From 74b2028167ddf04a867ae9f269bfa3435c93f252 Mon Sep 17 00:00:00 2001 From: Jacob Erlbeck Date: Mon, 10 Nov 2014 08:30:31 +0100 Subject: bsc: Fix use-after-free on OML NM messages from the BTS Currently the sign_link pointer is dereferenced after a call to osmo_signal_dispatch, which can indirectly call e1inp_sign_link_destroy. If that happens, accessing *sign_link is illegal and can lead to a segmentation violation. Since only the bts pointer is needed from sign_link after the call to osmo_signal_dispatch, this patch changes abis_nm_rcvmsg_fom to save that pointer to a local variable earlier. Addresses: <0019> input/ipa.c:250 accept()ed new link from 192.168.1.101 to port 3002 SET ATTR NACK CAUSE=Message cannot be performed <0005> bsc_init.c:52 Got a NACK going to drop the OML links. <001b> bsc_init.c:319 Lost some E1 TEI link: 1 0xb351a830 ================================================================= ==13198== ERROR: AddressSanitizer: heap-use-after-free on address 0xb5d1bc70 at pc 0x80a6e3d bp 0xbfbb33d8 sp 0xbfbb33cc Sponsored-by: On-Waves ehf --- openbsc/src/libbsc/abis_nm.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'openbsc/src/libbsc') diff --git a/openbsc/src/libbsc/abis_nm.c b/openbsc/src/libbsc/abis_nm.c index 3bf55ec56..c05e2f94f 100644 --- a/openbsc/src/libbsc/abis_nm.c +++ b/openbsc/src/libbsc/abis_nm.c @@ -565,6 +565,8 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb) struct abis_om_fom_hdr *foh = msgb_l3(mb); struct e1inp_sign_link *sign_link = mb->dst; uint8_t mt = foh->msg_type; + /* sign_link might get deleted via osmo_signal_dispatch -> save bts */ + struct gsm_bts *bts = sign_link->trx->bts; int ret = 0; /* check for unsolicited message */ @@ -582,7 +584,7 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb) DEBUGPC(DNM, "%s NACK ", abis_nm_nack_name(mt)); - abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length-sizeof(*foh)); + abis_nm_tlv_parse(&tp, bts, foh->data, oh->length-sizeof(*foh)); if (TLVP_PRESENT(&tp, NM_ATT_NACK_CAUSES)) DEBUGPC(DNM, "CAUSE=%s\n", abis_nm_nack_cause_name(*TLVP_VAL(&tp, NM_ATT_NACK_CAUSES))); @@ -591,9 +593,9 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb) nack_data.msg = mb; nack_data.mt = mt; - nack_data.bts = sign_link->trx->bts; + nack_data.bts = bts; osmo_signal_dispatch(SS_NM, S_NM_NACK, &nack_data); - abis_nm_queue_send_next(sign_link->trx->bts); + abis_nm_queue_send_next(bts); return 0; } #if 0 @@ -636,7 +638,7 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb) break; } - abis_nm_queue_send_next(sign_link->trx->bts); + abis_nm_queue_send_next(bts); return ret; } -- cgit v1.2.3