cbsp: Fix heap-use-after-free closing cli conn in connecting state

If the conn is not in STREAM_CLI_STATE_CONNECTED state, osmo_stream_cli_destroy()
won't call disconnect_cb, hence the pointers that osmo-cbc holds are not
nullified correctly.

"""
20220801174147247 DCBSP NOTICE ttcn3-bsc-server: Disconnected. (cbsp_link.c:101)
20220801174147247 DCBSP NOTICE ttcn3-bsc-server: Reconnecting... (cbsp_link.c:102)
20220801174147247 DLINP INFO [WAIT_RECONNECT] osmo_stream_cli_reconnect(): retrying in 5 seconds... (stream.c:287)
20220801174152235 DCBSP DEBUG CBSP-Link[0x612000002c20]{RESET_PENDING}: Timeout of T3 (fsm.c:317)
20220801174152236 DCBSP DEBUG CBSP-Link[0x612000002c20]{RESET_PENDING}: timer_cb requested termination (fsm.c:327)
20220801174152236 DCBSP DEBUG CBSP-Link[0x612000002c20]{RESET_PENDING}: Terminating (cause = OSMO_FSM_TERM_TIMEOUT) (fsm.c:332)
=================================================================
==17==ERROR: AddressSanitizer: heap-use-after-free on address 0x6180000024f0 at pc 0x7fbd28a05d01 bp 0x7ffe247352b0 sp 0x7ffe247352a8
READ of size 4 at 0x6180000024f0 thread T0
    #0 0x7fbd28a05d00 in osmo_stream_cli_close /tmp/libosmo-netif/src/stream.c:307
    #1 0x7fbd28a0a5b3 in osmo_stream_cli_destroy /tmp/libosmo-netif/src/stream.c:714
    #2 0x55c3534a0322 in cbc_cbsp_link_close /tmp/osmo-cbc/src/cbsp_link.c:356
    #3 0x55c3534a16e1 in cbsp_link_fsm_cleanup /tmp/osmo-cbc/src/cbsp_link_fsm.c:199
    #4 0x7fbd28bf5085 in _osmo_fsm_inst_term /tmp/libosmocore/src/fsm.c:947
    #5 0x7fbd28be6881 in fsm_tmr_cb /tmp/libosmocore/src/fsm.c:332
    #6 0x7fbd28bc70ab in osmo_timers_update /tmp/libosmocore/src/timer.c:269
    #7 0x7fbd28bcba5b in _osmo_select_main /tmp/libosmocore/src/select.c:394
    #8 0x7fbd28bcbb31 in osmo_select_main /tmp/libosmocore/src/select.c:438
    #9 0x55c35348bce8 in main /tmp/osmo-cbc/src/cbc_main.c:314
    #10 0x7fbd27a4cd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    #11 0x55c353488ce9 in _start (/usr/local/bin/osmo-cbc+0x68ce9)
"""

Change-Id: Ic13578e958345207892465644b5e1f28537c032d
This commit is contained in:
Pau Espin 2022-08-01 20:23:30 +02:00
parent a76d15048d
commit cb4e11f984
2 changed files with 19 additions and 4 deletions


@ -352,10 +352,17 @@ void cbc_cbsp_link_close(struct cbc_cbsp_link *link)
if (!link->conn)
return;
if (link->is_client)
if (link->is_client) {
osmo_stream_cli_destroy(link->cli_conn);
else
if (link->peer)
link->peer->link.cbsp = NULL;
link->cli_conn = NULL;
if (link->fi)
osmo_fsm_inst_dispatch(link->fi, CBSP_LINK_E_CMD_CLOSE, NULL);
} else {
osmo_stream_srv_destroy(link->srv_conn);
/* Same as waht's done for cli is done for srv in closed_cb() */
}
}
/*
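Review bot: The new `osmo_fsm_inst_dispatch(link->fi, CBSP_LINK_E_CMD_CLOSE, NULL)` in the client branch is also reached when cbc_cbsp_link_close() is called from cbsp_link_fsm_cleanup() (frames #2/#3 of the quoted ASan trace), i.e. from the cleanup callback of an FSM instance that is already terminating, so the dispatch re-enters a dying instance; unless libosmocore already drops events on a terminating instance, it would be safer to guard it, e.g. `if (link->fi && !link->fi->proc.terminating)`. The guard at the top, `if (!link->conn) return;`, tests `conn` while the new code only clears `cli_conn`; if `conn` is not a union alias of `cli_conn` (not visible here), a second call would still pass the guard and hand a NULL pointer to osmo_stream_cli_destroy(), so clearing `conn` as well, or documenting the alias, would make the function idempotent. The added comment has a typo: `/* Same as what's done for cli is done for srv in closed_cb() */`. Whether disconnect_cb may itself free `link` in the CONNECTED case cannot be told from this hunk; if it can, the `link->peer` accesses after osmo_stream_cli_destroy() need the same care as the pointer nulling this commit adds.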


@ -420,10 +420,18 @@ void cbc_sbcap_link_close(struct cbc_sbcap_link *link)
if (!link->conn)
return;
if (link->is_client)
if (link->is_client) {
osmo_stream_cli_destroy(link->cli_conn);
else
osmo_stream_cli_destroy(link->cli_conn);
if (link->peer)
link->peer->link.sbcap = NULL;
link->cli_conn = NULL;
if (link->fi)
osmo_fsm_inst_dispatch(link->fi, SBcAP_LINK_E_CMD_CLOSE, NULL);
} else {
osmo_stream_srv_destroy(link->srv_conn);
/* Same as waht's done for cli is done for srv in closed_cb() */
}
}
/*
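Review bot: `osmo_stream_cli_destroy(link->cli_conn);` appears twice in this section, once right after `if (link->is_client) {` and once right after `else`; on this rendered page the +/- markers are lost, so one of them is presumably the old (differently indented) line and the other the new one, but if both are on the new side the same cli object is destroyed twice in a row, which is exactly the kind of use-after-free this commit sets out to fix — please confirm against the raw diff. As in cbsp_link.c, the `SBcAP_LINK_E_CMD_CLOSE` dispatch can be reached from the FSM's own cleanup path, so a `!link->fi->proc.terminating` guard (or whatever libosmocore already provides) is worth considering here too. The added comment has the same typo as the cbsp one: `/* Same as what's done for cli is done for srv in closed_cb() */`.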