fix use-after-free: require new fsm deferred dealloc, check for term
API doc: require osmo_fsm_set_dealloc_ctx().

mgcp_client during delete: do not reparent the FSM when it is already terminating.

I have recently discovered a vulnerability: if an endpoint FSM deallocates during event handling of a successful MGCP response, this causes a use-after-free; and once that is fixed, a state change on the already terminated FSM causes a pointer corruption by using already cleaned data structures.

osmo_fsm_set_dealloc_ctx() fixes the use-after-free, and osmo_fsm_set_term_stops_actions() fixes the pointer corruption.

Related: Ib7fce7b7d54dfb87af97544796680919e5929a50 (osmo-bsc), I08c03946605aa12e0a5ce8b3c773704ef5327a7a (osmo-msc)
Depends: Ief4dba9ea587c9b4aea69993e965fbb20fb80e78 (libosmocore), I0adc13a1a998e953b6c850efa2761350dd07e03a (libosmocore)
Change-Id: I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3
Parent: e827831514
Commit: ca2aec0235
@ -255,6 +255,9 @@ struct osmo_mgcpc_ep *osmo_mgcpc_ep_fi_mgwep(struct osmo_fsm_inst *fi)
* MGCP messages to set up the endpoint will be sent on the given mgcp_client, as soon as the first
* osmo_mgcpc_ep_ci_request() is invoked.
*
* IMPORTANT: To avoid use-after-free problems, using this FSM requires use of deferred FSM deallocation using
* osmo_fsm_set_dealloc_ctx(), e.g. using osmo_select_main_ctx(OTC_SELECT) with osmo_select_main_ctx() as main loop.
*
* A typical sequence of events would be:
*
* ep = osmo_mgcpc_ep_alloc(..., mgcp_client_rtpbridge_wildcard(client));
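Review bot: the example in the new IMPORTANT paragraph looks like a typo: it reads "e.g. using osmo_select_main_ctx(OTC_SELECT) with osmo_select_main_ctx() as main loop", naming the same function twice, while the sentence is about osmo_fsm_set_dealloc_ctx(), which the commit title also requires. The intended pairing is presumably "osmo_fsm_set_dealloc_ctx(OTC_SELECT) with osmo_select_main_ctx() as main loop", i.e. the deferred dealloc context is the one that osmo_select_main_ctx() frees after each select iteration. Since this is the only place a user of the API is told how to avoid the use-after-free the commit fixes, the correct call name matters; please also consider stating that the requirement applies to mgcp_client_fsm.c's conn FSM as well, since the second hunk changes that code for the same reason.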
@ -708,6 +708,9 @@ void mgcp_conn_delete(struct osmo_fsm_inst *fi)

OSMO_ASSERT(mgcp_ctx);

if (fi->proc.terminating)
return;

/* Unlink FSM from parent */
osmo_fsm_inst_unlink_parent(fi, NULL);

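Review bot: the new early return on fi->proc.terminating has no comment explaining why mgcp_conn_delete() must bail out here, although the reasoning (the FSM is already being torn down, so re-parenting it to a NULL parent would act on an instance whose cleanup is in progress) is only in the commit message. A one-line comment above the check, e.g. "/* FSM is already terminating; do not unlink/reparent an instance that is being torn down. */", would keep that rationale with the code. Since the rest of the function is silently skipped, a LOGPFSML(fi, LOGL_DEBUG, ...) line before the return would also make the skipped delete visible when debugging the deallocation ordering this change is about. Finally, note that this guard only covers an FSM whose termination is in progress; a caller that still holds fi after termination has completed relies on the deferred dealloc context described in the first hunk, so the two requirements should be documented together.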