
bsc_api: Fix NULL secondary_lchan access in handle_ass_fail

Related: OW#3893

Program terminated with signal SIGSEGV, Segmentation fault.
#0  gsm_lchan_name (lchan=lchan@entry=0x0) at gsm_data_shared.c:342
(gdb) bt
#0  gsm_lchan_name (lchan=lchan@entry=0x0) at gsm_data_shared.c:342
#1  0x0805ab80 in lchan_release (lchan=0x0, sacch_deact=sacch_deact@entry=0, mode=mode@entry=RSL_REL_LOCAL_END)
    at chan_alloc.c:410
#2  0x0805c1dd in handle_ass_fail (msg=0x94142b8, conn=0x9251048) at bsc_api.c:459
#3  dispatch_dtap (msg=0x94142b8, link_id=0 '\000', conn=0x9251048) at bsc_api.c:598
#4  gsm0408_rcvmsg (msg=msg@entry=0x94142b8, link_id=0 '\000') at bsc_api.c:658
#5  0x08058ca2 in abis_rsl_rx_rll (msg=0x94142b8) at abis_rsl.c:1686
#6  abis_rsl_rcvmsg (msg=0x94142b8) at abis_rsl.c:2097
#7  0xb7e8cf9a in handle_ts1_read (bfd=0x94e8e08) at input/ipaccess.c:271
#8  ipaccess_fd_cb (bfd=0x94e8e08, what=1) at input/ipaccess.c:386
#9  0xb7ee8434 in osmo_select_main (polling=polling@entry=0) at select.c:158
#10 0x0804bd7c in main (argc=6, argv=0xbfc27144) at osmo_bsc_main.c:272
(gdb) print lchan
$2 = (const struct gsm_lchan *) 0x0

Possible scenario in which this crash can appear:
1- gsm0808_assign_req() calls handle_new_assignment() which sends a CHAN
ACTIVATE msg and arms the T10 timer.
2- ACTIVATE ACK is received (handle_chan_ack), which calls
gsm48_send_rr_ass_cmd() which sends an ASSIGNMENT CMD, and doesn't
disable/modify T10 timer.
3- T10 timeout is triggered (assignment_t10_timeout()), which sets
conn->secondary_lchan = NULL
4- Immediately after, the ASSIGNMENT FAILURE message (which might have been
already queued) is processed in handle_ass_fail, and then the crash occurs.

This race condition is not an issue for the handle_ass_compl() path because
there is a check there which would most probably trigger if secondary_lchan is NULL:
"if (conn->secondary_lchan != msg->lchan)"

Change-Id: Ied5bd90b9c06f27135a2e3c46e40d49d27d9a387
Pau Espin 2017-10-16 10:46:36 +02:00
parent 65c6ddebff
commit 957ceb1b79
1 changed files with 4 additions and 2 deletions


@ -485,8 +485,10 @@ static void handle_ass_fail(struct gsm_subscriber_connection *conn,
/* stop the timer and release it */
osmo_timer_del(&conn->T10);
lchan_release(conn->secondary_lchan, 0, RSL_REL_LOCAL_END);
conn->secondary_lchan = NULL;
if (conn->secondary_lchan) {
lchan_release(conn->secondary_lchan, 0, RSL_REL_LOCAL_END);
conn->secondary_lchan = NULL;
}
gh = msgb_l3(msg);
if (msgb_l3len(msg) - sizeof(*gh) != 1) {
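Review bot: the NULL guard around lchan_release() removes the crash, but the hunk stays silent when secondary_lchan is already NULL, which per the commit message means T10 has already fired and torn the channel down; a log line inside an else branch (e.g. a LOGP noting "ASSIGNMENT FAILURE received after T10 expiry, secondary lchan already released") would make the race visible in operator logs instead of being swallowed. Also worth checking in the same function: after the guard, execution continues unconditionally into `gh = msgb_l3(msg);` and the cause parsing, so the failure is still processed as if an assignment were in progress; if the T10 timeout handler already reported the failure upstream, confirm that this path does not report it a second time, or return early when secondary_lchan is NULL. Finally, the commit message itself points at the underlying ordering problem (gsm48_send_rr_ass_cmd() leaves T10 armed after ACTIVATE ACK); this guard is the right defensive fix for the crash, but a follow-up that stops or rearms T10 at that point would close the race rather than only tolerate it.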