From 4a2cc9eb0a0f9424c16b26fcb757483a39d67482 Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol
Date: Fri, 12 Oct 2018 20:10:07 +0200
Subject: mgcp: osmux: Improve checks around activating and using enabled osmux
* Refactor code to have unified checks on all paths activating Osmux.
* Improve checkings at activation time and add logging.
* Code now enforces endp osmux status to be enabled before processing the frame through endp->osmux.out. Before, a delayed or bad pkt could arrive and be processed by an endp with osmux not enabled, using endp->osmux.out that was not initialized and ended up crashing:
libosmo-netif/src/osmux.c:281:3: runtime error: member access within null pointer of type 'struct msgb'
This could also happen if a BSC started sending or we received (non legacy dummy) osmux frames before we received the BSC CRCX ACK agreeing on osmux negotiation and switching to ACTIVATING state.
Related: SYS#4350
Change-Id: I3536169c94e65f999aaa9c9e43cc7dab8551d30f
---
 openbsc/src/libmgcp/mgcp_osmux.c | 85 ++++++++++++++++++++--------------------
 1 file changed, 43 insertions(+), 42 deletions(-)
(limited to 'openbsc')
diff --git a/openbsc/src/libmgcp/mgcp_osmux.c b/openbsc/src/libmgcp/mgcp_osmux.c
index 6be5eb222..a0ac295c4 100644
--- a/openbsc/src/libmgcp/mgcp_osmux.c
+++ b/openbsc/src/libmgcp/mgcp_osmux.c
@@ -261,6 +261,34 @@ static struct msgb *osmux_recv(struct osmo_fd *ofd, struct sockaddr_in *addr)
 return msg;
 }
+/* Updates endp osmux state and returns 0 if it can process messages, -1 otherwise */
+static int endp_osmux_state_check(struct mgcp_endpoint *endp, struct sockaddr_in *addr, bool sending)
+{
+ switch(endp->osmux.state) {
+ case OSMUX_STATE_ACTIVATING:
+ if (osmux_enable_endpoint(endp, &addr->sin_addr, addr->sin_port) < 0 ) {
+ LOGP(DMGCP, LOGL_ERROR,
+ "Could not enable osmux in endpoint 0x%x for %s:%u\n",
+ ENDPOINT_NUMBER(endp), inet_ntoa(addr->sin_addr),
+ ntohs(addr->sin_port));
+ return -1;
+ }
+ LOGP(DMGCP, LOGL_INFO, "Enabling osmux in endpoint 0x%x for %s:%u\n",
+ ENDPOINT_NUMBER(endp), inet_ntoa(addr->sin_addr),
+ ntohs(addr->sin_port));
+ return 0;
+ case OSMUX_STATE_ENABLED:
+ return 0;
+ default:
+ LOGP(DMGCP, LOGL_ERROR,
+ "Osmux %s in endpoint 0x%x for %s:%u without full negotiation, state %d\n",
+ sending ? "sent" : "received",
+ ENDPOINT_NUMBER(endp), inet_ntoa(addr->sin_addr),
+ ntohs(addr->sin_port), endp->osmux.state);
+ return -1;
+ }
+}
+
 static int osmux_legacy_dummy_parse_cid(struct sockaddr_in *addr, struct msgb *msg,
 uint8_t *osmux_cid)
 {
@@ -312,11 +340,12 @@ int osmux_read_from_bsc_nat_cb(struct osmo_fd *ofd, unsigned int what)
 osmuxh->circuit_id);
 goto out;
 }
- endp->osmux.stats.octets += osmux_chunk_length(msg, rem);
- endp->osmux.stats.chunks++;
+ if (endp_osmux_state_check(endp, &addr, false) == 0) {
+ endp->osmux.stats.octets += osmux_chunk_length(msg, rem);
+ endp->osmux.stats.chunks++;
+ osmux_xfrm_output_sched(&endp->osmux.out, osmuxh);
+ }
 rem = msg->len;
-
- osmux_xfrm_output_sched(&endp->osmux.out, osmuxh);
 }
 out:
 msgb_free(msg);
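Review bot: The header comment of endp_osmux_state_check does not say what the ACTIVATING branch relies on, namely that a successful osmux_enable_endpoint() moves endp->osmux.state to OSMUX_STATE_ENABLED so that later calls hit the ENABLED case — presumably it does, but that should be stated since every read and send path now depends on it. Suggest replacing the one-line comment with: `/* Checks, and from OSMUX_STATE_ACTIVATING completes, the osmux activation of endp towards addr. Returns 0 if frames may be scheduled through endp->osmux.out, -1 otherwise; the failure is logged here, so callers need not log again. */`. As addr is only read, `const struct sockaddr_in *addr` would document that as well, and `switch (` / `< 0)` are the conventional spacings for the two lines that currently differ.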
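Review bot: In osmux_read_from_bsc_nat_cb the new check runs once per chunk inside the batch loop (the loop begins outside the hunk), so a batch for an endpoint that is in neither ACTIVATING nor ENABLED state yields one LOGL_ERROR line per chunk from the helper's default case, and this path reads unauthenticated UDP input. Skipping only the offending chunk is right, since one batch may carry chunks for several CIDs, but the per-chunk error log is an easy way to flood the log; consider rate-limiting that log or demoting it to LOGL_NOTICE, and counting the rejected chunk in the endpoint's osmux stats so the drop stays visible without a log line. The identical per-chunk pattern is in the osmux_read_from_bsc_cb hunk (`@@ -393,11 +410,12 @@`).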
@@ -339,20 +368,8 @@ static int osmux_handle_dummy(struct mgcp_config *cfg, struct sockaddr_in *addr,
 "Cannot find endpoint for Osmux CID %d\n", osmux_cid);
 goto out;
 }
-
- if (endp->osmux.state == OSMUX_STATE_ENABLED)
- goto out;
-
- if (osmux_enable_endpoint(endp, &addr->sin_addr, addr->sin_port) < 0 ) {
- LOGP(DMGCP, LOGL_ERROR,
- "Could not enable osmux in endpoint 0x%x\n",
- ENDPOINT_NUMBER(endp));
- goto out;
- }
-
- LOGP(DMGCP, LOGL_INFO, "Enabling osmux in endpoint 0x%x for %s:%u\n",
- ENDPOINT_NUMBER(endp), inet_ntoa(addr->sin_addr),
- ntohs(addr->sin_port));
+ endp_osmux_state_check(endp, addr, false);
+ /* Only needed to punch hole in firewall, it can be dropped */
 out:
 msgb_free(msg);
 return 0;
@@ -393,11 +410,12 @@ int osmux_read_from_bsc_cb(struct osmo_fd *ofd, unsigned int what)
 osmuxh->circuit_id);
 goto out;
 }
- endp->osmux.stats.octets += osmux_chunk_length(msg, rem);
- endp->osmux.stats.chunks++;
+ if (endp_osmux_state_check(endp, &addr, false) == 0) {
+ endp->osmux.stats.octets += osmux_chunk_length(msg, rem);
+ endp->osmux.stats.chunks++;
+ osmux_xfrm_output_sched(&endp->osmux.out, osmuxh);
+ }
 rem = msg->len;
-
- osmux_xfrm_output_sched(&endp->osmux.out, osmuxh);
 }
 out:
 msgb_free(msg);
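Review bot: In osmux_handle_dummy the result of endp_osmux_state_check() is silently discarded, and the comment added after the call sits between the call and the `out:` label, so it reads as describing the cleanup rather than the dummy frame. Make the intent explicit by moving the comment above the call and marking the ignored result: `/* The dummy frame only punches a hole in the firewall; it is dropped once it has triggered activation. */` followed by `(void)endp_osmux_state_check(endp, addr, false);`. Note also that the removed code returned quietly when the state was already ENABLED and only acted otherwise, whereas the helper now logs at LOGL_ERROR for every state other than ACTIVATING/ENABLED, so a legacy dummy arriving before the CRCX ACK — an ordering the commit description says can happen — now produces an error line per dummy.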
@@ -535,26 +553,9 @@ int osmux_send_dummy(struct mgcp_endpoint *endp)
 if (memcmp(&endp->net_end.addr, &addr_unset, sizeof(addr_unset)) == 0)
 return 0;
- if (endp->osmux.state == OSMUX_STATE_ACTIVATING) {
- if (osmux_enable_endpoint(endp, &endp->net_end.addr,
- htons(endp->cfg->osmux_port)) < 0) {
- LOGP(DMGCP, LOGL_ERROR,
- "Could not activate osmux in endpoint 0x%x\n",
- ENDPOINT_NUMBER(endp));
- return 0;
- }
- LOGP(DMGCP, LOGL_ERROR,
- "Osmux CID %u for %s:%u is now enabled\n",
- endp->osmux.cid, inet_ntoa(endp->net_end.addr),
- endp->cfg->osmux_port);
- }
- if(endp->osmux.state != OSMUX_STATE_ENABLED) {
- LOGP(DMGCP, LOGL_ERROR,
- "OSMUX dummy to %s CID %u: Osmux not enabled on endpoint 0x%x state %d\n",
- inet_ntoa(endp->net_end.addr), endp->osmux.cid,
- ENDPOINT_NUMBER(endp), endp->osmux.state);
- return 0;
- }
+ if (endp_osmux_state_check(endp, &endp->net_end.addr, true) < 0)
+ return;
+
 LOGP(DMGCP, LOGL_DEBUG, "sending OSMUX dummy load to %s CID %u\n", inet_ntoa(endp->net_end.addr), endp->osmux.cid);
-- cgit v1.2.3
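Review bot: The new `return;` in osmux_send_dummy returns no value from a function the hunk header declares as `int`, while the surviving `return 0;` two lines above shows the existing convention; it should be `return 0;`. More seriously, `&endp->net_end.addr` is passed where the helper expects a `struct sockaddr_in *`, yet the removed lines used that same field as the `struct in_addr` argument of osmux_enable_endpoint() and took the port from `htons(endp->cfg->osmux_port)`; if net_end.addr really is a `struct in_addr`, the helper's reads of `addr->sin_port` and `addr->sin_addr` land on the wrong bytes (partly past the end of the 4-byte object) and the configured osmux port is no longer what gets enabled. Building a local `struct sockaddr_in` from the two values the old code used keeps the helper's contract and the previous behaviour; the rest of osmux_send_dummy continues outside the hunk.
```c
	/* The helper takes a full socket address, while net_end.addr holds
	 * only the remote IP; the port comes from the config as before. */
	struct sockaddr_in dst = {
		.sin_family = AF_INET,
		.sin_addr = endp->net_end.addr,
		.sin_port = htons(endp->cfg->osmux_port),
	};
	if (endp_osmux_state_check(endp, &dst, true) < 0)
		return 0;

	/* … unchanged: LOGL_DEBUG "sending OSMUX dummy load" log … */
```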