From 60ce34575542b5a73d967991ba66a792e5fdc0f2 Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy
Date: Sun, 1 Mar 2020 00:39:05 +0700
Subject: mobile/gsm322: fix use-after-free of cs->si reported by ASan

This pointer cs->si stores an address to the System Information of a currently selected cell. When we release System Information, ensure that it does not point to free()d memory.

Change-Id: Ife2ddf7274a48447a9ded9035f9dd01befaf2e6c
---
 src/host/layer23/src/mobile/gsm322.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/host/layer23/src/mobile/gsm322.c b/src/host/layer23/src/mobile/gsm322.c
index ddb3a77a..cc4f0cd0 100644
--- a/src/host/layer23/src/mobile/gsm322.c
+++ b/src/host/layer23/src/mobile/gsm322.c
@@ -2635,6 +2635,8 @@ static int gsm322_c_camp_sysinfo_bcch(struct osmocom_ms *ms, struct msgb *msg)
 if (cs->list[cs->arfci].sysinfo) {
 LOGP(DCS, LOGL_DEBUG, "free sysinfo arfcn=%s\n",
 gsm_print_arfcn(cs->arfcn));
+ if (cs->si == cs->list[cs->arfci].sysinfo)
+ cs->si = NULL;
 talloc_free(cs->list[cs->arfci].sysinfo);
 cs->list[cs->arfci].sysinfo = NULL;
 }
@@ -2752,6 +2754,8 @@ static void gsm322_cs_timeout(void *arg)
 if (cs->list[cs->arfci].sysinfo) {
 LOGP(DCS, LOGL_DEBUG, "free sysinfo arfcn=%s\n",
 gsm_print_arfcn(cs->arfcn));
+ if (cs->si == cs->list[cs->arfci].sysinfo)
+ cs->si = NULL;
 talloc_free(cs->list[cs->arfci].sysinfo);
 cs->list[cs->arfci].sysinfo = NULL;
 }
@@ -2919,6 +2923,8 @@ int gsm322_l1_signal(unsigned int subsys, unsigned int signal,
 cs->list[i].flags &= ~GSM322_CS_FLAG_SYSINFO;
 LOGP(DCS, LOGL_DEBUG, "free sysinfo ARFCN=%s\n",
 gsm_print_arfcn(index2arfcn(i)));
+ if (cs->si == cs->list[i].sysinfo)
+ cs->si = NULL;
 talloc_free(cs->list[i].sysinfo);
 cs->list[i].sysinfo = NULL;
 }
@@ -5145,6 +5151,7 @@ int gsm322_exit(struct osmocom_ms *ms)
 gsm_print_arfcn(index2arfcn(i)));
 talloc_free(cs->list[i].sysinfo);
 cs->list[i].sysinfo = NULL;
+ cs->si = NULL;
 }
 cs->list[i].flags = 0;
 }
-- 
cgit v1.2.3
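Review bot: The guarded clear `if (cs->si == cs->list[cs->arfci].sysinfo) cs->si = NULL;` is now pasted verbatim in front of each talloc_free() in gsm322_c_camp_sysinfo_bcch, gsm322_cs_timeout and gsm322_l1_signal (hunks 1–3), so any future free site that omits it silently brings back the dangling cs->si that ASan reported. Folding the alias check, the free and the list-slot reset into one static helper keeps that invariant in a single place, and the three call sites collapse to `gsm322_cs_free_sysinfo(cs, cs->arfci);` or `gsm322_cs_free_sysinfo(cs, i);`. Each enclosing function starts and ends outside its hunk, so the helper would be added alongside them rather than inside the shown lines.
```c
/* Release the sysinfo cached for list entry idx. cs->si is cleared first
 * when it aliases the same allocation so no dangling pointer survives. */
static void gsm322_cs_free_sysinfo(struct gsm322_cellsel *cs, int idx)
{
	if (cs->si == cs->list[idx].sysinfo)
		cs->si = NULL;
	talloc_free(cs->list[idx].sysinfo);
	cs->list[idx].sysinfo = NULL;
}

/* … unchanged: gsm322_c_camp_sysinfo_bcch up to the free site … */
		gsm322_cs_free_sysinfo(cs, cs->arfci);
```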
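Review bot: In gsm322_exit (hunk 4) the unconditional `cs->si = NULL;` is placed after `cs->list[i].sysinfo = NULL;` and appears to sit inside the per-entry free branch of the loop, so it is written differently from the guarded form used at the other three sites and it only executes when some entry still holds sysinfo. Since gsm322_exit tears every entry down, moving the single `cs->si = NULL;` to just after the loop states the intent once and no longer depends on the loop body running. The loop and the branch it contains begin outside the hunk, so the exact placement should be confirmed against the surrounding code.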