From c518e3fa0678d1d233645b3913032e56c67481b1 Mon Sep 17 00:00:00 2001
From: Neels Janosch Hofmeyr
Date: Thu, 9 Feb 2023 00:06:41 +0100
Subject: [PATCH] clarify API doc for osmo_pfcp_endpoint_tx()

I recently discovered some use-after-free in osmo-upf by wrong API usage of osmo_pfcp_endpoint_tx(). Highlight this pitfall in API doc.

Change-Id: I637e7bb5d1296b5ad8db8ab0b8151fdbb9e7be03
---
 src/libosmo-pfcp/pfcp_endpoint.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/libosmo-pfcp/pfcp_endpoint.c b/src/libosmo-pfcp/pfcp_endpoint.c
index 83a689f..7e08d8e 100644
--- a/src/libosmo-pfcp/pfcp_endpoint.c
+++ b/src/libosmo-pfcp/pfcp_endpoint.c
@@ -326,7 +326,12 @@ static int osmo_pfcp_endpoint_retrans_queue_add(struct osmo_pfcp_endpoint *endpo
  * Store the message in the local message queue for possible retransmissions.
  * On success, return zero, and pass ownership of m to ep. ep deallocates m when all retransmissions are done / a reply
  * has been received.
- * On error, return nonzero, and immediately deallocate m. */
+ * On error, return nonzero, and immediately deallocate m.
+ *
+ * WARNING: Do not access the osmo_pfcp_msg m after calling this function! In most cases, m will still remain allocated,
+ * and accessing it will work, but especially when an error occurs, m will be deallocated immediately. Hence, you will
+ * see no problem during normal successful operation, but your program will crash with use-after-free on any error!
+ */
 int osmo_pfcp_endpoint_tx(struct osmo_pfcp_endpoint *ep, struct osmo_pfcp_msg *m)
 {
 	struct osmo_pfcp_ie_node_id *node_id;
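Review bot: The new WARNING paragraph describes the symptom but not the rule a caller has to follow: the lines above it already state that ownership of m passes to ep on success and that m is freed on error, so the actionable contract is that anything the caller still needs from m must be read or copied before the call, on every path. The sentence "In most cases, m will still remain allocated, and accessing it will work" can be read as tacit permission to touch m after a successful return, which is exactly the latent bug the commit is trying to prevent. I would state the contract directly, e.g. ` * WARNING: ep owns m after this call on every return path (on error m is freed before returning). Read or copy whatever you still need from m BEFORE calling osmo_pfcp_endpoint_tx(), and never dereference m afterwards; setting your local pointer to NULL right after the call makes violations crash deterministically instead of only on the error path.` The body of osmo_pfcp_endpoint_tx() continues outside the hunk, so whether the error path frees m before or after logging cannot be checked from here.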