author | Pau Espin Pedrol <pespin@sysmocom.de> | 2020-07-31 12:55:01 +0200 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2020-07-31 13:03:43 +0200 |
commit | deb5c4f7ab24a2fa19200bb117b24b4382cb45f1 (patch) | |
tree | 25fa751f23e8f7929bd78433edd7ba558934d56a /src | |
parent | 8fc8ceff16aa1fdd3b0b6bdcc7659ad7ba7ad591 (diff) |
ipaccess: Fix use-after-free in ipaccess_drop()

Recent commit b8ea0ff521a3e01c22a9dd1948b9a853521f575e introduced a
heap-use-after-free while getting rid of memleaks and clearing up the
reference counting lifecycle of the line object.

In that commit, e1inp_line_put2() was added in ipaccess_drop() which may
potentially free the line object (and its children e1inp_ts objects)
under specific conditions/scenarios. However, the function still used
the child object e1i_ts which in those scenarios would access already
freed memory.

Let's keep a local reference during the life of the function to make
sure the object is non-freed during e1inp_line_put2(), so that we can
notify upper layers that the link is down.

Detected by enabling ASan and running BSC_Tests.TC_chopped_ipa_ping
TTCN3 test.

Related: OS#4688
Change-Id: I4f56af28ad8297846bcdc8ba7afe51fff0f9a00f
Diffstat (limited to 'src')
-rw-r--r-- | src/input/ipaccess.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/input/ipaccess.c b/src/input/ipaccess.c index d81191c..30bcaf9 100644 --- a/src/input/ipaccess.c +++ b/src/input/ipaccess.c @@ -82,6 +82,7 @@ static int ipaccess_drop(struct osmo_fd *bfd, struct e1inp_line *line) { int ret = 1; struct e1inp_ts *e1i_ts = ipaccess_line_ts(bfd, line); + e1inp_line_get2(line, __func__); ipaccess_keepalive_fsm_cleanup(e1i_ts); @@ -108,6 +109,7 @@ static int ipaccess_drop(struct osmo_fd *bfd, struct e1inp_line *line) /* e1inp_sign_link_destroy releases the socket descriptors for us. */ line->ops->sign_link_down(line); + e1inp_line_put2(line, __func__); return ret; } |
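Review bot: The new e1inp_line_get2(line, __func__) at the top of ipaccess_drop() (first hunk, right after the e1i_ts declaration) carries no comment saying why the function takes its own reference on line. A one-line comment above it, stating that the reference keeps line and the e1i_ts obtained from it valid until the sign_link_down() call at the end of the function, would stop a later cleanup from removing the get/put pair as redundant. The call also sits directly under the declarations with no blank line, so separating it would make it easier to pair visually with the e1inp_line_put2() at the bottom.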
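Review bot: The matching e1inp_line_put2(line, __func__) in the second hunk is placed only before the final return ret, and the lines between the two hunks are not shown, so please confirm that no path between the get and this put returns early, since that would leak the reference taken at the top of the function. A short comment at this put noting that line may be freed by it and must not be touched afterwards would also help; the visible code is fine on that count, as only ret is used after the call.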