https://osmocom.org/
2019-07-09T19:39:54Z
Open Source Mobile Communications
OpenBSC - Bug #4094: multiple crashes due to connection failures / drops
https://osmocom.org/issues/4094?journal_id=15099
2019-07-09T19:39:54Z
Hoernchen
<p>The first free happens within the same call of ipaccess_sign_link_down as the second erroneous free.<br /><pre>
<0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:39984
<0015> ipa.c:481 Cannot send ID_ACK message. Reason: Broken pipe
<0015> input/ipaccess.c:154 Unexpected return from ipa_ccm_rcvmsg_base (ret=-32)
<0015> input/ipaccess.c:440 failed to send A-bis IPA signalling message. Reason: Broken pipe
<0015> input/ipaccess.c:87 Forcing socket shutdown with no signal link set
<0015> bts_ipaccess_nanobts.c:416 (bts=0) Dropping OML link: link down
<0015> bts_ipaccess_nanobts.c:397 (bts=0,trx=0) Dropping RSL link: OML link drop
=================================================================
==22092==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00000caa8 at pc 0x7ffff592a5cd bp 0x7fffffffd510 sp 0x7fffffffd500
WRITE of size 8 at 0x62e00000caa8 thread T0
#0 0x7ffff592a5cc in __llist_del /usr/local/include/osmocom/core/linuxlist.h:117
#1 0x7ffff592a6e3 in llist_del /usr/local/include/osmocom/core/linuxlist.h:129
#2 0x7ffff592def4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:551
#3 0x5555559cdb82 in ipaccess_drop_rsl /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:398
#4 0x5555559cdfda in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:423
#5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612
#6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98
#7 0x7ffff594af22 in __handle_ts1_write input/ipaccess.c:457
#8 0x7ffff594aff9 in handle_ts1_write input/ipaccess.c:466
#9 0x7ffff594b106 in ipaccess_fd_cb input/ipaccess.c:484
#10 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
#11 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
#12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
#13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#14 0x5555558e7109 in _start (/usr/local/bin/osmo-bsc+0x393109)
0x62e00000caa8 is located 1704 bytes inside of 48080-byte region [0x62e00000c400,0x62e000017fd0)
freed by thread T0 here:
#0 0x7ffff6ef87b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
#1 0x7ffff67e114f in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7b14f)
#2 0x7ffff592d7c1 in e1inp_line_put /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:448
#3 0x7ffff592e2f4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:563
#4 0x5555559cde54 in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:417
#5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612
#6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98
#7 0x7ffff594af22 in __handle_ts1_write input/ipaccess.c:457
#8 0x7ffff594aff9 in handle_ts1_write input/ipaccess.c:466
#9 0x7ffff594b106 in ipaccess_fd_cb input/ipaccess.c:484
#10 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
#11 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
#12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
#13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
previously allocated by thread T0 here:
#0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7ffff67f38f5 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8d8f5)
#2 0x7ffff592cec2 in e1inp_line_clone /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:392
#3 0x7ffff594bc8d in ipaccess_bsc_oml_cb input/ipaccess.c:569
#4 0x7ffff59425ab in ipa_server_fd_cb input/ipa.c:272
#5 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
#6 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
#7 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
#8 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/include/osmocom/core/linuxlist.h:117 in __llist_del
==22092==ABORTING
</pre></p>
OpenBSC - Bug #4094: multiple crashes due to connection failures / drops
https://osmocom.org/issues/4094?journal_id=15100
2019-07-09T19:40:46Z
Hoernchen
<pre>
<0004> abis_nm.c:472 BTS0 reported variant: omso-bts-trx
<0004> abis_nm.c:494 BTS0 Attribute Manufacturer Dependent State is unreported
<0004> abis_nm.c:560 OC=BASEBAND-TRANSCEIVER(04) INST=(00,00,ff): BTS0: ARI reported sw[0/1]: TRX_PHY_VERSION is Unknown
<0004> abis_nm.c:2884 (bts=0,trx=0) IPA RSL CONNECT IP=0.0.0.0 PORT=3003 STREAM=0x00
<0015> input/ipa.c:270 0.0.0.0:3003 accept()ed new link from 127.0.0.1:59734
<0003> osmo_bsc_main.c:285 bootstrapping RSL for BTS/TRX (0/0) on ARFCN 871 using MCC-MNC 001-01 LAC=1 CID=0 BSIC=63
<0000> chan_alloc.c:128 (bts=0) bogus channel load sample (used=0 / total=0)
<0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:40070
<0015> ipa.c:481 Cannot send ID_ACK message. Reason: Broken pipe
<0015> input/ipaccess.c:154 Unexpected return from ipa_ccm_rcvmsg_base (ret=-32)
<0015> input/ipaccess.c:87 Forcing socket shutdown with no signal link set
<0015> bts_ipaccess_nanobts.c:416 (bts=0) Dropping OML link: link down
<0015> bts_ipaccess_nanobts.c:397 (bts=0,trx=0) Dropping RSL link: OML link drop
=================================================================
==23613==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00003caa8 at pc 0x7ffff592a5cd bp 0x7fffffffd460 sp 0x7fffffffd450
WRITE of size 8 at 0x62e00003caa8 thread T0
#0 0x7ffff592a5cc in __llist_del /usr/local/include/osmocom/core/linuxlist.h:117
#1 0x7ffff592a6e3 in llist_del /usr/local/include/osmocom/core/linuxlist.h:129
#2 0x7ffff592def4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:551
#3 0x5555559cdb82 in ipaccess_drop_rsl /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:398
#4 0x5555559cdfda in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:423
#5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612
#6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98
#7 0x7ffff5947581 in ipa_bsc_keepalive_timeout_cb input/ipaccess.c:116
#8 0x7ffff5945f95 in ipa_ka_fsm_timer_cb input/ipa_keepalive.c:162
#9 0x7ffff5c9ac05 in fsm_tmr_cb /home/phi/sysmo/lime/libosmocore/src/fsm.c:287
#10 0x7ffff5c83c30 in osmo_timers_update /home/phi/sysmo/lime/libosmocore/src/timer.c:257
#11 0x7ffff5c86939 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:260
#12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
#13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#14 0x5555558e7109 in _start (/usr/local/bin/osmo-bsc+0x393109)
0x62e00003caa8 is located 1704 bytes inside of 48080-byte region [0x62e00003c400,0x62e000047fd0)
freed by thread T0 here:
#0 0x7ffff6ef87b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
#1 0x7ffff67e114f in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7b14f)
#2 0x7ffff592d7c1 in e1inp_line_put /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:448
#3 0x7ffff592e2f4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:563
#4 0x5555559cde54 in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:417
#5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612
#6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98
#7 0x7ffff5947581 in ipa_bsc_keepalive_timeout_cb input/ipaccess.c:116
#8 0x7ffff5945f95 in ipa_ka_fsm_timer_cb input/ipa_keepalive.c:162
#9 0x7ffff5c9ac05 in fsm_tmr_cb /home/phi/sysmo/lime/libosmocore/src/fsm.c:287
#10 0x7ffff5c83c30 in osmo_timers_update /home/phi/sysmo/lime/libosmocore/src/timer.c:257
#11 0x7ffff5c86939 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:260
#12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
#13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
previously allocated by thread T0 here:
#0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7ffff67f38f5 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8d8f5)
#2 0x7ffff592cec2 in e1inp_line_clone /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:392
#3 0x7ffff594bc8d in ipaccess_bsc_oml_cb input/ipaccess.c:569
#4 0x7ffff59425ab in ipa_server_fd_cb input/ipa.c:272
#5 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
#6 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
#7 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
#8 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/include/osmocom/core/linuxlist.h:117 in __llist_del
==23613==ABORTING</pre>
OpenBSC - Bug #4094: multiple crashes due to connection failures / drops
https://osmocom.org/issues/4094?journal_id=15101
2019-07-09T19:41:49Z
Hoernchen
<p>This one is different: ipaccess_sign_link_up instead of ipaccess_sign_link_down; dropping the "old" OML link fails.<br /><pre>
0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:40312
<0007> a_reset.c:106 A-RESET(msc-0)[0x612000004720]{DISC}: (re)sending BSSMAP RESET message...
<0007> osmo_bsc_sigtran.c:101 Sending RESET to MSC: RI=SSN_PC,PC=0.23.1,SSN=BSSAP
<001f> m3ua.c:507 XUA_AS(as-clnt-msc-0)[0x612000003fa0]{AS_INACTIVE}: Event AS-TRANSFER.req not permitted
<0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:40314
<0015> ipa.c:481 Cannot send ID_ACK message. Reason: Broken pipe
<0015> input/ipaccess.c:158 Unexpected return from ipa_ccm_rcvmsg_base (ret=-32)
<0007> a_reset.c:106 A-RESET(msc-0)[0x612000004720]{DISC}: (re)sending BSSMAP RESET message...
<0007> osmo_bsc_sigtran.c:101 Sending RESET to MSC: RI=SSN_PC,PC=0.23.1,SSN=BSSAP
<001f> m3ua.c:507 XUA_AS(as-clnt-msc-0)[0x612000003fa0]{AS_INACTIVE}: Event AS-TRANSFER.req not permitted
<0015> bts_ipaccess_nanobts.c:416 (bts=0) Dropping OML link: new OML link
=================================================================
==28715==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00000c4d0 at pc 0x7ffff592a64d bp 0x7fffffffc3a0 sp 0x7fffffffc390
WRITE of size 8 at 0x62e00000c4d0 thread T0
#0 0x7ffff592a64c in __llist_del /usr/local/include/osmocom/core/linuxlist.h:117
#1 0x7ffff592a763 in llist_del /usr/local/include/osmocom/core/linuxlist.h:129
#2 0x7ffff592df74 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:551
#3 0x5555559cde54 in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:417
#4 0x5555559cf465 in ipaccess_sign_link_up /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:540
#5 0x7ffff59481d7 in ipaccess_rcvmsg input/ipaccess.c:197
#6 0x7ffff59499ac in handle_ts1_read input/ipaccess.c:325
#7 0x7ffff594b1d5 in ipaccess_fd_cb input/ipaccess.c:486
#8 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
#9 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
#10 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
#11 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#12 0x5555558e7109 in _start (/usr/local/bin/osmo-bsc+0x393109)
0x62e00000c4d0 is located 208 bytes inside of 48080-byte region [0x62e00000c400,0x62e000017fd0)
freed by thread T0 here:
#0 0x7ffff6ef87b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
#1 0x7ffff67e114f in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7b14f)
#2 0x7ffff592d841 in e1inp_line_put /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:448 <------------------------------------------
#3 0x7ffff5949259 in ipaccess_rcvmsg input/ipaccess.c:287
#4 0x7ffff59499ac in handle_ts1_read input/ipaccess.c:325
#5 0x7ffff594b1d5 in ipaccess_fd_cb input/ipaccess.c:486
#6 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
#7 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
#8 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
#9 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
previously allocated by thread T0 here:
#0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7ffff67f38f5 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8d8f5)
#2 0x7ffff592cf42 in e1inp_line_clone /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:392
#3 0x7ffff594bd7b in ipaccess_bsc_oml_cb input/ipaccess.c:573
#4 0x7ffff594262b in ipa_server_fd_cb input/ipa.c:272
#5 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
#6 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
#7 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
#8 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/include/osmocom/core/linuxlist.h:117 in __llist_del
==28715==ABORTING
</pre></p>
OpenBSC - Bug #4094: multiple crashes due to connection failures / drops
https://osmocom.org/issues/4094?journal_id=15103
2019-07-09T19:45:38Z
Hoernchen
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-2 priority-default closed" href="/issues/3612">Bug #3612</a>: osmo-bts-trx: heap-use-after-free in e1inp_sign_link_destroy</i> added</li></ul>
OpenBSC - Bug #4094: multiple crashes due to connection failures / drops
https://osmocom.org/issues/4094?journal_id=18615
2020-06-08T18:42:26Z
pespin
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul><p>Fixed by:<br /><a class="external" href="https://gerrit.osmocom.org/c/libosmo-abis/+/18730">https://gerrit.osmocom.org/c/libosmo-abis/+/18730</a> e1_input: refcount inc line during e1_sign_link_create, not during line update</p>
<p>Since this ticket is a duplicate of an older one (<a class="issue tracker-1 status-3 priority-2 priority-default closed" title="Bug: osmo-bts-trx: heap-use-after-free in e1inp_sign_link_destroy (Resolved)" href="https://osmocom.org/issues/3612">#3612</a>), I'm closing this one and keeping the other open until the fix is merged.</p>
OpenBSC - Bug #4094: multiple crashes due to connection failures / drops
https://osmocom.org/issues/4094?journal_id=19340
2020-08-13T07:52:26Z
laforge
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-3 priority-high3 closed" href="/issues/4709">Bug #4709</a>: osmo-bts-trx (latest version 1.2.1) crashes in ttcn3-bts-test-latest</i> added</li></ul>