authorPau Espin Pedrol <pespin@sysmocom.de>2018-08-22 21:54:12 +0200
committerPau Espin Pedrol <pespin@sysmocom.de>2018-08-22 21:57:15 +0200
commit76461252c7fb2a984101568e5d37476e4350acbe (patch)
tree8714417cf3bf91e37afca0de305de92f795a1e23
parent5f0a63d67833538e78aaa57c4965bf2ecce89035 (diff)
Fix heap-use-after-free due to OML link destruction
pespin/fix-oml-asan
-rw-r--r--include/osmocom/bsc/gsm_data.h2
-rw-r--r--include/osmocom/bsc/ipaccess.h1
-rw-r--r--src/osmo-bsc/bts_ipaccess_nanobts.c28
-rw-r--r--src/osmo-bsc/osmo_bsc_main.c2
4 files changed, 31 insertions, 2 deletions
diff --git a/include/osmocom/bsc/gsm_data.h b/include/osmocom/bsc/gsm_data.h
index f85887a..b827d0a 100644
--- a/include/osmocom/bsc/gsm_data.h
+++ b/include/osmocom/bsc/gsm_data.h
@@ -923,6 +923,8 @@ struct gsm_bts {
struct gsm_e1_subslot oml_e1_link;
uint8_t oml_tei;
struct e1inp_sign_link *oml_link;
+ /* Timer to use for deferred drop of OML link, see \ref ipaccess_drop_oml_deferred */
+ struct osmo_timer_list oml_drop_link_timer;
/* when OML link was established */
time_t uptime;
diff --git a/include/osmocom/bsc/ipaccess.h b/include/osmocom/bsc/ipaccess.h
index 3d0f612..692e795 100644
--- a/include/osmocom/bsc/ipaccess.h
+++ b/include/osmocom/bsc/ipaccess.h
@@ -31,6 +31,7 @@ struct ipac_ext_lac_cmd {
} __attribute__((packed));
void ipaccess_drop_oml(struct gsm_bts *bts);
+void ipaccess_drop_oml_deferred(struct gsm_bts *bts);
void ipaccess_drop_rsl(struct gsm_bts_trx *trx);
struct sdp_header_item {
diff --git a/src/osmo-bsc/bts_ipaccess_nanobts.c b/src/osmo-bsc/bts_ipaccess_nanobts.c
index 80f7c9c..fec4147 100644
--- a/src/osmo-bsc/bts_ipaccess_nanobts.c
+++ b/src/osmo-bsc/bts_ipaccess_nanobts.c
@@ -166,7 +166,7 @@ static int nm_statechg_event(int evt, struct nm_statechg_signal_data *nsd)
enum abis_nm_chan_comb ccomb =
abis_nm_chcomb4pchan(ts->pchan_from_config);
if (abis_nm_set_channel_attr(ts, ccomb) == -EINVAL) {
- ipaccess_drop_oml(trx->bts);
+ ipaccess_drop_oml_deferred(trx->bts);
return -1;
}
abis_nm_chg_adm_state(trx->bts, obj_class,
@@ -400,6 +400,9 @@ void ipaccess_drop_oml(struct gsm_bts *bts)
struct gsm_bts *rdep_bts;
struct gsm_bts_trx *trx;
+ /* First of all, remove deferred drop if enabled */
+ osmo_timer_del(&bts->oml_drop_link_timer);
+
if (!bts->oml_link)
return;
@@ -432,6 +435,29 @@ void ipaccess_drop_oml(struct gsm_bts *bts)
}
}
+/*! Callback for \ref ipaccess_drop_oml_deferred_cb.
+ */
+static void ipaccess_drop_oml_deferred_cb(void *data)
+{
+ struct gsm_bts *bts = (struct gsm_bts *) data;
+ ipaccess_drop_oml(bts);
+}
+/*! Deferr \ref ipacces_drop_oml through a timer to avoid dropping structures in
+ * current code context. This may be needed if we want to destroy the OML link
+ * while being called from a lower layer "struct osmo_fd" cb, were it is
+ * mandatory to return -EBADF if the osmo_fd has been destroyed. In case code
+ * destroying an OML link is called through an osmo_signal, it becomes
+ * impossible to return any value, thus deferring the destruction is required.
+ */
+void ipaccess_drop_oml_deferred(struct gsm_bts *bts)
+{
+ if (!osmo_timer_pending(&bts->oml_drop_link_timer) && bts->oml_link) {
+ LOGP(DLINP, LOGL_NOTICE, "(bts=%d) Deferring Drop of OML link.\n", bts->nr);
+ osmo_timer_setup(&bts->oml_drop_link_timer, ipaccess_drop_oml_deferred_cb, bts);
+ osmo_timer_schedule(&bts->oml_drop_link_timer, 0, 0);
+ }
+}
+
/* This function is called once the OML/RSL link becomes up. */
static struct e1inp_sign_link *
ipaccess_sign_link_up(void *unit_data, struct e1inp_line *line,
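Review bot: The new oml_drop_link_timer keeps a raw pointer to the bts armed across the event loop, so if a struct gsm_bts can be freed while the timer is pending, ipaccess_drop_oml_deferred_cb would dereference freed memory — the same class of fault this commit fixes; unless the bts teardown path already calls `osmo_timer_del(&bts->oml_drop_link_timer);` (not visible in this diff), it should. The Doxygen comment above ipaccess_drop_oml_deferred_cb references itself rather than the public function; it should read `/*! Timer callback for \ref ipaccess_drop_oml_deferred. */`. The block comment on ipaccess_drop_oml_deferred misspells `Deferr`, `ipacces_drop_oml` and `were`, e.g. `Defer \ref ipaccess_drop_oml through a timer to avoid dropping structures in` and `... "struct osmo_fd" cb, where it is`. The other hunks in this file and in osmo_bsc_main.c only switch callers to the deferred variant and need no change.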
diff --git a/src/osmo-bsc/osmo_bsc_main.c b/src/osmo-bsc/osmo_bsc_main.c
index 8ff0e8a..0dbe81c 100644
--- a/src/osmo-bsc/osmo_bsc_main.c
+++ b/src/osmo-bsc/osmo_bsc_main.c
@@ -191,7 +191,7 @@ static int oml_msg_nack(struct nm_nack_signal_data *nack)
}
if (is_ipaccess_bts(nack->bts))
- ipaccess_drop_oml(nack->bts);
+ ipaccess_drop_oml_deferred(nack->bts);
return 0;
}