From ce96928e121fb59ad28e89b3987eaab1566c9a32 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sat, 14 Apr 2018 15:04:28 +0200
Subject: [PATCH] smpp: Unset esme->acl on socket close
We set acl->esme during _process_bind(), but we don't clear it in case the TCP connection for the ESME is dead. This leads to a stale acl->esme pointer, which we will attempt to dereference the next time a SMS is delivered to a route pointing to this acl, where it will be a heap use-after-free. This was discovered using AddressSanitizer and MSC_Tests.ttcn
Closes: OS#3168
Change-Id: I1f140d7f9c7d89f200ddbcd81a8df66de69fb3e4
---
 src/libmsc/smpp_smsc.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/libmsc/smpp_smsc.c b/src/libmsc/smpp_smsc.c
index b889b5235..7bbb0a4e7 100644
--- a/src/libmsc/smpp_smsc.c
+++ b/src/libmsc/smpp_smsc.c
@@ -249,6 +249,8 @@ static void esme_destroy(struct osmo_esme *esme)
 }
 smpp_cmd_flush_pending(esme);
 llist_del(&esme->list);
+ if (esme->acl)
+ esme->acl->esme = NULL;
 talloc_free(esme);
 }
@@ -875,6 +877,8 @@ dead_socket:
 osmo_fd_unregister(&esme->wqueue.bfd);
 close(esme->wqueue.bfd.fd);
 esme->wqueue.bfd.fd = -1;
+ if (esme->acl)
+ esme->acl->esme = NULL;
 smpp_esme_put(esme);
 return 0;
@@ -891,6 +895,8 @@ static int esme_link_write_cb(struct osmo_fd *ofd, struct msgb *msg)
 osmo_fd_unregister(&esme->wqueue.bfd);
 close(esme->wqueue.bfd.fd);
 esme->wqueue.bfd.fd = -1;
+ if (esme->acl)
+ esme->acl->esme = NULL;
 smpp_esme_put(esme);
 } else if (rc < msgb_length(msg)) {
 LOGP(DSMPP, LOGL_ERROR, "[%s] Short write\n", esme->system_id);
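Review bot: The added `if (esme->acl) esme->acl->esme = NULL;` in esme_destroy, and the identical two lines in the two dead-socket hunks below (the `dead_socket:` path and esme_link_write_cb), clear the ACL's back-pointer without checking that it still points at this ESME, so if the same ACL has meanwhile been bound by a newer connection, tearing down the old one would detach the live ESME and leave the ACL unroutable. The guard should confirm ownership first: `if (esme->acl && esme->acl->esme == esme)` followed by `esme->acl->esme = NULL;`. Whether _process_bind allows a second bind on an already-bound ACL is not visible in this patch; if it rejects one, the stricter check is purely defensive and costs nothing. The body of esme_destroy begins outside the hunk.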
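Review bot: The unregister/close/reset/clear-ACL sequence is now copy-pasted in both the `dead_socket:` path and esme_link_write_cb, and this commit had to touch each copy separately, which is exactly how the original missing clear slipped through in one place. Pulling the five lines into a single static helper keeps the two tear-down paths identical and gives the ACL-unlink step one documented home; each call site then shrinks to `esme_close_socket(esme);` before `smpp_esme_put(esme);`. Both enclosing functions start and end outside their hunks, so the helper must be placed before the first of them.
```c
/* Tear down the ESME's TCP socket and detach it from its ACL so the
 * ACL no longer routes to a connection that is gone. Shared by the
 * read (dead_socket:) and write (esme_link_write_cb) error paths. */
static void esme_close_socket(struct osmo_esme *esme)
{
	osmo_fd_unregister(&esme->wqueue.bfd);
	close(esme->wqueue.bfd.fd);
	esme->wqueue.bfd.fd = -1;
	if (esme->acl)
		esme->acl->esme = NULL;
}
/* … unchanged: call sites replace the five lines with esme_close_socket(esme); then smpp_esme_put(esme); … */
```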