Bug #2632
closed
osmo-mgw's VTY config modifies the length used for internal endpoints array without reallocating the array
100%
Description
The option 'mgcp' / 'number endpoints 123' currently tells osmo-mgw how many endpoints to keep ready. So far it does so by allocating an array of endpoint structs, upon reading the config file, in mgcp_parse_config().
However, the 'number endpoints' command, when issued on a telnet VTY, will modify g_cfg->trunk.number_endpoints, which is used everywhere as the length indicator for the endpoints array. This VTY command does not reallocate the endpoints array, so it could easily make osmo-mgw believe it had 10000 endpoints even though only 32 have been allocated, and it would happily iterate over that memory it doesn't own.
The first fix is to separately store the configuration gotten from VTY and the actual length of the endpoints array. My preference would also be to keep the allocate_trunk() function outside of mgcp_vty.c, so that the VTY is plain for parsing config items, and the actions are separate ... but that might just be my taste.
A more profound fix would be #2631 -- but until we implement that, this issue here needs to be fixed urgently.
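The first fix described above, as an added C example that is not osmo-mgw's own code: the value received from the VTY and the real length of the endpoints array are stored in separate fields, and allocation lives outside the VTY handler. The struct layout and all function names here are hypothetical.

```c
/* Added illustration: names are hypothetical, not osmo-mgw's own code. */
#include <stdio.h>
#include <stdlib.h>

struct endpoint { unsigned int id; int in_use; };
struct trunk {
    unsigned int vty_number_endpoints; /* value requested via config file or VTY */
    unsigned int number_endpoints;     /* real length of endpoints[] */
    struct endpoint *endpoints;
};

/* VTY handler: records the request only; the array length is untouched. */
void vty_set_number_endpoints(struct trunk *t, unsigned int n)
{
    t->vty_number_endpoints = n;
}

/* Allocation kept apart from VTY parsing. Returns 0 on success, -1 otherwise. */
int trunk_alloc_endpoints(struct trunk *t)
{
    unsigned int i, n = t->vty_number_endpoints;
    if (t->endpoints || n == 0) return -1;   /* refuse to resize a live array */
    t->endpoints = calloc(n, sizeof(*t->endpoints));
    if (!t->endpoints) return -1;
    for (i = 0; i < n; i++)
        t->endpoints[i].id = i;
    t->number_endpoints = n;     /* length changes only with the allocation */
    return 0;
}

/* All iteration is bounded by the allocated length, never the VTY value. */
unsigned int trunk_count_free(const struct trunk *t)
{
    unsigned int i, free_eps = 0;
    for (i = 0; i < t->number_endpoints; i++)
        free_eps += !t->endpoints[i].in_use;
    return free_eps;
}

int main(void)
{
    struct trunk t = {0};
    vty_set_number_endpoints(&t, 32);
    if (trunk_alloc_endpoints(&t)) return 1;
    vty_set_number_endpoints(&t, 10000);     /* later telnet VTY command */
    printf("requested=%u allocated=%u\n", t.vty_number_endpoints, t.number_endpoints);
    free(t.endpoints);
    return 0;
}
```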