Bug #3643
closed
osmo-pcu NULL-pointer dereference after socket bind failure
Start date: 10/10/2018
% Done: 0%
Description
osmo-pcu can crash in the following way if it cannot bind to a particular port:
<000e> telnet_interface.c:104 telnet at 127.0.0.1 4240
<0001> osmobts_sock.cpp:248 Opening OsmoPCU L1 interface to OsmoBTS
<0001> osmobts_sock.cpp:311 osmo-bts PCU socket /tmp/pcu_bts has been connected
<0001> osmobts_sock.cpp:315 Sending version 0.5.1.6-07612-dirty to BTS.
<0001> pcu_l1_if.cpp:113 Sending 0.5.1.6-07612-dirty TXT as PCU_VERSION to BTS
<0001> pcu_l1_if.cpp:443 BTS available
<000b> gprs_ns.c:266 NSVCI=65534 Creating NS-VC
<000e> socket.c:228 unable to bind socket: 0.0.0.0:23000: Address already in use
<000e> socket.c:237 no suitable local addr found for: 0.0.0.0:23000
<000b> gprs_ns.c:1622 Listening for nsip packets from 127.0.0.1:23020 on 0.0.0.0:23000
<000c> gprs_bssgp_pcu.cpp:912 Failed to create socket
../include/osmocom/core/linuxlist.h:114:13: runtime error: member access within null pointer of type 'struct llist_head'
ASAN:DEADLYSIGNAL
=================================================================
==25074==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7ff61ceb5981 bp 0x7ffc629c4a30 sp 0x7ffc629c4a20 T0)
==25074==The signal is caused by a WRITE memory access.
==25074==Hint: address points to the zero page.
    #0 0x7ff61ceb5980 in __llist_del ../include/osmocom/core/linuxlist.h:114
    #1 0x7ff61ceb5a8f in llist_del ../include/osmocom/core/linuxlist.h:126
    #2 0x7ff61ceb621e in osmo_fd_unregister /home/stsp/osmo/libosmocore/src/select.c:140
    #3 0x7ff61dc42d7f in gprs_ns_close /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1484
    #4 0x7ff61dc42df0 in gprs_ns_destroy /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1497
    #5 0x55a2be9b7b04 in gprs_bssgp_create_and_connect(gprs_rlcmac_bts*, unsigned short, unsigned int, unsigned short, unsigned short, unsigned short, unsigned short, unsigned short, unsigned short, bool, unsigned short, unsigned short, unsigned short) /home/stsp/osmo/osmo-pcu/src/gprs_bssgp_pcu.cpp:913
    #6 0x55a2be9bb2ed in pcu_rx_info_ind /home/stsp/osmo/osmo-pcu/src/pcu_l1_if.cpp:495
    #7 0x55a2be9bb95c in pcu_rx(unsigned char, gsm_pcu_if*) /home/stsp/osmo/osmo-pcu/src/pcu_l1_if.cpp:626
    #8 0x55a2be9b0736 in pcu_sock_read /home/stsp/osmo/osmo-pcu/src/osmobts_sock.cpp:162
    #9 0x55a2be9b0960 in pcu_sock_cb /home/stsp/osmo/osmo-pcu/src/osmobts_sock.cpp:229
    #10 0x7ff61ceb7573 in osmo_fd_disp_fds /home/stsp/osmo/libosmocore/src/select.c:217
    #11 0x7ff61ceb7874 in osmo_select_main /home/stsp/osmo/libosmocore/src/select.c:257
    #12 0x55a2be986efc in main /home/stsp/osmo/osmo-pcu/src/pcu_main.cpp:337
    #13 0x7ff61c290b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x55a2be9864d9 in _start (/home/stsp/osmo/prefix/bin/osmo-pcu+0x1b4d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../include/osmocom/core/linuxlist.h:114 in __llist_del
==25074==ABORTING
Updated by stsp over 5 years ago
This patch to libosmocore fixes the problem: https://gerrit.osmocom.org/c/libosmocore/+/11300
<000e> telnet_interface.c:104 telnet at 127.0.0.1 4240
<0001> osmobts_sock.cpp:248 Opening OsmoPCU L1 interface to OsmoBTS
<0001> osmobts_sock.cpp:311 osmo-bts PCU socket /tmp/pcu_bts has been connected
<0001> osmobts_sock.cpp:315 Sending version 0.5.1.6-07612-dirty to BTS.
<0001> pcu_l1_if.cpp:113 Sending 0.5.1.6-07612-dirty TXT as PCU_VERSION to BTS
<0001> pcu_l1_if.cpp:443 BTS available
<000b> gprs_ns.c:266 NSVCI=65534 Creating NS-VC
<000e> socket.c:228 unable to bind socket: 0.0.0.0:23000: Address already in use
<000e> socket.c:237 no suitable local addr found for: 0.0.0.0:23000
<000b> gprs_ns.c:1622 Listening for nsip packets from 127.0.0.1:23020 on 0.0.0.0:23000
<000c> gprs_bssgp_pcu.cpp:912 Failed to create socket
<0001> pcu_l1_if.cpp:501 SGSN not available
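The trace in the description reaches a list unlink from a teardown path that runs after the bind failed. The following C code is an added example, not part of the original report and not libosmocore code (all type and function names are hypothetical): it shows why unlinking a zero-initialised, never-registered list node writes at offset sizeof(void *) from NULL, which is 0x8 on a 64-bit build and consistent with the address in the ASAN report, and one way to guard such a teardown. It illustrates the bug class only and makes no claim about what the linked patch changes.

```c
/* Added illustration; every name here is hypothetical, not libosmocore's API. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_node { struct list_node *next, *prev; };
struct fd_entry { struct list_node list; int fd; };
static struct list_node poll_set = { &poll_set, &poll_set };

/* Link an entry into the poll set; only reached after a successful bind. */
static void fd_register(struct fd_entry *e)
{
    e->list.next = poll_set.next;
    e->list.prev = &poll_set;
    poll_set.next->prev = &e->list;
    poll_set.next = &e->list;
}

/* With node->next == NULL, the store `next->prev = prev` lands here. */
static size_t null_unlink_fault_offset(void)
{
    return offsetof(struct list_node, prev);
}

/* Guarded unlink: 0 if removed, -1 if the entry was never linked. */
static int fd_unregister_safe(struct fd_entry *e)
{
    if (!e->list.next || !e->list.prev)
        return -1;                      /* zeroed node, nothing to unlink */
    e->list.next->prev = e->list.prev;
    e->list.prev->next = e->list.next;
    e->list.next = e->list.prev = NULL; /* a repeated call becomes a no-op */
    return 0;
}

/* Error path: a failed bind skips registration, yet teardown still runs. */
static int teardown_after_bind(int bind_ok)
{
    struct fd_entry e;
    memset(&e, 0, sizeof(e));
    if (bind_ok)
        fd_register(&e);
    return fd_unregister_safe(&e);
}

int main(void)
{
    printf("unguarded unlink would write at 0x%zx\n", null_unlink_fault_offset());
    return teardown_after_bind(0) == -1 ? 0 : 1;
}
```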