Bug #3643

osmo-pcu NULL-pointer dereference after socket bind failure

Added by stsp 12 days ago. Updated 10 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Target version:
-
Start date:
10/10/2018
Due date:
% Done:

0%

Spec Reference:

Description

osmo-pcu can crash in the following way if it cannot bind to a particular port:

<000e> telnet_interface.c:104 telnet at 127.0.0.1 4240
<0001> osmobts_sock.cpp:248 Opening OsmoPCU L1 interface to OsmoBTS
<0001> osmobts_sock.cpp:311 osmo-bts PCU socket /tmp/pcu_bts has been connected
<0001> osmobts_sock.cpp:315 Sending version 0.5.1.6-07612-dirty to BTS.
<0001> pcu_l1_if.cpp:113 Sending 0.5.1.6-07612-dirty TXT as PCU_VERSION to BTS
<0001> pcu_l1_if.cpp:443 BTS available
<000b> gprs_ns.c:266 NSVCI=65534 Creating NS-VC
<000e> socket.c:228 unable to bind socket: 0.0.0.0:23000: Address already in use
<000e> socket.c:237 no suitable local addr found for: 0.0.0.0:23000
<000b> gprs_ns.c:1622 Listening for nsip packets from 127.0.0.1:23020 on 0.0.0.0:23000
<000c> gprs_bssgp_pcu.cpp:912 Failed to create socket
../include/osmocom/core/linuxlist.h:114:13: runtime error: member access within null pointer of type 'struct llist_head'
ASAN:DEADLYSIGNAL
=================================================================
==25074==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7ff61ceb5981 bp 0x7ffc629c4a30 sp 0x7ffc629c4a20 T0)
==25074==The signal is caused by a WRITE memory access.
==25074==Hint: address points to the zero page.
    #0 0x7ff61ceb5980 in __llist_del ../include/osmocom/core/linuxlist.h:114
    #1 0x7ff61ceb5a8f in llist_del ../include/osmocom/core/linuxlist.h:126
    #2 0x7ff61ceb621e in osmo_fd_unregister /home/stsp/osmo/libosmocore/src/select.c:140
    #3 0x7ff61dc42d7f in gprs_ns_close /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1484
    #4 0x7ff61dc42df0 in gprs_ns_destroy /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1497
    #5 0x55a2be9b7b04 in gprs_bssgp_create_and_connect(gprs_rlcmac_bts*, unsigned short, unsigned int, unsigned short, unsigned short, unsigned short, unsigned short, unsigned short, unsigned short, bool, unsigned short, unsigned short, unsigned short) /home/stsp/osmo/osmo-pcu/src/gprs_bssgp_pcu.cpp:913
    #6 0x55a2be9bb2ed in pcu_rx_info_ind /home/stsp/osmo/osmo-pcu/src/pcu_l1_if.cpp:495
    #7 0x55a2be9bb95c in pcu_rx(unsigned char, gsm_pcu_if*) /home/stsp/osmo/osmo-pcu/src/pcu_l1_if.cpp:626
    #8 0x55a2be9b0736 in pcu_sock_read /home/stsp/osmo/osmo-pcu/src/osmobts_sock.cpp:162
    #9 0x55a2be9b0960 in pcu_sock_cb /home/stsp/osmo/osmo-pcu/src/osmobts_sock.cpp:229
    #10 0x7ff61ceb7573 in osmo_fd_disp_fds /home/stsp/osmo/libosmocore/src/select.c:217
    #11 0x7ff61ceb7874 in osmo_select_main /home/stsp/osmo/libosmocore/src/select.c:257
    #12 0x55a2be986efc in main /home/stsp/osmo/osmo-pcu/src/pcu_main.cpp:337
    #13 0x7ff61c290b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x55a2be9864d9 in _start (/home/stsp/osmo/prefix/bin/osmo-pcu+0x1b4d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../include/osmocom/core/linuxlist.h:114 in __llist_del
==25074==ABORTING
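The trace above ends in __llist_del, reached from osmo_fd_unregister during NS teardown after the bind had failed. The following is an added illustration, not code from libosmocore or osmo-pcu and not the content of the linked patch: a minimal Linux-style intrusive list in the shape of linuxlist.h, an osmo_fd-like descriptor that is zero-initialised and therefore has NULL list pointers until it is registered, and a guarded unregister that refuses to unlink a never-registered node. All names (my_fd, fd_register, fd_unregister_checked, nsip_setup_and_teardown) are constructed for this example. The observation that a WRITE to address 0x8 is what one gets from `next->prev = prev` with a NULL `next` on a 64-bit build (prev sits at offset 8) is an inference from the struct layout, not something the report states.

```c
/* Added example (not libosmocore/osmo-pcu code): why unlinking a node that was
 * never linked dereferences NULL, and the registration check that avoids it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct llist_head {
	struct llist_head *next, *prev;
};

#define LLIST_HEAD_INIT(name) { &(name), &(name) }

static void llist_add(struct llist_head *item, struct llist_head *head)
{
	struct llist_head *next = head->next;
	next->prev = item;
	item->next = next;
	item->prev = head;
	head->next = item;
}

/* Same shape as the faulting frame in the report: if 'next' is NULL, the
 * first store writes to offset 8 of the zero page. */
static void __llist_del(struct llist_head *prev, struct llist_head *next)
{
	next->prev = prev;
	prev->next = next;
}

static void llist_del(struct llist_head *entry)
{
	__llist_del(entry->prev, entry->next);
	entry->next = NULL;
	entry->prev = NULL;
}

static int llist_count(const struct llist_head *head)
{
	int n = 0;
	for (const struct llist_head *p = head->next; p != head; p = p->next)
		n++;
	return n;
}

/* Constructed stand-in for an osmo_fd: zero-initialised, so list.next and
 * list.prev stay NULL until fd_register() links it into the global list. */
struct my_fd {
	int fd;
	struct llist_head list;
};

static struct llist_head g_fd_list = LLIST_HEAD_INIT(g_fd_list);

static void fd_register(struct my_fd *f)
{
	llist_add(&f->list, &g_fd_list);
}

/* True when the node is not linked anywhere; llist_del() on such a node
 * would write through a NULL pointer (the crash in the report). */
static bool llist_unlinked(const struct llist_head *e)
{
	return e->next == NULL || e->prev == NULL;
}

/* Guarded unregister: only unlink what was actually registered. */
static int fd_unregister_checked(struct my_fd *f)
{
	if (llist_unlinked(&f->list))
		return -1;
	llist_del(&f->list);
	return 0;
}

/* Mirrors the failing path: create the descriptor, register it only if the
 * (simulated) bind succeeded, then tear down unconditionally.
 * Returns 0 when teardown found a registered fd, -1 when there was none. */
static int nsip_setup_and_teardown(bool bind_succeeds)
{
	struct my_fd entry = { .fd = -1 };	/* list pointers are NULL here */
	if (bind_succeeds) {
		entry.fd = 42;			/* pretend socket()+bind() worked */
		fd_register(&entry);
	}
	/* An unguarded llist_del(&entry.list) would fault when bind failed. */
	return fd_unregister_checked(&entry);
}

/* Unregistering twice must also be harmless: llist_del() clears the
 * pointers, so the second call sees an unlinked node and returns -1. */
static int double_unregister_result(void)
{
	struct my_fd entry = { .fd = 7 };
	fd_register(&entry);
	fd_unregister_checked(&entry);
	return fd_unregister_checked(&entry);
}

int main(void)
{
	printf("bind ok:     unregister -> %d\n", nsip_setup_and_teardown(true));
	printf("bind failed: unregister -> %d\n", nsip_setup_and_teardown(false));
	printf("fds still registered: %d\n", llist_count(&g_fd_list));
	return 0;
}
```

The defensive point is the same whichever layer carries the check: a teardown path that runs after a partially failed setup must not assume every resource was created. Under AddressSanitizer or UBSan the unguarded variant is caught immediately; without them the NULL write would show up as a plain SIGSEGV when a port is already in use.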

History

#1 Updated by stsp 12 days ago

This patch to libosmocore fixes the problem: https://gerrit.osmocom.org/c/libosmocore/+/11300

<000e> telnet_interface.c:104 telnet at 127.0.0.1 4240
<0001> osmobts_sock.cpp:248 Opening OsmoPCU L1 interface to OsmoBTS
<0001> osmobts_sock.cpp:311 osmo-bts PCU socket /tmp/pcu_bts has been connected
<0001> osmobts_sock.cpp:315 Sending version 0.5.1.6-07612-dirty to BTS.
<0001> pcu_l1_if.cpp:113 Sending 0.5.1.6-07612-dirty TXT as PCU_VERSION to BTS
<0001> pcu_l1_if.cpp:443 BTS available
<000b> gprs_ns.c:266 NSVCI=65534 Creating NS-VC
<000e> socket.c:228 unable to bind socket: 0.0.0.0:23000: Address already in use
<000e> socket.c:237 no suitable local addr found for: 0.0.0.0:23000
<000b> gprs_ns.c:1622 Listening for nsip packets from 127.0.0.1:23020 on 0.0.0.0:23000
<000c> gprs_bssgp_pcu.cpp:912 Failed to create socket
<0001> pcu_l1_if.cpp:501 SGSN not available

#2 Updated by stsp 10 days ago

  • Status changed from New to Resolved

Above patch has been merged.
