Bug #3300
Avoid heap-use-after-free in osmo_wqueue_bfd_cb
Status: closed
Start date: 05/29/2018
Due date:
% Done: 100%
Spec Reference:
Description
<0015> /home/data/pespin/git/openbsc/openbsc/src/osmo-bsc_nat/bsc_filter.c:209 Whitelisted with rule 0
<0015> /home/data/pespin/git/openbsc/openbsc/src/osmo-bsc_nat/bsc_sccp.c:136 Created 0x30006 <-> 0x50006 mapping for con 0x616000052be0
<0015> /home/data/pespin/git/openbsc/openbsc/src/osmo-bsc_nat/bsc_nat.c:1317 The connection to the BSC Nr: -1 was lost. Cleaning it
=================================================================
==27028==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000c521c at pc 0x7ffff606b056 bp 0x7fffffffe170 sp 0x7fffffffe168
READ of size 4 at 0x6160000c521c thread T0
    #0 0x7ffff606b055 in osmo_wqueue_bfd_cb /home/data/pespin/git/libosmocore/src/write_queue.c:65
    #1 0x7ffff6055c3b in osmo_fd_disp_fds /home/data/pespin/git/libosmocore/src/select.c:217
    #2 0x7ffff6055ed5 in osmo_select_main /home/data/pespin/git/libosmocore/src/select.c:257
    #3 0x421c82 in main /home/data/pespin/git/openbsc/openbsc/src/osmo-bsc_nat/bsc_nat.c:1713
    #4 0x7ffff4803b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #5 0x406438 (/home/data/pespin/build/2g-nitb/out/bin/osmo-bsc_nat+0x406438)

0x6160000c521c is located 156 bytes inside of 568-byte region [0x6160000c5180,0x6160000c53b8)
freed by thread T0 here:
    #0 0x7ffff6f59527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x7ffff69fd522 in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x3522)

previously allocated by thread T0 here:
    #0 0x7ffff6f5973f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7ffff6a01630 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7630)

SUMMARY: AddressSanitizer: heap-use-after-free /home/data/pespin/git/libosmocore/src/write_queue.c:65 osmo_wqueue_bfd_cb
Shadow bytes around the buggy address:
  0x0c2c800109f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80010a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80010a10: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c2c80010a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80010a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2c80010a40: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
Required fix is probably similar to that of #3206
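The sequence the trace above shows (the read side of the write queue tears down the BSC connection, and osmo_wqueue_bfd_cb then keeps using the queue embedded in that connection) modelled as an added example in C. This is not libosmocore's or openbsc's code: the fd_entry/wqueue/conn structs, the FD_READ/FD_WRITE flags and the convention that a read callback returns -EBADF after destroying its owner are assumptions made for the illustration, and a static one-slot pool stands in for talloc so that the stale access can be counted instead of being undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an fd dispatcher plus write queue in the style of
 * osmo_fd/osmo_wqueue. Every name and layout here is an assumption made for
 * this example; none of it is libosmocore's or openbsc's code. */
#define FD_READ  0x1
#define FD_WRITE 0x2
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct fd_entry {
	int (*cb)(struct fd_entry *ofd, unsigned int what);
};

struct wqueue {
	struct fd_entry bfd;  /* embedded fd, like osmo_wqueue.bfd */
	int pending;          /* messages waiting to be written */
	int (*read_cb)(struct fd_entry *ofd);
	int (*write_cb)(struct fd_entry *ofd);
};

/* BSC connection owning its write queue; freeing it frees the queue too. */
struct conn {
	struct wqueue wq;
	bool alive;
};

/* Static one-slot "heap" instead of talloc: alive == false stands for freed,
 * so a stale access can be counted instead of being undefined behaviour. */
static struct conn pool;
static int writes_on_freed_conn;

/* Models "The connection to the BSC ... was lost. Cleaning it": the read
 * callback destroys the connection embedding the queue it was called on. */
static int read_cb_lost_connection(struct fd_entry *ofd)
{
	struct wqueue *q = container_of(ofd, struct wqueue, bfd);
	container_of(q, struct conn, wq)->alive = false;
	return 0;  /* tells the caller nothing about the fd being gone */
}

/* Same teardown, but reports the fd as gone so the caller stops using it. */
static int read_cb_lost_connection_fixed(struct fd_entry *ofd)
{
	read_cb_lost_connection(ofd);
	return -EBADF;
}

static int write_cb(struct fd_entry *ofd)
{
	struct wqueue *q = container_of(ofd, struct wqueue, bfd);
	if (!container_of(q, struct conn, wq)->alive)
		writes_on_freed_conn++;  /* the use-after-free from the report */
	q->pending--;
	return 0;
}

/* Vulnerable: read_cb's result is ignored, so q is used after being freed. */
static int wqueue_cb_vulnerable(struct fd_entry *ofd, unsigned int what)
{
	struct wqueue *q = container_of(ofd, struct wqueue, bfd);
	if (what & FD_READ)
		q->read_cb(ofd);
	if ((what & FD_WRITE) && q->pending > 0)
		q->write_cb(ofd);
	return 0;
}

/* Fixed: -EBADF from read_cb means q's owner is gone, so stop touching q. */
static int wqueue_cb_fixed(struct fd_entry *ofd, unsigned int what)
{
	struct wqueue *q = container_of(ofd, struct wqueue, bfd);
	if ((what & FD_READ) && q->read_cb(ofd) == -EBADF)
		return -EBADF;
	if ((what & FD_WRITE) && q->pending > 0)
		q->write_cb(ofd);
	return 0;
}

/* One select round where the fd is readable (peer went away) and writable
 * (a message is queued). Returns the number of writes that hit the destroyed
 * connection: 1 with the vulnerable callback, 0 with the fixed one. */
int run_scenario(bool fixed)
{
	writes_on_freed_conn = 0;
	memset(&pool, 0, sizeof(pool));
	pool.alive = true;
	pool.wq.pending = 1;
	pool.wq.write_cb = write_cb;
	pool.wq.read_cb = fixed ? read_cb_lost_connection_fixed
				: read_cb_lost_connection;
	pool.wq.bfd.cb = fixed ? wqueue_cb_fixed : wqueue_cb_vulnerable;
	pool.wq.bfd.cb(&pool.wq.bfd, FD_READ | FD_WRITE);
	return writes_on_freed_conn;
}

int main(void)
{
	printf("vulnerable: %d write(s) on a freed connection\n", run_scenario(false));
	printf("fixed:      %d write(s) on a freed connection\n", run_scenario(true));
	return 0;
}
```

The shape matters more than the names: whenever a callback may free the object the dispatcher derived it from (here via container_of on the embedded fd), the callback must say so and the dispatcher must return without touching that object again, because the READ/WRITE branches of one select round share the same pointer.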
Related issues
Updated by pespin almost 6 years ago
- Related to Bug #3206: osmo-bsc: heap-use-after-free at osmo_wqueue_bfd_cb added
Updated by pespin almost 6 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 90
Should be fixed by https://gerrit.osmocom.org/#/c/openbsc/+/9381/
Updated by pespin almost 6 years ago
- Status changed from Feedback to Resolved
- % Done changed from 90 to 100
Merged, closing.