test/gbproxy: Test for possible memory corruption when link_info is freed
This test triggers the use-after-free issue in commit bff7b0d80972. If compiled with address-sanitizer, the test will abort without the fix. Change-Id: I5e8c6626ba43342740f08d699383bdded739079f Ticket: OW#3049 Sponsored-by: On-Waves ehf
parent
f810d4f8a0
commit
9f98d7bb35
|
@ -4817,6 +4817,100 @@ static void test_gbproxy_imsi_matching(void)
|
|||
cleanup_test();
|
||||
}
|
||||
|
||||
static void test_gbproxy_stored_messages()
|
||||
{
|
||||
struct gprs_ns_inst *nsi = gprs_ns_instantiate(gprs_ns_callback, NULL);
|
||||
struct sockaddr_in bss_peer[1] = {{0},};
|
||||
struct sockaddr_in sgsn_peer= {0};
|
||||
struct gprs_ra_id rai_bss =
|
||||
{.mcc = 112, .mnc = 332, .lac = 16464, .rac = 96};
|
||||
struct gprs_ra_id rai_unknown =
|
||||
{.mcc = 1, .mnc = 99, .lac = 99, .rac = 96};
|
||||
uint16_t cell_id = 0x1234;
|
||||
|
||||
const uint32_t ptmsi = 0xefe2b700;
|
||||
const uint32_t local_tlli = 0xefe2b700;
|
||||
|
||||
const uint32_t foreign_tlli1 = 0x8000dead;
|
||||
|
||||
struct gbproxy_peer *peer;
|
||||
unsigned bss_nu = 0;
|
||||
unsigned sgsn_nu = 0;
|
||||
|
||||
OSMO_ASSERT(local_tlli == gprs_tmsi2tlli(ptmsi, TLLI_LOCAL));
|
||||
|
||||
bssgp_nsi = nsi;
|
||||
gbcfg.nsi = bssgp_nsi;
|
||||
gbcfg.nsip_sgsn_nsei = SGSN_NSEI;
|
||||
gbcfg.core_mcc = 0;
|
||||
gbcfg.core_mnc = 0;
|
||||
gbcfg.core_apn = talloc_zero_size(NULL, 100);
|
||||
gbcfg.core_apn_size = gprs_str_to_apn(gbcfg.core_apn, 100, "foo.bar");
|
||||
gbcfg.patch_ptmsi = 0;
|
||||
gbcfg.acquire_imsi = 1;
|
||||
gbcfg.keep_link_infos = 0;
|
||||
|
||||
configure_sgsn_peer(&sgsn_peer);
|
||||
configure_bss_peers(bss_peer, ARRAY_SIZE(bss_peer));
|
||||
|
||||
printf("=== %s ===\n", __func__);
|
||||
printf("--- Initialise SGSN ---\n\n");
|
||||
|
||||
connect_sgsn(nsi, &sgsn_peer, SGSN_NSEI);
|
||||
|
||||
printf("--- Initialise BSS 1 ---\n\n");
|
||||
|
||||
setup_ns(nsi, &bss_peer[0], 0x1001, 0x1000);
|
||||
setup_bssgp(nsi, &bss_peer[0], 0x1002);
|
||||
|
||||
peer = gbproxy_peer_by_nsei(&gbcfg, 0x1000);
|
||||
OSMO_ASSERT(peer != NULL);
|
||||
|
||||
send_bssgp_reset_ack(nsi, &sgsn_peer, 0x1002);
|
||||
|
||||
gprs_dump_nsi(nsi);
|
||||
dump_global(stdout, 0);
|
||||
dump_peers(stdout, 0, 0, &gbcfg);
|
||||
|
||||
printf("--- Establish first LLC connection ---\n\n");
|
||||
|
||||
send_llc_ul_ui(nsi, "ATTACH REQUEST", &bss_peer[0], 0x1002,
|
||||
foreign_tlli1, &rai_unknown, cell_id,
|
||||
GPRS_SAPI_GMM, bss_nu++,
|
||||
dtap_attach_req, sizeof(dtap_attach_req));
|
||||
|
||||
dump_peers(stdout, 0, 0, &gbcfg);
|
||||
|
||||
send_llc_dl_ui(nsi, "IDENT REQUEST", &sgsn_peer, 0x1002,
|
||||
foreign_tlli1, 0, NULL, 0,
|
||||
GPRS_SAPI_GMM, sgsn_nu++,
|
||||
dtap_identity_req, sizeof(dtap_identity_req));
|
||||
|
||||
dump_peers(stdout, 0, 0, &gbcfg);
|
||||
|
||||
send_llc_ul_ui(nsi, "DETACH ACCEPT", &bss_peer[0], 0x1002,
|
||||
foreign_tlli1, &rai_bss, cell_id,
|
||||
GPRS_SAPI_GMM, bss_nu++,
|
||||
dtap_detach_acc, sizeof(dtap_detach_acc));
|
||||
|
||||
dump_peers(stdout, 0, 0, &gbcfg);
|
||||
|
||||
send_llc_ul_ui(nsi, "IDENT RESPONSE", &bss_peer[0], 0x1002,
|
||||
foreign_tlli1, &rai_bss, cell_id,
|
||||
GPRS_SAPI_GMM, bss_nu++,
|
||||
dtap_identity_resp, sizeof(dtap_identity_resp));
|
||||
|
||||
dump_peers(stdout, 0, 0, &gbcfg);
|
||||
|
||||
dump_global(stdout, 0);
|
||||
|
||||
gbprox_reset(&gbcfg);
|
||||
gprs_ns_destroy(nsi);
|
||||
nsi = NULL;
|
||||
|
||||
cleanup_test();
|
||||
}
|
||||
|
||||
static struct log_info_cat gprs_categories[] = {
|
||||
[DGPRS] = {
|
||||
.name = "DGPRS",
|
||||
|
@ -4870,6 +4964,7 @@ int main(int argc, char **argv)
|
|||
test_gbproxy_secondary_sgsn();
|
||||
test_gbproxy_keep_info();
|
||||
test_gbproxy_tlli_expire();
|
||||
test_gbproxy_stored_messages();
|
||||
printf("===== GbProxy test END\n\n");
|
||||
|
||||
exit(EXIT_SUCCESS);
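Review bot: Nothing in `test_gbproxy_stored_messages` itself fails on the use-after-free. After the final `send_llc_ul_ui(... "IDENT RESPONSE" ...)` the only checks are the `dump_peers`/`dump_global` text compared against the expected output, and a read of freed memory can still produce matching text in a build without AddressSanitizer. The commit message says as much, but the source does not, so I would put it above the function: `/* Regression test for the link_info use-after-free (OW#3049); the bug is only detected when built with -fsanitize=address. */`. The test suite should also run in at least one sanitizer-enabled build so the regression cannot pass silently. As a point of style, the definition uses an empty parameter list where the neighbouring `test_gbproxy_imsi_matching(void)` uses `(void)`; `static void test_gbproxy_stored_messages(void)` would match. The `talloc_zero_size(NULL, 100)` buffer assigned to `gbcfg.core_apn` is not freed anywhere in the visible lines. If `gbprox_reset` or `cleanup_test` does not release it, a sanitizer build may also report it as a leak.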
|
||||
|
|
|
@ -7059,5 +7059,186 @@ Test TLLI expiry, max_len == 2, max_age == 1:
|
|||
TLLI-Cache: 1
|
||||
TLLI c0000d80, IMSI 12345678, AGE 0, IMSI matches
|
||||
|
||||
=== test_gbproxy_stored_messages ===
|
||||
--- Initialise SGSN ---
|
||||
|
||||
MESSAGE to SGSN at 0x05060708:32000, msg length 12
|
||||
02 00 81 01 01 82 01 01 04 82 01 00
|
||||
|
||||
PROCESSING RESET_ACK from 0x05060708:32000
|
||||
03 01 82 01 01 04 82 01 00
|
||||
|
||||
MESSAGE to SGSN at 0x05060708:32000, msg length 1
|
||||
0a
|
||||
|
||||
result (RESET_ACK) = 1
|
||||
|
||||
PROCESSING ALIVE_ACK from 0x05060708:32000
|
||||
0b
|
||||
|
||||
MESSAGE to SGSN at 0x05060708:32000, msg length 1
|
||||
06
|
||||
|
||||
result (ALIVE_ACK) = 1
|
||||
|
||||
PROCESSING UNBLOCK_ACK from 0x05060708:32000
|
||||
07
|
||||
|
||||
==> got signal NS_UNBLOCK, NS-VC 0x0101/5.6.7.8:32000
|
||||
|
||||
result (UNBLOCK_ACK) = 0
|
||||
|
||||
PROCESSING ALIVE from 0x05060708:32000
|
||||
0a
|
||||
|
||||
MESSAGE to SGSN at 0x05060708:32000, msg length 1
|
||||
0b
|
||||
|
||||
result (ALIVE) = 1
|
||||
|
||||
--- Initialise BSS 1 ---
|
||||
|
||||
Setup NS-VC: remote 0x01020304:1111, NSVCI 0x1001(4097), NSEI 0x1000(4096)
|
||||
|
||||
PROCESSING RESET from 0x01020304:1111
|
||||
02 00 81 01 01 82 10 01 04 82 10 00
|
||||
|
||||
==> got signal NS_RESET, NS-VC 0x1001/1.2.3.4:1111
|
||||
|
||||
MESSAGE to BSS at 0x01020304:1111, msg length 9
|
||||
03 01 82 10 01 04 82 10 00
|
||||
|
||||
MESSAGE to BSS at 0x01020304:1111, msg length 1
|
||||
0a
|
||||
|
||||
result (RESET) = 9
|
||||
|
||||
PROCESSING ALIVE from 0x01020304:1111
|
||||
0a
|
||||
|
||||
MESSAGE to BSS at 0x01020304:1111, msg length 1
|
||||
0b
|
||||
|
||||
result (ALIVE) = 1
|
||||
|
||||
PROCESSING UNBLOCK from 0x01020304:1111
|
||||
06
|
||||
|
||||
==> got signal NS_UNBLOCK, NS-VC 0x1001/1.2.3.4:1111
|
||||
|
||||
MESSAGE to BSS at 0x01020304:1111, msg length 1
|
||||
07
|
||||
|
||||
result (UNBLOCK) = 1
|
||||
|
||||
PROCESSING ALIVE_ACK from 0x01020304:1111
|
||||
0b
|
||||
|
||||
result (ALIVE_ACK) = 0
|
||||
|
||||
Setup BSSGP: remote 0x01020304:1111, BVCI 0x1002(4098)
|
||||
|
||||
PROCESSING BVC_RESET from 0x01020304:1111
|
||||
00 00 00 00 22 04 82 10 02 07 81 08 08 88 11 22 33 40 50 60 10 00
|
||||
|
||||
CALLBACK, event 0, msg length 18, bvci 0x0000
|
||||
00 00 00 00 22 04 82 10 02 07 81 08 08 88 11 22 33 40 50 60 10 00
|
||||
|
||||
NS UNITDATA MESSAGE to SGSN, BVCI 0x0000, msg length 18 (gprs_ns_sendmsg)
|
||||
MESSAGE to SGSN at 0x05060708:32000, msg length 22
|
||||
00 00 00 00 22 04 82 10 02 07 81 08 08 88 11 22 33 40 50 60 10 00
|
||||
|
||||
result (BVC_RESET) = 22
|
||||
|
||||
PROCESSING BVC_RESET_ACK from 0x05060708:32000
|
||||
00 00 00 00 23 04 82 10 02
|
||||
|
||||
CALLBACK, event 0, msg length 5, bvci 0x0000
|
||||
00 00 00 00 23 04 82 10 02
|
||||
|
||||
NS UNITDATA MESSAGE to BSS, BVCI 0x0000, msg length 5 (gprs_ns_sendmsg)
|
||||
MESSAGE to BSS at 0x01020304:1111, msg length 9
|
||||
00 00 00 00 23 04 82 10 02
|
||||
|
||||
result (BVC_RESET_ACK) = 9
|
||||
|
||||
Current NS-VCIs:
|
||||
VCI 0x1001, NSEI 0x1000, peer 0x01020304:1111
|
||||
VCI 0x0101, NSEI 0x0100, peer 0x05060708:32000
|
||||
NS-VC Block count : 1
|
||||
|
||||
Gbproxy global:
|
||||
Peers:
|
||||
NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
|
||||
TLLI-Cache: 0
|
||||
--- Establish first LLC connection ---
|
||||
|
||||
PROCESSING ATTACH REQUEST from 0x01020304:1111
|
||||
00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 01 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 16 6d 01
|
||||
|
||||
CALLBACK, event 0, msg length 75, bvci 0x1002
|
||||
00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 01 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 16 6d 01
|
||||
|
||||
NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 24 (gprs_ns_sendmsg)
|
||||
MESSAGE to BSS at 0x01020304:1111, msg length 28
|
||||
00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c4 01 08 15 01 b7 f8 36
|
||||
|
||||
result (ATTACH REQUEST) = 0
|
||||
|
||||
Peers:
|
||||
NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
|
||||
Attach Request count : 1
|
||||
TLLI cache size : 1
|
||||
TLLI-Cache: 1
|
||||
TLLI 8000dead -> 8000dead, IMSI (none), AGE 0, STORED 1, IMSI acquisition in progress
|
||||
PROCESSING IDENT REQUEST from 0x05060708:32000
|
||||
00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 89 41 c0 01 08 15 01 ff 6c ba
|
||||
|
||||
CALLBACK, event 0, msg length 23, bvci 0x1002
|
||||
00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 89 41 c0 01 08 15 01 ff 6c ba
|
||||
|
||||
NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 23 (gprs_ns_sendmsg)
|
||||
MESSAGE to BSS at 0x01020304:1111, msg length 27
|
||||
00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 89 41 c0 01 08 15 01 ff 6c ba
|
||||
|
||||
result (IDENT REQUEST) = 27
|
||||
|
||||
Peers:
|
||||
NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
|
||||
Attach Request count : 1
|
||||
TLLI cache size : 1
|
||||
TLLI-Cache: 1
|
||||
TLLI 8000dead -> 8000dead, IMSI (none), AGE 0, STORED 1, IMSI acquisition in progress
|
||||
PROCESSING DETACH ACCEPT from 0x01020304:1111
|
||||
00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 09 01 c0 05 08 06 00 f8 92 41
|
||||
|
||||
CALLBACK, event 0, msg length 32, bvci 0x1002
|
||||
00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 09 01 c0 05 08 06 00 f8 92 41
|
||||
|
||||
result (DETACH ACCEPT) = 0
|
||||
|
||||
Peers:
|
||||
NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
|
||||
Attach Request count : 1
|
||||
TLLI cache size : 1
|
||||
TLLI-Cache: 1
|
||||
TLLI 8000dead -> 8000dead, IMSI (none), AGE 0, STORED 2, IMSI acquisition in progress
|
||||
PROCESSING IDENT RESPONSE from 0x01020304:1111
|
||||
00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 11 01 c0 09 08 16 08 11 12 13 14 15 16 17 18 ba 14 c3
|
||||
|
||||
CALLBACK, event 0, msg length 40, bvci 0x1002
|
||||
00 00 10 02 01 80 00 de ad 00 00 04 08 88 11 22 33 40 50 60 12 34 00 80 0e 00 11 01 c0 09 08 16 08 11 12 13 14 15 16 17 18 ba 14 c3
|
||||
|
||||
NS UNITDATA MESSAGE to SGSN, BVCI 0x1002, msg length 75 (gprs_ns_sendmsg)
|
||||
MESSAGE to SGSN at 0x05060708:32000, msg length 79
|
||||
00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 01 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 16 6d 01
|
||||
|
||||
result (IDENT RESPONSE) = 0
|
||||
|
||||
Peers:
|
||||
NSEI 4096, BVCI 4098, not blocked, RAI 112-332-16464-96
|
||||
Attach Request count : 1
|
||||
TLLI-Cache: 0
|
||||
Gbproxy global:
|
||||
===== GbProxy test END
|
||||
|
||||
|
|