Currently the sign_link pointer is dereferenced after a call to
osmo_signal_dispatch, which can indirectly call
e1inp_sign_link_destroy. If that happens, accessing *sign_link is
illegal and can lead to a segmentation violation.

Since only the bts pointer is needed from sign_link after the call to
osmo_signal_dispatch, this patch changes abis_nm_rcvmsg_fom to save
that pointer to a local variable earlier.

Addresses:
<0019> input/ipa.c:250 accept()ed new link from 192.168.1.101 to port 3002
SET ATTR NACK  CAUSE=Message cannot be performed
<0005> bsc_init.c:52 Got a NACK going to drop the OML links.
<001b> bsc_init.c:319 Lost some E1 TEI link: 1 0xb351a830
=================================================================
==13198== ERROR: AddressSanitizer: heap-use-after-free on address 0xb5d1bc70 at 
pc 0x80a6e3d bp 0xbfbb33d8 sp 0xbfbb33cc

Sponsored-by: On-Waves ehf
---
 openbsc/src/libbsc/abis_nm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/openbsc/src/libbsc/abis_nm.c b/openbsc/src/libbsc/abis_nm.c
index 3bf55ec..89ffea4 100644
--- a/openbsc/src/libbsc/abis_nm.c
+++ b/openbsc/src/libbsc/abis_nm.c
@@ -565,6 +565,8 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb)
        struct abis_om_fom_hdr *foh = msgb_l3(mb);
        struct e1inp_sign_link *sign_link = mb->dst;
        uint8_t mt = foh->msg_type;
+       /* sign_link might get deleted via osmo_signal_dispatch -> save bts */
+       struct gsm_bts *bts = sign_link->trx->bts;
        int ret = 0;

        /* check for unsolicited message */
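Review bot: The new comment on `bts` says why the copy is taken but not what makes the copy itself safe to use after a signal handler has run; the description says the handler may call e1inp_sign_link_destroy, so the fix rests on the `struct gsm_bts` outliving the link, which is plausible from the log (only the OML link is dropped) but not stated anywhere. A slightly fuller comment would carry that contract for the next reader, e.g. `/* A signal handler run from osmo_signal_dispatch may destroy sign_link (see the NACK handler dropping the OML link); the bts object is expected to outlive this function, so cache it here and use only bts after any dispatch. */`. The early dereference of `sign_link->trx->bts` adds no new risk, since the original function already reads the same chain before any dispatch. abis_nm_rcvmsg_fom starts above this hunk and continues below it.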
@@ -593,7 +595,7 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb)
                nack_data.mt = mt;
                nack_data.bts = sign_link->trx->bts;
                osmo_signal_dispatch(SS_NM, S_NM_NACK, &nack_data);
-               abis_nm_queue_send_next(sign_link->trx->bts);
+               abis_nm_queue_send_next(bts);
                return 0;
        }
 #if 0
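Review bot: `nack_data.bts = sign_link->trx->bts;` on the line before the dispatch is still a pre-dispatch read and therefore safe, but it now duplicates the value already cached in `bts`; `nack_data.bts = bts;` would keep one source of truth and make every use in this path go through the cached pointer. After `osmo_signal_dispatch` returns, both `sign_link` and `mb->dst` have to be treated as possibly dangling; this branch returns immediately so nothing else touches them here. The surrounding if-block and the rest of abis_nm_rcvmsg_fom extend outside the hunk.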
@@ -636,7 +638,7 @@ static int abis_nm_rcvmsg_fom(struct msgb *mb)
                break;
        }

-       abis_nm_queue_send_next(sign_link->trx->bts);
+       abis_nm_queue_send_next(bts);
        return ret;
 }

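Review bot: The final `abis_nm_queue_send_next(bts);` is only safe if no statement between the switch cases and this line reads `sign_link` or `mb->dst` after a dispatch; the switch body lies between the second and third hunk and is not visible here, so any case that dispatches a signal and then touches the link would keep the same use-after-free that this patch fixes at the two visible call sites. This is inferred from the hunk boundaries, not from visible code, and may already hold. A one-line comment before the call, `/* sign_link may be gone by now; use only the cached bts */`, would make the invariant explicit at the point where it matters. abis_nm_rcvmsg_fom begins before this hunk.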
-- 
1.9.1
