authorPau Espin Pedrol <pespin@sysmocom.de>2018-06-27 12:47:30 +0200
committerPau Espin Pedrol <pespin@sysmocom.de>2018-06-27 12:47:44 +0200
commite239764f5aaf0f9242b569006323f958ae43f78e (patch)
tree6e9edadedc49015d4390b77e8ba841fb478af52a /openbsc/src/osmo-bsc_nat/bsc_ussd.c
parentfc08989dc8b9597cefbaa0972446f17b37e34384 (diff)
bsc-nat: Avoid heap-use-after-free on USSD conn lost
When ussd_read_cb calls bsc_nat_ussd_destroy the osmo_fd struct is freed, so we need to indicate to osmo_wqueue_bfd_cb that it should not continue using the fd pointer after we return. Fixes following AddressSanitizer report: <0015> osmo-bsc_nat/bsc_ussd.c:273 USSD Connection on 13 with IP: 1.2.3.4 <0015> osmo-bsc_nat/bsc_ussd.c:132 USSD Connection was lost. ================================================================= ==18118==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200047c4b4 at pc 0x7ffff6067540 bp 0x7fffffffe170 sp 0x7fffffffe168 READ of size 4 at 0x61200047c4b4 thread T0 #0 0x7ffff606753f in osmo_wqueue_bfd_cb libosmocore/src/write_queue.c:65 #1 0x7ffff605206b in osmo_fd_disp_fds libosmocore/src/select.c:217 #2 0x7ffff6052305 in osmo_select_main libosmocore/src/select.c:257 #3 0x421dfa in main osmo-bsc_nat/bsc_nat.c:1718 #4 0x7ffff47ffb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44) #5 0x406438 (/bin/osmo-bsc_nat+0x406438) Change-Id: I35854c43524714d07f31d71c775ac1cd0a57d22e
Diffstat (limited to 'openbsc/src/osmo-bsc_nat/bsc_ussd.c')
-rw-r--r--openbsc/src/osmo-bsc_nat/bsc_ussd.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/openbsc/src/osmo-bsc_nat/bsc_ussd.c b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
index 0ba63270d..ee0b08593 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_ussd.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
@@ -126,12 +126,11 @@ static int ussd_read_cb(struct osmo_fd *bfd)
int ret;
ret = ipa_msg_recv_buffered(bfd->fd, &msg, &conn->pending_msg);
+ if (ret == -EAGAIN)
+ return 0;
if (ret <= 0) {
- if (ret == -EAGAIN)
- return 0;
LOGP(DNAT, LOGL_ERROR, "USSD Connection was lost.\n");
- bsc_nat_ussd_destroy(conn);
- return -1;
+ goto close_fd;
}
LOGP(DNAT, LOGL_NOTICE, "MSG from USSD: %s proto: %d\n",
@@ -168,6 +167,10 @@ static int ussd_read_cb(struct osmo_fd *bfd)
}
return 0;
+
+close_fd:
+ bsc_nat_ussd_destroy(conn);
+ return -EBADF;
}
static void ussd_auth_cb(void *_data)
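Review bot: The new `close_fd:` label and its `return -EBADF;` rely on an unstated contract with the caller — that osmo_wqueue_bfd_cb() stops dereferencing bfd once the read callback returns this value — and nothing at the label records that bfd itself is gone after bsc_nat_ussd_destroy(conn). A one-line comment above the label would keep the next maintainer from "simplifying" it back to `return -1;`: `/* bsc_nat_ussd_destroy() frees conn, including the osmo_fd this callback was invoked with; return -EBADF so the write-queue caller does not touch bfd after we return. */`. The same applies to the `goto close_fd;` added in the first hunk, which is the only path redirected here; if any of the error paths in the elided middle of ussd_read_cb (between the two hunks, outside my view) also call bsc_nat_ussd_destroy() and return a plain -1, they would presumably hit the same use-after-free and should jump to close_fd as well. I cannot see from the diff whether the caller checks specifically for -EBADF or for any negative return, so the comment should name whichever contract is actually relied on.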