osmo_signal_dispatch, this patch changes abis_nm_rcvmsg_fom to save
that pointer to a local variable earlier.
Addresses:
<0019> input/ipa.c:250 accept()ed new link from 192.168.1.101 to port 3002
SET ATTR NACK CAUSE=Message cannot be performed
<0005> bsc_init.c:52 Got a NACK going to drop the OML links.
<001b> bsc_init.c:319 Lost some E1 TEI link: 1 0xb351a830
=================================================================
==13198== ERROR: AddressSanitizer: heap-use-after-free on address 0xb5d1bc70 at pc 0x80a6e3d bp 0xbfbb33d8 sp 0xbfbb33cc
Sponsored-by: On-Waves ehf
Diffstat (limited to 'openbsc/tests/ctrl_test_runner.py')
0 files changed, 0 insertions, 0 deletions