Project

General

Profile

Actions
Copy link

Bug #6264

closed

osmo_iofd_write_msgb unconditionally dereferences io_ops.write_cb

Added by laforge 5 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
daniel
Category:
-
Target version:
-
Start date:
11/20/2023
Due date:
% Done:

100%

Spec Reference:
Tags:
osmo_io

Description

int osmo_iofd_write_msgb(struct osmo_io_fd *iofd, struct msgb *msg)
{
        int rc;

        if (OSMO_UNLIKELY(!iofd->io_ops.write_cb)) {
                LOGPIO(iofd, LOGL_ERROR, "write_cb not set, Rejecting msgb\n");
                return -EINVAL;
        }

Unlike the sendto variant, there's no OSMO_ASSERT for the correct mode...

int osmo_iofd_sendto_msgb(struct osmo_io_fd *iofd, struct msgb *msg, int sendto_flags, const struct osmo_sockaddr *dest)
{  
        int rc; 

        OSMO_ASSERT(iofd->mode == OSMO_IO_FD_MODE_RECVFROM_SENDTO);
        if (OSMO_UNLIKELY(!iofd->io_ops.sendto_cb)) {
                LOGPIO(iofd, LOGL_ERROR, "sendto_cb not set, Rejecting msgb\n");
                return -EINVAL;
        }

Related issues

Related to libosmo-sccp + libosmo-sigtran - Bug #6262: use-after-free when io_uring backend is usedResolvedjolly11/20/2023

Actions
Actions
Copy link
 #1

Updated by laforge 5 months ago

  • Related to Bug #6262: use-after-free when io_uring backend is used added
Actions
Copy link
 #2

Updated by daniel 5 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 60
Actions
Copy link
 #3

Updated by daniel 5 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 60 to 100
Actions
Copy link

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)