cbsp: Fix heap-use-after-free closing cli conn in connecting state
If conn is not in STREAM_CLI_STATE_CONNECTED state, it won't call disconnect_cb during osmo_stream_cli_destroy(), hence the pointers osmo-cbc holds are not nullified correctly. """ 20220801174147247 DCBSP NOTICE ttcn3-bsc-server: Disconnected. (cbsp_link.c:101) 20220801174147247 DCBSP NOTICE ttcn3-bsc-server: Reconnecting... (cbsp_link.c:102) 20220801174147247 DLINP INFO [WAIT_RECONNECT] osmo_stream_cli_reconnect(): retrying in 5 seconds... (stream.c:287) 20220801174152235 DCBSP DEBUG CBSP-Link[0x612000002c20]{RESET_PENDING}: Timeout of T3 (fsm.c:317) 20220801174152236 DCBSP DEBUG CBSP-Link[0x612000002c20]{RESET_PENDING}: timer_cb requested termination (fsm.c:327) 20220801174152236 DCBSP DEBUG CBSP-Link[0x612000002c20]{RESET_PENDING}: Terminating (cause = OSMO_FSM_TERM_TIMEOUT) (fsm.c:332) ================================================================= ==17==ERROR: AddressSanitizer: heap-use-after-free on address 0x6180000024f0 at pc 0x7fbd28a05d01 bp 0x7ffe247352b0 sp 0x7ffe247352a8 READ of size 4 at 0x6180000024f0 thread T0 #0 0x7fbd28a05d00 in osmo_stream_cli_close /tmp/libosmo-netif/src/stream.c:307 #1 0x7fbd28a0a5b3 in osmo_stream_cli_destroy /tmp/libosmo-netif/src/stream.c:714 #2 0x55c3534a0322 in cbc_cbsp_link_close /tmp/osmo-cbc/src/cbsp_link.c:356 #3 0x55c3534a16e1 in cbsp_link_fsm_cleanup /tmp/osmo-cbc/src/cbsp_link_fsm.c:199 #4 0x7fbd28bf5085 in _osmo_fsm_inst_term /tmp/libosmocore/src/fsm.c:947 #5 0x7fbd28be6881 in fsm_tmr_cb /tmp/libosmocore/src/fsm.c:332 #6 0x7fbd28bc70ab in osmo_timers_update /tmp/libosmocore/src/timer.c:269 #7 0x7fbd28bcba5b in _osmo_select_main /tmp/libosmocore/src/select.c:394 #8 0x7fbd28bcbb31 in osmo_select_main /tmp/libosmocore/src/select.c:438 #9 0x55c35348bce8 in main /tmp/osmo-cbc/src/cbc_main.c:314 #10 0x7fbd27a4cd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09) #11 0x55c353488ce9 in _start (/usr/local/bin/osmo-cbc+0x68ce9) """ Change-Id: Ic13578e958345207892465644b5e1f28537c032d
parent
a76d15048d
commit
cb4e11f984
|
@ -352,10 +352,17 @@ void cbc_cbsp_link_close(struct cbc_cbsp_link *link)
|
|||
if (!link->conn)
|
||||
return;
|
||||
|
||||
if (link->is_client)
|
||||
if (link->is_client) {
|
||||
osmo_stream_cli_destroy(link->cli_conn);
|
||||
else
|
||||
if (link->peer)
|
||||
link->peer->link.cbsp = NULL;
|
||||
link->cli_conn = NULL;
|
||||
if (link->fi)
|
||||
osmo_fsm_inst_dispatch(link->fi, CBSP_LINK_E_CMD_CLOSE, NULL);
|
||||
} else {
|
||||
osmo_stream_srv_destroy(link->srv_conn);
|
||||
/* Same as waht's done for cli is done for srv in closed_cb() */
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
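Review bot: After `osmo_stream_cli_destroy(link->cli_conn);` the new client branch still dereferences `link` (`link->peer`, `link->fi`) and then dispatches CBSP_LINK_E_CMD_CLOSE into `link->fi`, yet the trace in the description shows cbc_cbsp_link_close being entered from cbsp_link_fsm_cleanup, i.e. while `link->fi` is already terminating, so unless the caller clears `link->fi` first (not visible in this hunk) that dispatch re-enters an FSM instance mid-termination. A cheap guard is `if (link->fi && !link->fi->proc.terminating)`, or have the cleanup callback set `link->fi = NULL` before calling close. In the CONNECTED case disconnect_cb still fires inside the destroy and, per the description, performs this same nullification; if it also terminates the FSM that owns `link`, the reads after the destroy would themselves be use-after-free, which is worth confirming against disconnect_cb. The comment on the srv branch should read `/* Same as what's done for cli is done for srv in closed_cb() */`. Both points apply equally to the cbc_sbcap_link_close hunk below.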
@ -420,10 +420,18 @@ void cbc_sbcap_link_close(struct cbc_sbcap_link *link)
|
|||
if (!link->conn)
|
||||
return;
|
||||
|
||||
if (link->is_client)
|
||||
if (link->is_client) {
|
||||
osmo_stream_cli_destroy(link->cli_conn);
|
||||
else
|
||||
osmo_stream_cli_destroy(link->cli_conn);
|
||||
if (link->peer)
|
||||
link->peer->link.sbcap = NULL;
|
||||
link->cli_conn = NULL;
|
||||
if (link->fi)
|
||||
osmo_fsm_inst_dispatch(link->fi, SBcAP_LINK_E_CMD_CLOSE, NULL);
|
||||
} else {
|
||||
osmo_stream_srv_destroy(link->srv_conn);
|
||||
/* Same as waht's done for cli is done for srv in closed_cb() */
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
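Review bot: `osmo_stream_cli_destroy(link->cli_conn);` appears twice in this hunk, once before and once after the old `else`; the hunk header counts 18 added lines against 16 other new-side lines, which only adds up if both copies survive on the new side, in which case the client branch destroys the same connection twice and the second call is itself a use-after-free of the kind this commit fixes. If the rendered page merely lost the removed-line marker on one of them, disregard; otherwise the branch should contain `osmo_stream_cli_destroy(link->cli_conn);` exactly once, immediately followed by the `link->peer` and `link->cli_conn = NULL` cleanup.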