Bug #5565 (closed): SMPP ESME heap-use-after-free
Start date: 05/16/2022
% Done: 100%
Description
I'm seeing this when running a custom WIP SMS load test (in TTCN3) when the test exits and disconnects via GSUP/SMPP/etc:
==2277642==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000003ef4 at pc 0x7f3e409cfa8d bp 0x7ffe7f80f8c0 sp 0x7ffe7f80f8b8
READ of size 4 at 0x614000003ef4 thread T0
    #0 0x7f3e409cfa8c in osmo_wqueue_bfd_cb /space/home/laforge/projects/git/libosmocore/src/write_queue.c:61
    #1 0x7f3e409a28a6 in poll_disp_fds /space/home/laforge/projects/git/libosmocore/src/select.c:361
    #2 0x7f3e409a2a33 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:399
    #3 0x7f3e409a2b16 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:455
    #4 0x5556dead072b in main (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x45a72b)
    #5 0x7f3e3d75a7fc in __libc_start_main ../csu/libc-start.c:332
    #6 0x5556deacbe09 in _start (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x455e09)

0x614000003ef4 is located 180 bytes inside of 432-byte region [0x614000003e40,0x614000003ff0)
freed by thread T0 here:
    #0 0x7f3e415bd4d7 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x7f3e3e8d7353 in _tc_free_internal ../../talloc.c:1222
    #2 0x5556decbe988 in esme_destroy (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x648988)
    #3 0x5556decbed1b in smpp_esme_put (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x648d1b)
    #4 0x5556decc8b61 in esme_link_read_cb (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x652b61)
    #5 0x7f3e409cf94d in osmo_wqueue_bfd_cb /space/home/laforge/projects/git/libosmocore/src/write_queue.c:47
    #6 0x7f3e409a28a6 in poll_disp_fds /space/home/laforge/projects/git/libosmocore/src/select.c:361
    #7 0x7f3e409a2a33 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:399
    #8 0x7f3e409a2b16 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:455
    #9 0x5556dead072b in main (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x45a72b)
    #10 0x7f3e3d75a7fc in __libc_start_main ../csu/libc-start.c:332
    #11 0x5556deacbe09 in _start (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x455e09)

previously allocated by thread T0 here:
    #0 0x7f3e415bd7cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f3e3e8d97ef in __talloc_with_prefix ../../talloc.c:783
    #2 0x7f3e3e8da196 in __talloc ../../talloc.c:825
    #3 0x7f3e3e8da196 in _talloc_named_const ../../talloc.c:982
    #4 0x7f3e3e8da196 in _talloc_zero ../../talloc.c:2421
    #5 0x5556decc918e in link_accept_cb (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x65318e)
    #6 0x5556decc9d2b in smsc_fd_cb (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x653d2b)
    #7 0x7f3e409a28a6 in poll_disp_fds /space/home/laforge/projects/git/libosmocore/src/select.c:361
    #8 0x7f3e409a2a33 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:399
    #9 0x7f3e409a2b16 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:455
    #10 0x5556dead072b in main (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x45a72b)
    #11 0x7f3e3d75a7fc in __libc_start_main ../csu/libc-start.c:332
    #12 0x5556deacbe09 in _start (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x455e09)

SUMMARY: AddressSanitizer: heap-use-after-free /space/home/laforge/projects/git/libosmocore/src/write_queue.c:61 in osmo_wqueue_bfd_cb
Related issues
Updated by laforge almost 2 years ago
- Status changed from New to In Progress
- Assignee set to laforge
The problem is most likely that we destroy the esme (and its underlying write_queue) in the read_cb() without returning -EBADF from the wqueue read_cb. This means the code proceeds further down to the OSMO_FD_WRITE case, if something is to be written -> boom.
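The lifetime contract laforge describes, as an added example that is not libosmocore's or osmo-msc's code: a simplified model of a write-queue file-descriptor callback whose read_cb may destroy the owning object. The buggy read_cb destroys the ESME and returns 0, so the dispatcher continues into the write branch and touches the destroyed object; the fixed read_cb returns -EBADF and the dispatcher bails out first. The struct, the `destroyed` flag and the dispatch result codes are constructed for the example; the flag stands in for freed memory so the check can report the use-after-free instead of triggering one.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for an ESME with its write queue (not the real struct). */
struct esme {
    int pending_writes;   /* stands in for the queue's list of messages to send */
    bool destroyed;       /* set by esme_destroy(); models memory that was freed */
};

enum dispatch_result { DISPATCH_OK = 0, DISPATCH_WROTE = 1, DISPATCH_UAF = 2 };

/* Marks the object destroyed instead of calling free(), so a later access can
 * be detected and reported rather than being undefined behaviour. */
static void esme_destroy(struct esme *e) { e->destroyed = true; }

/* Buggy pattern from the report: destroy on disconnect but return 0. */
static int read_cb_buggy(struct esme *e) { esme_destroy(e); return 0; }

/* Fixed pattern: return -EBADF so the caller stops using the object. */
static int read_cb_fixed(struct esme *e) { esme_destroy(e); return -EBADF; }

/* Models the OSMO_FD_READ / OSMO_FD_WRITE handling of a write-queue callback. */
static enum dispatch_result wqueue_dispatch(struct esme *e, bool readable, bool writable,
                                            int (*read_cb)(struct esme *))
{
    if (readable) {
        int rc = read_cb(e);
        if (rc == -EBADF)
            return DISPATCH_OK;   /* object is gone; nothing below may touch it */
    }
    if (writable) {
        /* Corresponds to the READ at write_queue.c:61 in the ASan report. */
        if (e->destroyed)
            return DISPATCH_UAF;
        if (e->pending_writes > 0) {
            e->pending_writes--;
            return DISPATCH_WROTE;
        }
    }
    return DISPATCH_OK;
}

/* Runs one readable/writable combination against a fresh object. */
static enum dispatch_result run_scenario(int (*read_cb)(struct esme *), bool readable, bool writable)
{
    struct esme e = { .pending_writes = 1, .destroyed = false };
    return wqueue_dispatch(&e, readable, writable, read_cb);
}
```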
Updated by laforge almost 2 years ago
- % Done changed from 0 to 80
Updated by laforge almost 2 years ago
- Related to Bug #3278: Disconnected ESME socket leaves esme entry in smsc->esme_list added
Updated by laforge almost 2 years ago
- Status changed from In Progress to Resolved
- % Done changed from 80 to 100
Applied in changeset osmo-msc|022193da73230fba5c65599fedcba606b71f9928.