Bug #5931 (open): heap-use-after-free when osmo_stream_srv_destroy() is called inside read_cb()
Start date: 03/02/2023
% Done: 0%
Description
This can happen in the ipa-stream-server example if the client disconnects unexpectedly (i.e. while there is still data the server wants to send).
<0003> stream.c:1542 message received
<0000> ipa-stream-server.c:53 received message from stream
<0003> stream.c:1864 connection closed with client
<0000> ipa-stream-server.c:61 cannot receive message
=================================================================
==2103936==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000d58 at pc 0x7f2196d84d24 bp 0x7ffe1b9f4330 sp 0x7ffe1b9f4328
READ of size 8 at 0x611000000d58 thread T0
    #0 0x7f2196d84d23 in llist_empty /home/daniel/local/osmo-master/include/osmocom/core/linuxlist.h:171
    #1 0x7f2196d84d23 in osmo_stream_srv_write /home/daniel/scm/osmo/libosmo-netif/src/stream.c:1563
    #2 0x7f2196d859f7 in osmo_stream_srv_cb /home/daniel/scm/osmo/libosmo-netif/src/stream.c:1629
    #3 0x7f219658cbfd in poll_disp_fds /home/daniel/scm/osmo/libosmocore/src/core/select.c:361
    #4 0x7f219658ccfd in _osmo_select_main /home/daniel/scm/osmo/libosmocore/src/core/select.c:399
    #5 0x7f219658cda6 in osmo_select_main /home/daniel/scm/osmo/libosmocore/src/core/select.c:438
    #6 0x5584fc1c390c in main /home/daniel/scm/osmo/libosmo-netif/examples/ipa-stream-server.c:130
    #7 0x7f2195a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f2195a46244 in __libc_start_main_impl ../csu/libc-start.c:381
    #9 0x5584fc1c3240 in _start (/home/daniel/scm/osmo/libosmo-netif/examples/.libs/ipa-stream-server+0x2240)

0x611000000d58 is located 152 bytes inside of 200-byte region [0x611000000cc0,0x611000000d88)
freed by thread T0 here:
    #0 0x7f2196eb76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f21974fa5b1 (/lib/x86_64-linux-gnu/libtalloc.so.2+0x45b1)
    #2 0x5584fc1c34c7 in read_cb /home/daniel/scm/osmo/libosmo-netif/examples/ipa-stream-server.c:62
    #3 0x7f2196d78877 in osmo_stream_srv_read /home/daniel/scm/osmo/libosmo-netif/src/stream.c:1550
    #4 0x7f2196d859df in osmo_stream_srv_cb /home/daniel/scm/osmo/libosmo-netif/src/stream.c:1627
    #5 0x7f219658cbfd in poll_disp_fds /home/daniel/scm/osmo/libosmocore/src/core/select.c:361
    #6 0x7f219658ccfd in _osmo_select_main /home/daniel/scm/osmo/libosmocore/src/core/select.c:399
    #7 0x7f219658cda6 in osmo_select_main /home/daniel/scm/osmo/libosmocore/src/core/select.c:438
    #8 0x5584fc1c390c in main /home/daniel/scm/osmo/libosmo-netif/examples/ipa-stream-server.c:130
    #9 0x7f2195a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f2196eb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f21974fbe3d (/lib/x86_64-linux-gnu/libtalloc.so.2+0x5e3d)

SUMMARY: AddressSanitizer: heap-use-after-free /home/daniel/local/osmo-master/include/osmocom/core/linuxlist.h:171 in llist_empty
osmo_stream_srv_destroy() frees the whole conn, but osmo_stream_srv_cb() may still call osmo_stream_srv_write(conn) after osmo_stream_srv_read() (and thereby the user's read_cb()) returns, so the write path dereferences memory that read_cb() has already released.
We need to guard against this and defer the actual freeing of the conn while we are still inside a callback.
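The deferred-destroy guard that the previous sentence asks for, sketched as an added C example (this is not libosmo-netif code; struct conn, conn_destroy(), conn_dispatch() and run_once() are invented stand-ins for the real conn, osmo_stream_srv_destroy() and osmo_stream_srv_cb()): an in_cb flag makes a destroy requested inside a callback only mark the conn, and the dispatcher frees it after the callback returns, before the write path could touch it.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for the stream server connection, not libosmo-netif's struct. */
struct conn {
	bool in_cb;            /* set while the dispatcher is inside a user callback */
	bool destroy_pending;  /* destroy was requested from inside that callback */
	int tx_queued;         /* messages still waiting to be written */
	void (*read_cb)(struct conn *c);
};
static int g_freed;    /* conns actually released */
static int g_written;  /* messages sent by the write path */

static void conn_free(struct conn *c) { g_freed++; free(c); }

/* osmo_stream_srv_destroy() with the guard the report asks for: inside a
 * callback only mark the conn; the dispatcher frees it once the callback returns. */
void conn_destroy(struct conn *c)
{
	if (c->in_cb) { c->destroy_pending = true; return; }
	conn_free(c);
}

/* osmo_stream_srv_cb() shape: read (runs read_cb), then write. The pending
 * check sits between them, before conn would be dereferenced again. */
void conn_dispatch(struct conn *c, bool readable, bool writable)
{
	c->in_cb = true;
	if (readable) c->read_cb(c);      /* may call conn_destroy(c) */
	c->in_cb = false;
	if (c->destroy_pending) { conn_free(c); return; }  /* deferred free; c is dead now */
	if (writable && c->tx_queued > 0) { c->tx_queued--; g_written++; }
}

/* read_cb mirroring the example server: peer gone, tear the conn down. */
static void read_cb_disconnect(struct conn *c) { conn_destroy(c); }
static void read_cb_keep(struct conn *c) { (void)c; }

/* One poll iteration with one queued message; returns messages written (-1 on OOM). */
int run_once(bool client_disconnects)
{
	struct conn *c = calloc(1, sizeof(*c));
	if (!c) return -1;
	g_freed = g_written = 0;
	c->tx_queued = 1;
	c->read_cb = client_disconnects ? read_cb_disconnect : read_cb_keep;
	conn_dispatch(c, true, true);
	if (!client_disconnects) conn_destroy(c); /* outside a callback: freed at once */
	return g_written;
}
```

With the disconnecting client the conn is freed exactly once and the queued message is never written; without the guard the same iteration would reach the write path on freed memory, which is what ASan reported above.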