Skip to content

Commit

Permalink
Fix double free during RAU with unexpected Old RAI
Browse files Browse the repository at this point in the history
If an MS which had an MMCTX at the SGSN sent RAU update with an
unexpected Old RA field, the RAU was rejected and LLME (LLC layer)
unassigned (freed), because no MMCTX was found matching the wrong old
RA.
However, an MMCTX may actually exist pointing to that LLME, and hence
when the LLME is freed, it stayed unnoticed with a dangling pointer to
the freed LLME in ctx->gb.llme.
Let's try to harder to avoid this kind of bugs which make osmo-sgsn
crash.

Once we properly split the code into separate independent layers (LLC,
MMCTX, etc.) each holding their own structs, this kind of bugs shouldn't
happen anymore.

Related: OS#6441
Change-Id: I5a4328c6e945b85dd815215724feecadba59c435
  • Loading branch information
pespin committed Aug 19, 2024
1 parent 140017e commit 868d818
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 0 deletions.
1 change: 1 addition & 0 deletions include/osmocom/sgsn/mmctx.h
Original file line number Diff line number Diff line change
Expand Up @@ -257,6 +257,7 @@ struct sgsn_mm_ctx *sgsn_mm_ctx_by_tlli(uint32_t tlli,
struct sgsn_mm_ctx *sgsn_mm_ctx_by_ptmsi(uint32_t tmsi);
struct sgsn_mm_ctx *sgsn_mm_ctx_by_imsi(const char *imsi);
struct sgsn_mm_ctx *sgsn_mm_ctx_by_ue_ctx(const void *uectx);
struct sgsn_mm_ctx *sgsn_mm_ctx_by_llme(const struct gprs_llc_llme *llme);

/* look-up by matching TLLI and P-TMSI (think twice before using this) */
struct sgsn_mm_ctx *sgsn_mm_ctx_by_tlli_and_ptmsi(uint32_t tlli,
Expand Down
15 changes: 15 additions & 0 deletions src/sgsn/gprs_gmm.c
Original file line number Diff line number Diff line change
Expand Up @@ -1748,6 +1748,21 @@ static int gsm48_rx_gmm_ra_upd_req(struct sgsn_mm_ctx *mmctx, struct msgb *msg,
* in the MS */
LOGGBP(llme, DMM, LOGL_NOTICE, "LLC XID RESET\n");
gprs_llgmm_reset_oldmsg(msg, GPRS_SAPI_GMM, llme);

/* The RAU didn't come from expected TLLI+RAI, so it's for sure bad and should be rejected.
* In any case, before unassigning (freeing) the LLME during the REJECT below, make sure
* beforehand that if there's an mmctx relating to that llme it is also freed.
* Otherwise it would be kept pointining at a dangling freed llme object.
*/
mmctx = sgsn_mm_ctx_by_llme(llme);
if (mmctx) {
char old_ra_id_name[32];
osmo_rai_name_buf(old_ra_id_name, sizeof(old_ra_id_name), &old_ra_id);
LOGMMCTXP(LOGL_NOTICE, mmctx,
"Rx RA Update Request with unexpected TLLI=%08x Old RA=%s (expected Old RA: %s)!\n",
msgb_tlli(msg), old_ra_id_name, osmo_rai_name(&mmctx->ra));
/* mmctx will be released (and its llme un assigned) after REJECT below. */
}
}
/* The MS has to perform GPRS attach */
/* Device is still IMSI attached for CS but initiate GPRS ATTACH,
Expand Down
15 changes: 15 additions & 0 deletions src/sgsn/mmctx.c
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,21 @@ struct sgsn_mm_ctx *sgsn_mm_ctx_by_ue_ctx(const void *uectx)
return NULL;
}


/* look-up an SGSN MM context based on Gb LLME context (struct gprs_llc_llme)*/
struct sgsn_mm_ctx *sgsn_mm_ctx_by_llme(const struct gprs_llc_llme *llme)
{
struct sgsn_mm_ctx *ctx;

llist_for_each_entry (ctx, &sgsn->mm_list, list) {
if (ctx->ran_type == MM_CTX_T_GERAN_Gb
&& llme == ctx->gb.llme)
return ctx;
}

return NULL;
}

/* look-up a SGSN MM context based on TLLI + RAI */
struct sgsn_mm_ctx *sgsn_mm_ctx_by_tlli(uint32_t tlli,
const struct gprs_ra_id *raid)
Expand Down

0 comments on commit 868d818

Please sign in to comment.