laforge has submitted this change. ( 
https://gerrit.osmocom.org/c/libosmo-abis/+/19478 )

Change subject: ipaccess: Fix use-after-free in ipaccess_drop()
......................................................................

ipaccess: Fix use-after-free in ipaccess_drop()

Recent commit b8ea0ff521a3e01c22a9dd1948b9a853521f575e introduced a
heap-use-after-free while getting rid of memleaks and clearing up the
reference counting lifecycle of the line object.

In that commit, e1inp_line_put2() was added in ipaccess_drop() which may
potentially free the line object (and its children e1inp_ts objects)
under specific conditions/scenarios. However, the function still used
the child object e1i_ts which in those scenarios would access already
freed memory.

Let's keep a local reference during the life of the function to make
sure the object is non-freed during e1inp_line_put2(), so that we can
notify upper layers that the link is down.

Detected by enabling ASan and running BSC_Tests.TC_chopped_ipa_ping
TTCN3 test.

Related: OS#4688
Change-Id: I4f56af28ad8297846bcdc8ba7afe51fff0f9a00f
---
M src/input/ipaccess.c
1 file changed, 2 insertions(+), 0 deletions(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved



diff --git a/src/input/ipaccess.c b/src/input/ipaccess.c
index d81191c..30bcaf9 100644
--- a/src/input/ipaccess.c
+++ b/src/input/ipaccess.c
@@ -82,6 +82,7 @@
 {
        int ret = 1;
        struct e1inp_ts *e1i_ts = ipaccess_line_ts(bfd, line);
+       e1inp_line_get2(line, __func__);

        ipaccess_keepalive_fsm_cleanup(e1i_ts);

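Review bot: The new e1inp_line_get2(line, __func__) call at the top of the function has no comment saying why a local reference is needed, so the get/put pair reads as redundant and could be dropped in a later cleanup. A short comment would help, stating that the reference keeps line and its e1i_ts child alive until sign_link_down() has been called, because an e1inp_line_put2() further down may otherwise release the last reference. As a style point, the call sits directly under the declarations; a blank line between the declarations and this first statement would match the spacing used before ipaccess_keepalive_fsm_cleanup(e1i_ts).
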
@@ -108,6 +109,7 @@
        /* e1inp_sign_link_destroy releases the socket descriptors for us. */
        line->ops->sign_link_down(line);

+       e1inp_line_put2(line, __func__);
        return ret;
 }

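Review bot: The balancing e1inp_line_put2(line, __func__) is placed only before the final return ret, so any return between the get at function entry and this point would leak the reference. The lines between the two hunks are not shown here; please confirm there is no early exit in that range, or route all exits through a single label that does the put. Keeping the put after line->ops->sign_link_down(line) is the right order, since that call still dereferences line, and nothing after the put should touch line or e1i_ts.
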

--
To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/19478

Gerrit-Project: libosmo-abis
Gerrit-Branch: master
Gerrit-Change-Id: I4f56af28ad8297846bcdc8ba7afe51fff0f9a00f
Gerrit-Change-Number: 19478
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pes...@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <lafo...@osmocom.org>
Gerrit-MessageType: merged
