author | Pau Espin Pedrol <pespin@sysmocom.de> | 2018-06-27 12:47:30 +0200 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2018-06-27 12:47:44 +0200 |
commit | e239764f5aaf0f9242b569006323f958ae43f78e (patch) | |
tree | 6e9edadedc49015d4390b77e8ba841fb478af52a /openbsc | |
parent | fc08989dc8b9597cefbaa0972446f17b37e34384 (diff) |
bsc-nat: Avoid heap-use-after-free on USSD conn lost
When ussd_read_cb calls bsc_nat_ussd_destroy the osmo_fd struct is
freed, so we need to indicate to osmo_wqueue_bfd_cb that it should not
continue using the fd pointer after we return.
Fixes the following AddressSanitizer report:
<0015> osmo-bsc_nat/bsc_ussd.c:273 USSD Connection on 13 with IP: 1.2.3.4
<0015> osmo-bsc_nat/bsc_ussd.c:132 USSD Connection was lost.
=================================================================
==18118==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200047c4b4 at pc 0x7ffff6067540 bp 0x7fffffffe170 sp 0x7fffffffe168
READ of size 4 at 0x61200047c4b4 thread T0
#0 0x7ffff606753f in osmo_wqueue_bfd_cb libosmocore/src/write_queue.c:65
#1 0x7ffff605206b in osmo_fd_disp_fds libosmocore/src/select.c:217
#2 0x7ffff6052305 in osmo_select_main libosmocore/src/select.c:257
#3 0x421dfa in main osmo-bsc_nat/bsc_nat.c:1718
#4 0x7ffff47ffb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#5 0x406438 (/bin/osmo-bsc_nat+0x406438)
Change-Id: I35854c43524714d07f31d71c775ac1cd0a57d22e
Diffstat (limited to 'openbsc')
-rw-r--r-- | openbsc/src/osmo-bsc_nat/bsc_ussd.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/openbsc/src/osmo-bsc_nat/bsc_ussd.c b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
index 0ba63270d..ee0b08593 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_ussd.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_ussd.c
@@ -126,12 +126,11 @@ static int ussd_read_cb(struct osmo_fd *bfd)
 	int ret;
 	ret = ipa_msg_recv_buffered(bfd->fd, &msg, &conn->pending_msg);
+	if (ret == -EAGAIN)
+		return 0;
 	if (ret <= 0) {
-		if (ret == -EAGAIN)
-			return 0;
 		LOGP(DNAT, LOGL_ERROR, "USSD Connection was lost.\n");
-		bsc_nat_ussd_destroy(conn);
-		return -1;
+		goto close_fd;
 	}
 	LOGP(DNAT, LOGL_NOTICE, "MSG from USSD: %s proto: %d\n",
@@ -168,6 +167,10 @@ static int ussd_read_cb(struct osmo_fd *bfd)
 	}
 	return 0;
+
+close_fd:
+	bsc_nat_ussd_destroy(conn);
+	return -EBADF;
 }
 static void ussd_auth_cb(void *_data) |
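Review bot: The new `close_fd:` path returns -EBADF without saying why that particular value matters, yet the whole fix rests on the caller in libosmocore treating it as "the osmo_fd behind bfd has been freed, do not touch it again"; someone later "normalising" it back to -1 silently reintroduces the heap-use-after-free this commit describes. I would put a comment above the label, e.g. `/* bsc_nat_ussd_destroy() frees bfd; -EBADF tells osmo_wqueue_bfd_cb not to use it after we return. */`, so the contract is visible at the one place it is relied upon. The body of ussd_read_cb between the two hunks (old lines 138-167) is outside this view; if any path there still calls bsc_nat_ussd_destroy(conn) and returns -1, it has the same defect and should `goto close_fd` instead. The earlier `if (ret == -EAGAIN) return 0;` hoisted above the `ret <= 0` check is fine as written.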