osmocom
/
libosmocore
mirror of https://gerrit.osmocom.org/libosmocore
11
0
Fork 0
Code Issues Releases Wiki Activity

ns2: Avoid use-after-free when SGSN-side non-persistent SNS-NSE fails 

alive_timeout_handler() changes the state to RECOVERING which calls
ns2_st_alive_onenter()->ns2_nse_notify_unblocked(unblocked=false)->
ns2_sns_notify_alive(unblocked=false)

When all (signalling) NSVCs have failed and gss->role is SGSN and not
persistent sns_failed() calls gprs_ns2_free_nse() which talloc_free()s
the nse before returning.

The next line in ns2_nse_notify_unblocked() tries to read nse->alive which then causes the
use-after-free.

Change-Id: I0486a77fd3e21fd3904bd19e4e0225ffbf654935
Related: OS#5302
This commit is contained in:
Daniel Willmann 2021-11-10 16:44:56 +01:00
parent 6b5a533f4d
commit 334cf8759f
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/gb/gprs_ns2.c
View File

@ -1392,11 +1392,16 @@ void ns2_nse_data_sum(struct gprs_ns2_nse *nse)
void ns2_nse_notify_unblocked(struct gprs_ns2_vc *nsvc, bool unblocked)
{
struct gprs_ns2_nse *nse = nsvc->nse;
struct gprs_ns2_inst *nsi = nse->nsi;
uint16_t nsei = nse->nsei;
ns2_nse_data_sum(nse);
ns2_sns_notify_alive(nse, nsvc, unblocked);
if (unblocked == nse->alive)
/* NSE could have been freed, try to get it again */
nse = gprs_ns2_nse_by_nsei(nsi, nsei);
if (!nse || unblocked == nse->alive)
return;
/* wait until both data_weight and sig_weight are != 0 before declaring NSE as alive */