Bug #4094
closedmultiple crashes due to connection failures / drops
Added by Hoernchen almost 5 years ago. Updated almost 4 years ago.
0%
Description
osmo-bsc offers some new and exciting crashes when interfering with rsl/oml connections, they all appear to be related to improper removal of old links from linked lists after a line was e1inp_line_put().
Related issues
Updated by Hoernchen almost 5 years ago
The first free happens within the same call of ipaccess_sign_link_down as the second erroneous free.
<0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:39984 <0015> ipa.c:481 Cannot send ID_ACK message. Reason: Broken pipe <0015> input/ipaccess.c:154 Unexpected return from ipa_ccm_rcvmsg_base (ret=-32) <0015> input/ipaccess.c:440 failed to send A-bis IPA signalling message. Reason: Broken pipe <0015> input/ipaccess.c:87 Forcing socket shutdown with no signal link set <0015> bts_ipaccess_nanobts.c:416 (bts=0) Dropping OML link: link down <0015> bts_ipaccess_nanobts.c:397 (bts=0,trx=0) Dropping RSL link: OML link drop ================================================================= ==22092==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00000caa8 at pc 0x7ffff592a5cd bp 0x7fffffffd510 sp 0x7fffffffd500 WRITE of size 8 at 0x62e00000caa8 thread T0 #0 0x7ffff592a5cc in __llist_del /usr/local/include/osmocom/core/linuxlist.h:117 #1 0x7ffff592a6e3 in llist_del /usr/local/include/osmocom/core/linuxlist.h:129 #2 0x7ffff592def4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:551 #3 0x5555559cdb82 in ipaccess_drop_rsl /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:398 #4 0x5555559cdfda in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:423 #5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612 #6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98 #7 0x7ffff594af22 in __handle_ts1_write input/ipaccess.c:457 #8 0x7ffff594aff9 in handle_ts1_write input/ipaccess.c:466 #9 0x7ffff594b106 in ipaccess_fd_cb input/ipaccess.c:484 #10 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223 #11 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263 #12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #14 0x5555558e7109 in _start (/usr/local/bin/osmo-bsc+0x393109) 0x62e00000caa8 is located 1704 bytes inside of 48080-byte region [0x62e00000c400,0x62e000017fd0) freed by thread T0 here: #0 0x7ffff6ef87b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8) #1 0x7ffff67e114f in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7b14f) #2 0x7ffff592d7c1 in e1inp_line_put /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:448 #3 0x7ffff592e2f4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:563 #4 0x5555559cde54 in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:417 #5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612 #6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98 #7 0x7ffff594af22 in __handle_ts1_write input/ipaccess.c:457 #8 0x7ffff594aff9 in handle_ts1_write input/ipaccess.c:466 #9 0x7ffff594b106 in ipaccess_fd_cb input/ipaccess.c:484 #10 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223 #11 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263 #12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) previously allocated by thread T0 here: #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x7ffff67f38f5 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8d8f5) #2 0x7ffff592cec2 in e1inp_line_clone /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:392 #3 0x7ffff594bc8d in ipaccess_bsc_oml_cb input/ipaccess.c:569 #4 0x7ffff59425ab in ipa_server_fd_cb input/ipa.c:272 #5 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223 #6 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263 #7 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #8 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/include/osmocom/core/linuxlist.h:117 in __llist_del Shadow bytes around the buggy address: 0x0c5c7fff9900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff9910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff9920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff9930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff9940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c5c7fff9950: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff9960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff9970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff9980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff9990: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff99a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==22092==ABORTING
Updated by Hoernchen almost 5 years ago
<0004> abis_nm.c:472 BTS0 reported variant: omso-bts-trx <0004> abis_nm.c:494 BTS0 Attribute Manufacturer Dependent State is unreported <0004> abis_nm.c:560 OC=BASEBAND-TRANSCEIVER(04) INST=(00,00,ff): BTS0: ARI reported sw[0/1]: TRX_PHY_VERSION is Unknown <0004> abis_nm.c:2884 (bts=0,trx=0) IPA RSL CONNECT IP=0.0.0.0 PORT=3003 STREAM=0x00 <0015> input/ipa.c:270 0.0.0.0:3003 accept()ed new link from 127.0.0.1:59734 <0003> osmo_bsc_main.c:285 bootstrapping RSL for BTS/TRX (0/0) on ARFCN 871 using MCC-MNC 001-01 LAC=1 CID=0 BSIC=63 <0000> chan_alloc.c:128 (bts=0) bogus channel load sample (used=0 / total=0) <0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:40070 <0015> ipa.c:481 Cannot send ID_ACK message. Reason: Broken pipe <0015> input/ipaccess.c:154 Unexpected return from ipa_ccm_rcvmsg_base (ret=-32) <0015> input/ipaccess.c:87 Forcing socket shutdown with no signal link set <0015> bts_ipaccess_nanobts.c:416 (bts=0) Dropping OML link: link down <0015> bts_ipaccess_nanobts.c:397 (bts=0,trx=0) Dropping RSL link: OML link drop ================================================================= ==23613==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00003caa8 at pc 0x7ffff592a5cd bp 0x7fffffffd460 sp 0x7fffffffd450 WRITE of size 8 at 0x62e00003caa8 thread T0 #0 0x7ffff592a5cc in __llist_del /usr/local/include/osmocom/core/linuxlist.h:117 #1 0x7ffff592a6e3 in llist_del /usr/local/include/osmocom/core/linuxlist.h:129 #2 0x7ffff592def4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:551 #3 0x5555559cdb82 in ipaccess_drop_rsl /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:398 #4 0x5555559cdfda in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:423 #5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612 #6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98 #7 0x7ffff5947581 in ipa_bsc_keepalive_timeout_cb input/ipaccess.c:116 #8 0x7ffff5945f95 in ipa_ka_fsm_timer_cb input/ipa_keepalive.c:162 #9 0x7ffff5c9ac05 in fsm_tmr_cb /home/phi/sysmo/lime/libosmocore/src/fsm.c:287 #10 0x7ffff5c83c30 in osmo_timers_update /home/phi/sysmo/lime/libosmocore/src/timer.c:257 #11 0x7ffff5c86939 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:260 #12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #14 0x5555558e7109 in _start (/usr/local/bin/osmo-bsc+0x393109) 0x62e00003caa8 is located 1704 bytes inside of 48080-byte region [0x62e00003c400,0x62e000047fd0) freed by thread T0 here: #0 0x7ffff6ef87b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8) #1 0x7ffff67e114f in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7b14f) #2 0x7ffff592d7c1 in e1inp_line_put /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:448 #3 0x7ffff592e2f4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:563 #4 0x5555559cde54 in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:417 #5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612 #6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98 #7 0x7ffff5947581 in ipa_bsc_keepalive_timeout_cb input/ipaccess.c:116 #8 0x7ffff5945f95 in ipa_ka_fsm_timer_cb input/ipa_keepalive.c:162 #9 0x7ffff5c9ac05 in fsm_tmr_cb /home/phi/sysmo/lime/libosmocore/src/fsm.c:287 #10 0x7ffff5c83c30 in osmo_timers_update /home/phi/sysmo/lime/libosmocore/src/timer.c:257 #11 0x7ffff5c86939 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:260 #12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) previously allocated by thread T0 here: #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x7ffff67f38f5 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8d8f5) #2 0x7ffff592cec2 in e1inp_line_clone /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:392 #3 0x7ffff594bc8d in ipaccess_bsc_oml_cb input/ipaccess.c:569 #4 0x7ffff59425ab in ipa_server_fd_cb input/ipa.c:272 #5 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223 #6 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263 #7 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #8 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/include/osmocom/core/linuxlist.h:117 in __llist_del Shadow bytes around the buggy address: 0x0c5c7ffff900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7ffff910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7ffff920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7ffff930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7ffff940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c5c7ffff950: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd 0x0c5c7ffff960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7ffff970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7ffff980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7ffff990: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7ffff9a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==23613==ABORTING
Updated by Hoernchen almost 5 years ago
This one is different, ipaccess_sign_link_up instead of ipaccess_sign_link_down, dropping the "old" oml link fails.
0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:40312 <0007> a_reset.c:106 A-RESET(msc-0)[0x612000004720]{DISC}: (re)sending BSSMAP RESET message... <0007> osmo_bsc_sigtran.c:101 Sending RESET to MSC: RI=SSN_PC,PC=0.23.1,SSN=BSSAP <001f> m3ua.c:507 XUA_AS(as-clnt-msc-0)[0x612000003fa0]{AS_INACTIVE}: Event AS-TRANSFER.req not permitted <0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:40314 <0015> ipa.c:481 Cannot send ID_ACK message. Reason: Broken pipe <0015> input/ipaccess.c:158 Unexpected return from ipa_ccm_rcvmsg_base (ret=-32) <0007> a_reset.c:106 A-RESET(msc-0)[0x612000004720]{DISC}: (re)sending BSSMAP RESET message... <0007> osmo_bsc_sigtran.c:101 Sending RESET to MSC: RI=SSN_PC,PC=0.23.1,SSN=BSSAP <001f> m3ua.c:507 XUA_AS(as-clnt-msc-0)[0x612000003fa0]{AS_INACTIVE}: Event AS-TRANSFER.req not permitted <0015> bts_ipaccess_nanobts.c:416 (bts=0) Dropping OML link: new OML link ================================================================= ==28715==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00000c4d0 at pc 0x7ffff592a64d bp 0x7fffffffc3a0 sp 0x7fffffffc390 WRITE of size 8 at 0x62e00000c4d0 thread T0 #0 0x7ffff592a64c in __llist_del /usr/local/include/osmocom/core/linuxlist.h:117 #1 0x7ffff592a763 in llist_del /usr/local/include/osmocom/core/linuxlist.h:129 #2 0x7ffff592df74 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:551 #3 0x5555559cde54 in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:417 #4 0x5555559cf465 in ipaccess_sign_link_up /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:540 #5 0x7ffff59481d7 in ipaccess_rcvmsg input/ipaccess.c:197 #6 0x7ffff59499ac in handle_ts1_read input/ipaccess.c:325 #7 0x7ffff594b1d5 in ipaccess_fd_cb input/ipaccess.c:486 #8 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223 #9 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263 #10 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #11 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #12 0x5555558e7109 in _start (/usr/local/bin/osmo-bsc+0x393109) 0x62e00000c4d0 is located 208 bytes inside of 48080-byte region [0x62e00000c400,0x62e000017fd0) freed by thread T0 here: #0 0x7ffff6ef87b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8) #1 0x7ffff67e114f in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7b14f) #2 0x7ffff592d841 in e1inp_line_put /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:448 <------------------------------------------ #3 0x7ffff5949259 in ipaccess_rcvmsg input/ipaccess.c:287 #4 0x7ffff59499ac in handle_ts1_read input/ipaccess.c:325 #5 0x7ffff594b1d5 in ipaccess_fd_cb input/ipaccess.c:486 #6 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223 #7 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263 #8 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #9 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) previously allocated by thread T0 here: #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x7ffff67f38f5 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8d8f5) #2 0x7ffff592cf42 in e1inp_line_clone /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:392 #3 0x7ffff594bd7b in ipaccess_bsc_oml_cb input/ipaccess.c:573 #4 0x7ffff594262b in ipa_server_fd_cb input/ipa.c:272 #5 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223 #6 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263 #7 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #8 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/include/osmocom/core/linuxlist.h:117 in __llist_del Shadow bytes around the buggy address: 0x0c5c7fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5c7fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5c7fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5c7fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5c7fff9880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c5c7fff9890: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd 0x0c5c7fff98a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff98b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff98c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff98d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5c7fff98e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==28715==ABORTING
Updated by Hoernchen almost 5 years ago
- Related to Bug #3612: osmo-bts-trx: heap-use-after-free in e1inp_sign_link_destroy added
Updated by pespin almost 4 years ago
- Status changed from New to Closed
Fixed by:
https://gerrit.osmocom.org/c/libosmo-abis/+/18730 e1_input: refcount inc line during e1_sign_link_create, not during line update
Since this ticket is a duplicate of an older one (#3612), I'm closing this one and keeping the other open until fix is merged.
Updated by laforge over 3 years ago
- Related to Bug #4709: osmo-bts-trx (latest version 1.2.1) crashes in ttcn3-bts-test-latest added
IMPORTANT NOTICE: This page contains information about a legacy version of the Osmocom software. This legacy version is no longer maintained. If you use it, don't be surprised if it doesn't work. It was your choice to ignore man-years worth of developments, improvements and fixes. Please migrate to the active/supported software (Osmocom CNI, consisting of OsmoBSC, OsmoMSC, OsmoHLR, OsmoSTP, OsmoMGW - a NITB style setup is described at Osmocom_Network_In_The_Box).