test/gbproxy: Test for possible memory corruption when link_info is freed

This test is to trigger the use-after free issue in commit bff7b0d80972. If compiled with address-sanitizer the test will abort without the fix. Change-Id: I5e8c6626ba43342740f08d699383bdded739079f Ticket: OW#3049 Sponsored-by: On-Waves ehf
2016-11-08 15:29:30 +01:00 · 2016-11-08 15:29:30 +01:00 · bb42eee113
parent beade314d0
commit bb42eee113
2 changed files with 276 additions and 0 deletions
--- a/openbsc/tests/gbproxy/gbproxy_test.c
+++ b/openbsc/tests/gbproxy/gbproxy_test.c
@ -4817,6 +4817,100 @@ static void test_gbproxy_imsi_matching(void)
 	cleanup_test();
 }

+static void test_gbproxy_stored_messages()
+{
+	struct gprs_ns_inst *nsi = gprs_ns_instantiate(gprs_ns_callback, NULL);
+	struct sockaddr_in bss_peer[1] = {{0},};
+	struct sockaddr_in sgsn_peer= {0};
+	struct  gprs_ra_id rai_bss =
+		{.mcc = 112, .mnc = 332, .lac = 16464, .rac = 96};
+	struct  gprs_ra_id rai_unknown =
+		{.mcc = 1, .mnc = 99, .lac = 99, .rac = 96};
+	uint16_t cell_id = 0x1234;
+
+	const uint32_t ptmsi = 0xefe2b700;
+	const uint32_t local_tlli = 0xefe2b700;
+
+	const uint32_t foreign_tlli1 = 0x8000dead;
+
+	struct gbproxy_peer *peer;
+	unsigned bss_nu = 0;
+	unsigned sgsn_nu = 0;
+
+	OSMO_ASSERT(local_tlli == gprs_tmsi2tlli(ptmsi, TLLI_LOCAL));
+
+	bssgp_nsi = nsi;
+	gbcfg.nsi = bssgp_nsi;
+	gbcfg.nsip_sgsn_nsei = SGSN_NSEI;
+	gbcfg.core_mcc = 0;
+	gbcfg.core_mnc = 0;
+	gbcfg.core_apn = talloc_zero_size(NULL, 100);
+	gbcfg.core_apn_size = gprs_str_to_apn(gbcfg.core_apn, 100, "foo.bar");
+	gbcfg.patch_ptmsi = 0;
+	gbcfg.acquire_imsi = 1;
+	gbcfg.keep_link_infos = 0;
+
+	configure_sgsn_peer(&sgsn_peer);
+	configure_bss_peers(bss_peer, ARRAY_SIZE(bss_peer));
+
+	printf("=== %s ===\n", __func__);
+	printf("--- Initialise SGSN ---\n\n");
+
+	connect_sgsn(nsi, &sgsn_peer, SGSN_NSEI);
+
+	printf("--- Initialise BSS 1 ---\n\n");
+
+	setup_ns(nsi, &bss_peer[0], 0x1001, 0x1000);
+	setup_bssgp(nsi, &bss_peer[0], 0x1002);
+
+	peer = gbproxy_peer_by_nsei(&gbcfg, 0x1000);
+	OSMO_ASSERT(peer != NULL);
+
+	send_bssgp_reset_ack(nsi, &sgsn_peer, 0x1002);
+
+	gprs_dump_nsi(nsi);
+	dump_global(stdout, 0);
+	dump_peers(stdout, 0, 0, &gbcfg);
+
+	printf("--- Establish first LLC connection ---\n\n");
+
+	send_llc_ul_ui(nsi, "ATTACH REQUEST", &bss_peer[0], 0x1002,
+		       foreign_tlli1, &rai_unknown, cell_id,
+		       GPRS_SAPI_GMM, bss_nu++,
+		       dtap_attach_req, sizeof(dtap_attach_req));
+
+	dump_peers(stdout, 0, 0, &gbcfg);
+
+	send_llc_dl_ui(nsi, "IDENT REQUEST", &sgsn_peer, 0x1002,
+		       foreign_tlli1, 0, NULL, 0,
+		       GPRS_SAPI_GMM, sgsn_nu++,
+		       dtap_identity_req, sizeof(dtap_identity_req));
+
+	dump_peers(stdout, 0, 0, &gbcfg);
+
+	send_llc_ul_ui(nsi, "DETACH ACCEPT", &bss_peer[0], 0x1002,
+		       foreign_tlli1, &rai_bss, cell_id,
+		       GPRS_SAPI_GMM, bss_nu++,
+		       dtap_detach_acc, sizeof(dtap_detach_acc));
+
+	dump_peers(stdout, 0, 0, &gbcfg);
+
+	send_llc_ul_ui(nsi, "IDENT RESPONSE", &bss_peer[0], 0x1002,
+		       foreign_tlli1, &rai_bss, cell_id,
+		       GPRS_SAPI_GMM, bss_nu++,
+		       dtap_identity_resp, sizeof(dtap_identity_resp));
+
+	dump_peers(stdout, 0, 0, &gbcfg);
+
+	dump_global(stdout, 0);
+
+	gbprox_reset(&gbcfg);
+	gprs_ns_destroy(nsi);
+	nsi = NULL;
+
+	cleanup_test();
+}
+
 static struct log_info_cat gprs_categories[] = {
 	[DGPRS] = {
 		.name = "DGPRS",
@ -4870,6 +4964,7 @@ int main(int argc, char **argv)
 	test_gbproxy_secondary_sgsn();
 	test_gbproxy_keep_info();
 	test_gbproxy_tlli_expire();
+	test_gbproxy_stored_messages();
 	printf("===== GbProxy test END\n\n");

 	exit(EXIT_SUCCESS);
--- a/openbsc/tests/gbproxy/gbproxy_test.ok
+++ b/openbsc/tests/gbproxy/gbproxy_test.ok
@ -7059,5 +7059,186 @@ Test TLLI expiry, max_len == 2, max_age == 1:
      TLLI-Cache: 1
        TLLI c0000d80, IMSI 12345678, AGE 0, IMSI matches

+=== test_gbproxy_stored_messages ===
+--- Initialise SGSN ---
+
+MESSAGE to SGSN at 0x05060708:32000, msg length 12
+02 00 81 01 01 82 01 01 04 82 01 00 
+
+PROCESSING RESET_ACK from 0x05060708:32000
+03 01 82 01 01 04 82 01 00 
+
+MESSAGE to SGSN at 0x05060708:32000, msg length 1
+0a 
+
+result (RESET_ACK) = 1
+
+PROCESSING ALIVE_ACK from 0x05060708:32000
+0b 
+
+MESSAGE to SGSN at 0x05060708:32000, msg length 1
+06 
+
+result (ALIVE_ACK) = 1
+
+PROCESSING UNBLOCK_ACK from 0x05060708:32000
+07 
+
+==> got signal NS_UNBLOCK, NS-VC 0x0101/5.6.7.8:32000
+
+result (UNBLOCK_ACK) = 0
+
+PROCESSING ALIVE from 0x05060708:32000
+0a 
+
+MESSAGE to SGSN at 0x05060708:32000, msg length 1
+0b 
+
+result (ALIVE) = 1
+
+--- Initialise BSS 1 ---
+
+Setup NS-VC: remote 0x01020304:1111, NSVCI 0x1001(4097), NSEI 0x1000(4096)
+
+PROCESSING RESET from 0x01020304:1111
+02 00 81 01 01 82 10 01 04 82 10 00 
+
+==> got signal NS_RESET, NS-VC 0x1001/1.2.3.4:1111
+
+MESSAGE to BSS at 0x01020304:1111, msg length 9
+03 01 82 10 01 04 82 10 00 
+
+MESSAGE to BSS at 0x01020304:1111, msg length 1
+0a 
+
+result (RESET) = 9
+
+PROCESSING ALIVE from 0x01020304:1111
+0a 
+
+MESSAGE to BSS at 0x01020304:1111, msg length 1
+0b 
+
+result (ALIVE) = 1
+
+PROCESSING UNBLOCK from 0x01020304:1111
+06 
+
+==> got signal NS_UNBLOCK, NS-VC 0x1001/1.2.3.4:1111
+
+MESSAGE to BSS at 0x01020304:1111, msg length 1
+07 
+
+result (UNBLOCK) = 1
+
+PROCESSING ALIVE_ACK from 0x01020304:1111
+0b 
+
+result (ALIVE_ACK) = 0
+
+Setup BSSGP: remote 0x01020304:1111, BVCI 0x1002(4098)
+
+PROCESSING BVC_RESET from 0x01020304:1111
+00 00 00 00 22 04 82 10 02 07 81 08 08 88 11 22 33 40 50 60 10 00 
+
+CALLBACK, event 0, msg length 18, bvci 0x0000
+00 00 00 00 22 04 82 10 02 07 81 08 08 88 11 22 33 40 50 60 10 00 
+
+NS UNITDATA MESSAGE to SGSN, BVCI 0x0000, msg length 18 (gprs_ns_sendmsg)
+MESSAGE to SGSN at 0x05060708:32000, msg length 22
+00 00 00 00 22 04 82 10 02 07 81 08 08 88 11 22 33 40 50 60 10 00 
+
+result (BVC_RESET) = 22
+
+PROCESSING BVC_RESET_ACK from 0x05060708:32000
+00 00 00 00 23 04 82 10 02 
+
+CALLBACK, event 0, msg length 5, bvci 0x0000
+00 00 00 00 23 04 82 10 02 
+
+NS UNITDATA MESSAGE to BSS, BVCI 0x0000, msg length 5 (gprs_ns_sendmsg)
+MESSAGE to BSS at 0x01020304:1111, msg length 9
+00 00 00 00 23 04 82 10 02 
+
+result (BVC_RESET_ACK) = 9
+
+Current NS-VCIs:
+    VCI 0x1001, NSEI 0x1000, peer 0x01020304:1111
+    VCI 0x0101, NSEI 0x0100, peer 0x05060708:32000
+         NS-VC Block count         : 1
+
+Gbproxy global:
+Peers:
+  NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+    TLLI-Cache: 0
+--- Establish first LLC connection ---
+
+PROCESSING ATTACH REQUEST from 0x01020304:1111
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 01 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 16 6d 01 
+
+CALLBACK, event 0, msg length 75, bvci 0x1002
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 01 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 16 6d 01 
+
+NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 24 (gprs_ns_sendmsg)
+MESSAGE to BSS at 0x01020304:1111, msg length 28
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c4 01 08 15 01 b7 f8 36 
+
+result (ATTACH REQUEST) = 0
+
+Peers:
+  NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+    Attach Request count            : 1
+    TLLI cache size                 : 1
+    TLLI-Cache: 1
+      TLLI 8000dead -> 8000dead, IMSI (none), AGE 0, STORED 1, IMSI acquisition in progress
+PROCESSING IDENT REQUEST from 0x05060708:32000
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 89 41 c0 01 08 15 01 ff 6c ba 
+
+CALLBACK, event 0, msg length 23, bvci 0x1002
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 89 41 c0 01 08 15 01 ff 6c ba 
+
+NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 23 (gprs_ns_sendmsg)
+MESSAGE to BSS at 0x01020304:1111, msg length 27
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 89 41 c0 01 08 15 01 ff 6c ba 
+
+result (IDENT REQUEST) = 27
+
+Peers:
+  NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+    Attach Request count            : 1
+    TLLI cache size                 : 1
+    TLLI-Cache: 1
+      TLLI 8000dead -> 8000dead, IMSI (none), AGE 0, STORED 1, IMSI acquisition in progress
+PROCESSING DETACH ACCEPT from 0x01020304:1111
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 09 01 c0 05 08 06 00 f8 92 41 
+
+CALLBACK, event 0, msg length 32, bvci 0x1002
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 09 01 c0 05 08 06 00 f8 92 41 
+
+result (DETACH ACCEPT) = 0
+
+Peers:
+  NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+    Attach Request count            : 1
+    TLLI cache size                 : 1
+    TLLI-Cache: 1
+      TLLI 8000dead -> 8000dead, IMSI (none), AGE 0, STORED 2, IMSI acquisition in progress
+PROCESSING IDENT RESPONSE from 0x01020304:1111
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 11 01 c0 09 08 16 08 11 12 13 14 15 16 17 18 ba 14 c3 
+
+CALLBACK, event 0, msg length 40, bvci 0x1002
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 11 01 c0 09 08 16 08 11 12 13 14 15 16 17 18 ba 14 c3 
+
+NS UNITDATA MESSAGE to SGSN, BVCI 0x1002, msg length 75 (gprs_ns_sendmsg)
+MESSAGE to SGSN at 0x05060708:32000, msg length 79
+00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 01 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 16 6d 01 
+
+result (IDENT RESPONSE) = 0
+
+Peers:
+  NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
+    Attach Request count            : 1
+    TLLI-Cache: 0
+Gbproxy global:
 ===== GbProxy test END