Bug #4644
heap-buffer-overflow on OM2k bring-up with DAHDI
Status:
closed
Start date:
07/03/2020
Due date:
% Done:
90%
Spec Reference:
Description
When trying to bring up an RBS2308 with AddressSanitizer on current osmo-bsc 1.6.0.166-b8425 + libosmo-abis 0.8.0.34.3616, I get the following:
<0004> bts_ericsson_rbs2000.c:125 inp_sig_cb(): Input signal 'LINE-INIT' received
<0014> input/lapd.c:248 (0:1-T62-S62): LAPD Allocating SAP for SAPI=62 / TEI=62 (dl=0x615000001780, sap=0x615000001760)
<0014> input/lapd.c:258 (0:1-T62-S62): k=1 N200=50 N201=260 T200=0.300000 T203=10.0
<0014> input/lapd.c:521 (0:1-T62-S62): LAPD DL-ESTABLISH request TEI=62 SAPI=62
=================================================================
==20115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004de0 at pc 0x7f237ad181e5 bp 0x7ffdd5e42f80 sp 0x7ffdd5e42730
READ of size 5 at 0x612000004de0 thread T0
    #0 0x7f237ad181e4 (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x951e4)
    #1 0x7f237ab6da5d in dahdi_write_msg input/dahdi.c:227
    #2 0x7f237ab68a6e in send_ph_data_req input/lapd.c:634
    #3 0x7f237abf1c8e in lapd_est_req src/gsm/lapd_core.c:1727
    #4 0x7f237ab697dd in lapd_sap_start input/lapd.c:529
    #5 0x5634391cc644 in start_sabm_in_line /root/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:87
    #6 0x5634391cd46e in inp_sig_cb /root/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:159
    #7 0x5634391cd46e in inp_sig_cb /root/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:115
    #8 0x7f237aba00bb in osmo_signal_dispatch src/signal.c:118
    #9 0x7f237ab61118 in e1inp_line_update src/e1_input.c:878
    #10 0x5634391f62c4 in e1_reconfig_bts /root/git/osmo-bsc/src/osmo-bsc/e1_config.c:205
    #11 0x5634390582ea in bsc_network_configure /root/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:538
    #12 0x5634390582ea in main /root/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:868
    #13 0x7f2379e2309a in __libc_start_main ../csu/libc-start.c:308
    #14 0x56343905a2f9 in _start (/root/git/osmo-bsc/src/osmo-bsc/osmo-bsc+0x5322f9)

0x612000004de0 is located 0 bytes to the right of 288-byte region [0x612000004cc0,0x612000004de0)
allocated by thread T0 here:
    #0 0x7f237ad6c330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f237ac4fe80 in talloc_named_const (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8e80)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x951e4)
Shadow bytes around the buggy address:
  0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c247fff8990: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff89a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff89b0: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c247fff89c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff89d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff89e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
  0x0c247fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20115==ABORTING
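The report states that a 5-byte read begins exactly at the end of a 288-byte talloc allocation (0 bytes to the right of the region), i.e. the access overruns the buffer by all 5 bytes. The following is an added example, not code from libosmo-abis or osmo-bsc and not a statement of what the actual defect in dahdi_write_msg is (the report does not say). It shows the bounds check a write path should apply before copying out of a heap buffer so that an oversized request becomes a handled error instead of an out-of-bounds read; the 288/5 figures are taken from the report, the buffer layout and function names are assumed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical helper, not libosmo-abis code):
 * does an access of `size` bytes at `offset` stay inside an
 * allocation of `alloc_len` bytes?  Written so that offset + size
 * cannot wrap around size_t. */
static bool access_in_bounds(size_t alloc_len, size_t offset, size_t size)
{
	if (offset > alloc_len)
		return false;
	return size <= alloc_len - offset;
}

/* Hypothetical checked copy: take `want` bytes at `offset` of a heap
 * buffer of `alloc_len` bytes and place them in `out` (capacity
 * `out_len`).  Returns the number of bytes copied, or -1 when the
 * request would read past the source allocation or overflow the
 * destination.  The unchecked memcpy alone is exactly the pattern
 * AddressSanitizer reports as "heap-buffer-overflow ... READ". */
static int copy_frame_checked(const uint8_t *src, size_t alloc_len,
			      size_t offset, size_t want,
			      uint8_t *out, size_t out_len)
{
	if (!access_in_bounds(alloc_len, offset, want))
		return -1;
	if (want > out_len)
		return -1;
	memcpy(out, src + offset, want);
	return (int)want;
}

/* Numbers from the report: a 288-byte region and a 5-byte read. */
#define REGION_LEN 288
#define READ_LEN   5

/* Replays the report's geometry against the checked copy.
 * Returns the rc of the overrunning request (-1 when rejected),
 * or -2 if the constructed buffer could not be allocated. */
static int demo_report_geometry(void)
{
	uint8_t *region = calloc(1, REGION_LEN);	/* constructed sample buffer */
	uint8_t out[READ_LEN];
	int rc;

	if (!region)
		return -2;
	/* 5 bytes starting 0 bytes to the right of the region: rejected. */
	rc = copy_frame_checked(region, REGION_LEN, REGION_LEN, READ_LEN,
				out, sizeof(out));
	free(region);
	return rc;
}

int main(void)
{
	int rc = demo_report_geometry();
	printf("read of %d bytes at end of %d-byte region: rc=%d (%s)\n",
	       READ_LEN, REGION_LEN, rc,
	       rc < 0 ? "rejected" : "copied");
	printf("last in-bounds 5-byte read starts at offset %d: %s\n",
	       REGION_LEN - READ_LEN,
	       access_in_bounds(REGION_LEN, REGION_LEN - READ_LEN, READ_LEN)
	       ? "ok" : "rejected");
	return rc == -1 ? 0 : 1;
}
```

The check is deliberately written as `size <= alloc_len - offset` after confirming `offset <= alloc_len`, because the more natural `offset + size <= alloc_len` can wrap for attacker-controlled lengths and pass the test while still overrunning the buffer.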