osmo-sip-connector/src
Holger Hans Peter Freyther 49880ddf74 mncc: Fix use after free on mncc socket disconnection
When the MNCC socket breaks down we would release all calls but when
there is no remote call the call would be released before

	if (call->remote)
		...

is being executed leading to a use after free. Fix it by copying the
legs first and assuming the call will be gone after that.

==3618== Invalid read of size 4
==3618==    at 0x804A18A: app_mncc_disconnected (app.c:49)
==3618==    by 0x804B52D: close_connection (mncc.c:255)
==3618==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
==3618==    by 0x804CC86: check_setup (mncc.c:435)
==3618==    by 0x804CC86: mncc_data (mncc.c:795)
==3618==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
==3618==    by 0x804D1F2: evpoll (evpoll.c:92)
==3618==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x8049AA6: main (main.c:171)
==3618==  Address 0x47f3258 is 64 bytes inside a block of size 76 free'd
==3618==    at 0x402A3A8: free (vg_replace_malloc.c:473)
==3618==    by 0x42E7FD1: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.5)
==3618==    by 0x804A3FD: call_leg_release (call.c:87)
==3618==    by 0x804A186: app_mncc_disconnected (app.c:48)
==3618==    by 0x804B52D: close_connection (mncc.c:255)
==3618==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
==3618==    by 0x804CC86: check_setup (mncc.c:435)
==3618==    by 0x804CC86: mncc_data (mncc.c:795)
==3618==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
==3618==    by 0x804D1F2: evpoll (evpoll.c:92)
==3618==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x8049AA6: main (main.c:171)
==3618==

Change-Id: I1889013ed315f896e4295358f6daf76ce523dc2a
2017-03-06 21:10:07 +00:00
Makefile.am distcheck: Package the logging.h file as well 2016-04-24 22:30:26 +02:00
app.c mncc: Fix use after free on mncc socket disconnection 2017-03-06 21:10:07 +00:00
app.h app/mncc: Add "use-imsi" to allow calling by IMSI 2016-04-01 15:35:29 +02:00
call.c vty: Add simple VTY output for current calls 2016-04-04 17:09:30 +02:00
call.h sip/call/mncc: Move source/dest into the call structure 2016-04-04 19:52:41 +02:00
evpoll.c evpoll: Don't try to be more smart than g_poll 2017-02-11 13:06:32 +07:00
evpoll.h Initial commit for a MNCC to SIP gateway (and maybe auth GW too) 2016-03-21 09:54:37 +01:00
logging.h call/app: Hook the MNCC disconnect event in the app and release calls 2016-03-22 16:32:48 +01:00
main.c log VTY telnet bind only once 2016-09-26 22:56:27 +02:00
mncc.c vty: Add VTY command about the state of the mncc connection 2016-04-04 20:17:29 +02:00
mncc.h vty: Add VTY command about the state of the mncc connection 2016-04-04 20:17:29 +02:00
mncc_protocol.h mncc: Add the protocol description from OpenBSC 2016-03-21 15:46:53 +01:00
sdp.c sip/sdp: Hack to get a GSM codec call connected 2016-03-31 16:28:21 +02:00
sdp.h sip/sdp: Hack to get a GSM codec call connected 2016-03-31 16:28:21 +02:00
sip.c sip: Treat SIP 183 as progress too 2017-02-11 04:53:16 +01:00
sip.h sip/call/mncc: Move source/dest into the call structure 2016-04-04 19:52:41 +02:00
vty.c vty: Add VTY command about the state of the mncc connection 2016-04-04 20:17:29 +02:00
vty.h mncc: Add code to manage the mncc connection for CC 2016-03-21 17:00:02 +01:00