Bug #4457
editing the SCCP address book (global-title) on a running instance may crash the application
Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
03/17/2020
Due date:
% Done:
0%
Spec Reference:
Description
Encountered while crafting examples for the SCCP configuration manual:
OsmoMSC(config-cs7)# sccp-address foo
OsmoMSC(config-cs7-sccpaddr)# routing-indicator GT
OsmoMSC(config-cs7-sccpaddr)# global-title
OsmoMSC(config-cs7-sccpaddr-gt)# digits 1234
OsmoMSC(config-cs7-sccpaddr-gt)# exit
OsmoMSC(config-cs7-sccpaddr)# exit
Connection closed by foreign host.
../../../src/libosmo-sccp/src/osmo_ss7_vty.c:1829:21: runtime error: member access within null pointer of type 'struct osmo_sccp_addr_entry'
!!! Segmentation Fault !!!
info.si_signo = 11
info.si_errno = 0
info.si_code = 1 (SEGV_MAPERR)
info.si_addr = 0x20
Stack trace:
 0: /usr/lib/x86_64-linux-gnu/libasan.so.5(+0xac5fd) [0x7f50b74815fd]
 1: stacktrace(ucontext_t const&)+0x42) [0x7f50b3347fe2]
 2: /usr/lib/titan/libttcn3-dynamic.so(+0x4eb27b) [0x7f50b334827b]
 3: /lib/x86_64-linux-gnu/libpthread.so.0(+0x12730) [0x7f50b3b49730]
 4: /usr/local/lib/libosmo-sigtran.so.5(osmo_ss7_vty_go_parent+0xd0d) [0x7f50b4b6e494]
 5: osmo-msc(+0x385e4c) [0x55acf4420e4c]
 6: /usr/local/lib/libosmovty.so.4(vty_go_parent+0x2ac) [0x7f50b6f67e6f]
 7: /usr/local/lib/libosmovty.so.4(+0x9f578) [0x7f50b6f6d578]
 8: /usr/local/lib/libosmovty.so.4(+0x9befe) [0x7f50b6f69efe]
 9: /usr/local/lib/libosmovty.so.4(cmd_execute_command+0x3aa) [0x7f50b6f6a611]
10: /usr/local/lib/libosmovty.so.4(+0xa95f8) [0x7f50b6f775f8]
11: /usr/local/lib/libosmovty.so.4(+0xace39) [0x7f50b6f7ae39]
12: /usr/local/lib/libosmovty.so.4(vty_read+0x1c6e) [0x7f50b6f8487c]
13: /usr/local/lib/libosmovty.so.4(+0xc0f8e) [0x7f50b6f8ef8e]
14: /usr/local/lib/libosmocore.so.12(osmo_fd_disp_fds+0xd97) [0x7f50b6789da2]
15: /usr/local/lib/libosmocore.so.12(+0xf9184) [0x7f50b678a184]
16: /usr/local/lib/libosmocore.so.12(osmo_select_main_ctx+0x16) [0x7f50b678a320]
17: osmo-msc(+0x3880f7) [0x55acf44230f7]
18: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7f50b399a09b]
19: osmo-msc(+0x384c3a) [0x55acf441fc3a]
Goodbye, cruel world!
=================================================================
==25715==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 163 byte(s) in 20 object(s) allocated from:
    #0 0x7f50b74be330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f50b3348079 in stacktrace(ucontext_t const&) (/usr/lib/titan/libttcn3-dynamic.so+0x4eb079)
SUMMARY: AddressSanitizer: 163 byte(s) leaked in 20 allocation(s).
Segfault happens on line
vty->index = entry->inst;
in
case L_CS7_SCCPADDR_NODE:
	entry = vty->index;
	vty->node = L_CS7_NODE;
	vty->index = entry->inst;
	break;
of osmo_ss7_vty_go_parent()
Updated by neels about 4 years ago
Minimal case:
OsmoMSC> enable
OsmoMSC# configure terminal
OsmoMSC(config)# cs7 instance 0
OsmoMSC(config-cs7)# sccp-address foo
OsmoMSC(config-cs7-sccpaddr)# global-title
OsmoMSC(config-cs7-sccpaddr-gt)# exit
OsmoMSC(config-cs7-sccpaddr)# exit
../../../src/libosmo-sccp/src/osmo_ss7_vty.c:1829:21: runtime error: member access within null pointer of type 'struct osmo_sccp_addr_entry'

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4cf3494 in osmo_ss7_vty_go_parent (vty=0x6140000030a0) at ../../../src/libosmo-sccp/src/osmo_ss7_vty.c:1829
1829			vty->index = entry->inst;
(gdb) bt
#0  0x00007ffff4cf3494 in osmo_ss7_vty_go_parent (vty=0x6140000030a0) at ../../../src/libosmo-sccp/src/osmo_ss7_vty.c:1829
#1  0x00005555558d9e4c in msc_vty_go_parent (vty=0x6140000030a0) at ../../../../src/osmo-msc/src/osmo-msc/msc_main.c:288
#2  0x00007ffff70eae6f in vty_go_parent (vty=0x6140000030a0) at ../../../../src/libosmocore/src/vty/command.c:2180
#3  0x00007ffff70f0578 in config_exit (self=0x7ffff7168660 <config_exit_cmd>, vty=0x6140000030a0, argc=0, argv=0x7fffffffd430) at ../../../../src/libosmocore/src/vty/command.c:2728
#4  0x00007ffff70ecefe in cmd_execute_command_real (vline=0x60b0001b9750, vty=0x6140000030a0, cmd=0x0) at ../../../../src/libosmocore/src/vty/command.c:2349
#5  0x00007ffff70ed611 in cmd_execute_command (vline=0x60b0001b9750, vty=0x6140000030a0, cmd=0x0, vtysh=0) at ../../../../src/libosmocore/src/vty/command.c:2401
#6  0x00007ffff70fa5f8 in vty_command (vty=0x6140000030a0) at ../../../../src/libosmocore/src/vty/vty.c:437
#7  0x00007ffff70fde39 in vty_execute (vty=0x6140000030a0) at ../../../../src/libosmocore/src/vty/vty.c:701
#8  0x00007ffff710787c in vty_read (vty=0x6140000030a0) at ../../../../src/libosmocore/src/vty/vty.c:1427
#9  0x00007ffff7111f8e in client_data (fd=0x6100000025b8, what=1) at ../../../../src/libosmocore/src/vty/telnet_interface.c:154
#10 0x00007ffff690cda2 in osmo_fd_disp_fds (_rset=0x7fffffffe160, _wset=0x7fffffffe200, _eset=0x7fffffffe2a0) at ../../../src/libosmocore/src/select.c:227
#11 0x00007ffff690d184 in _osmo_select_main (polling=0) at ../../../src/libosmocore/src/select.c:265
#12 0x00007ffff690d320 in osmo_select_main_ctx (polling=0) at ../../../src/libosmocore/src/select.c:291
#13 0x00005555558dc0f7 in main (argc=3, argv=0x7fffffffe5b8) at ../../../../src/osmo-msc/src/osmo-msc/msc_main.c:732
(gdb) p entry
$1 = (struct osmo_sccp_addr_entry *) 0x0
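The following is a self-contained model of the failure mode shown in the description and in the minimal case above, added here as an illustration. It is not libosmo-sccp or libosmocore code, and every struct and function name in it is invented. The page shows only that entry is NULL when the sccpaddr node's exit handler runs after leaving the global-title node, not why, so the model simply makes the child node's exit leave the context pointer NULL to reproduce that state, and contrasts it with an exit handler that restores the parent's context explicitly, plus a NULL guard at the crash site so that a bad node stack is reported instead of dereferenced.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical model of a VTY node stack, written for this bug page.
 * Not the libosmocore/libosmo-sccp implementation; names are invented.
 */
enum node_id { CS7_NODE, SCCPADDR_NODE, SCCPADDR_GT_NODE };

struct ss7_inst { int id; };

struct addr_entry {
	const char *name;
	struct ss7_inst *inst;
};

struct vty_model {
	enum node_id node;
	void *index;        /* context object of the current node */
	void *saved_parent; /* hardened variant: parent context kept across a child node */
};

/* 'sccp-address foo' from the cs7 node: descend; index now points at the entry. */
static void enter_sccpaddr(struct vty_model *vty, struct addr_entry *e)
{
	vty->node = SCCPADDR_NODE;
	vty->index = e;
}

/* 'global-title' from the sccpaddr node: descend one level further. */
static void enter_gt(struct vty_model *vty)
{
	vty->saved_parent = vty->index; /* remember the address entry for the way back */
	vty->node = SCCPADDR_GT_NODE;
}

/* 'exit' in the GT node, buggy variant: returns to sccpaddr with index NULL.
 * This reproduces the state seen in the report (entry == NULL at the next exit);
 * how the real code gets there is not established on this page. */
static void gt_exit_clobber(struct vty_model *vty)
{
	vty->node = SCCPADDR_NODE;
	vty->index = NULL;
}

/* 'exit' in the GT node, fixed variant: restore the parent's context explicitly. */
static void gt_exit_restore(struct vty_model *vty)
{
	vty->node = SCCPADDR_NODE;
	vty->index = vty->saved_parent;
}

/* 'exit' in the sccpaddr node: the crash site from the report, with a guard.
 * Returns 0 on success, -1 if the context pointer is missing, instead of dereferencing it. */
static int sccpaddr_exit_guarded(struct vty_model *vty)
{
	struct addr_entry *entry = vty->index;

	vty->node = CS7_NODE;
	if (!entry) {
		fprintf(stderr, "sccpaddr node without address entry; refusing to dereference\n");
		vty->index = NULL;
		return -1;
	}
	vty->index = entry->inst; /* the assignment that segfaults when entry is NULL */
	return 0;
}

/* Replays the minimal case from the report; restore_on_gt_exit selects the GT exit variant.
 * Returns 0 when the final 'exit' lands in the cs7 node with the instance as index, else -1. */
int run_minimal_case(int restore_on_gt_exit)
{
	struct ss7_inst inst = { .id = 0 };
	struct addr_entry foo = { .name = "foo", .inst = &inst }; /* constructed sample entry */
	struct vty_model vty = { .node = CS7_NODE, .index = &inst, .saved_parent = NULL };
	int rc;

	enter_sccpaddr(&vty, &foo);       /* sccp-address foo */
	enter_gt(&vty);                   /* global-title */
	if (restore_on_gt_exit)
		gt_exit_restore(&vty);    /* exit */
	else
		gt_exit_clobber(&vty);    /* exit (buggy) */
	rc = sccpaddr_exit_guarded(&vty); /* exit: the crash site */

	if (rc == 0 && vty.node == CS7_NODE && vty.index == &inst)
		return 0;
	return -1;
}

int main(void)
{
	printf("buggy GT exit:  %d\n", run_minimal_case(0)); /* guard fires, no crash */
	printf("fixed GT exit:  %d\n", run_minimal_case(1));
	return 0;
}
```

The two points the model makes are independent: restoring the parent's context on the way out of the child node removes the NULL, and the guard at the parent's exit turns any remaining inconsistency of the node stack into a logged error rather than a remotely triggerable crash of the telnet VTY.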
Updated by neels about 4 years ago
Since libosmocore I2b32b4fe20732728db6e9cdac7e484d96ab86dc5 http://git.osmocom.org/libosmocore/commit/?id=d31de237582f6fe3315d61bb9a488d4cda92654e
it should be possible to greatly simplify the osmo_ss7_vty_go_parent() -- possibly the bug would go away by that.
By coincidence, the commit log of that patch already suggested a simplification of that very same function.