
Bug #3181

osmo-msc: heap-use-after-free in smpp_smsc_conf

Added by pespin over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: SMPP Interface
Target version: -
Start date: 04/17/2018
Due date:
% Done: 100%
Resolution:
Spec Reference:

Description

Triggered in all tests run by osmo-gsm-tester since we enabled address sanitizer.

(launched: 2018-04-17_14:59:20.358770)
20180417145920479 DLSS7 <001d> osmo_ss7.c:362 0: Creating SS7 Instance
20180417145920480 DLSS7 <001d> osmo_ss7.c:686 0: Creating Route Table system
20180417145920480 DLSS7 <001d> osmo_ss7.c:1220 0: Restarting ASP asp0
20180417145920480 DLSS7 <001d> osmo_ss7.c:1269 0: ASP Restart for server not implemented yet!
20180417145920480 DLSS7 <001d> fsm.c:299 XUA_ASP(asp0)[0x61200000bc20]{ASP_DOWN}: Allocated
20180417145920480 DLSS7 <001d> osmo_ss7.c:935 0: Creating AS as0
20180417145920481 DLSS7 <001d> fsm.c:299 XUA_AS(as0)[0x61200000b920]{AS_DOWN}: Allocated
20180417145920481 DLSS7 <001d> osmo_ss7.c:967 0: Adding ASP asp0 to AS as0
20180417145920482 DMNCC <0004> msc_main.c:585 Using internal MNCC handler.
20180417145920482 DLGLOBAL <0011> telnet_interface.c:104 telnet at 10.42.42.6 4254
20180417145920482 DSMPP <000c> smpp_smsc.c:1006 SMPP at 10.42.42.6 2775
=================================================================
==20792==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000122610 at pc 0x7f9c9c3fe063 bp 0x7ffd2e68f600 sp 0x7ffd2e68edb0
READ of size 11 at 0x60b000122610 thread T0
    #0 0x7f9c9c3fe062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
    #1 0x7f9c9beb8ee4 in talloc_strdup (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6ee4)
    #2 0x56096a7cf75b in smpp_smsc_conf /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/osmo-msc/src/libmsc/smpp_smsc.c:983
    #3 0x56096a7cf9df in smpp_smsc_start /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/osmo-msc/src/libmsc/smpp_smsc.c:1015
    #4 0x56096a7d4935 in smpp_openbsc_start /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/osmo-msc/src/libmsc/smpp_openbsc.c:785
    #5 0x56096a755ad0 in main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/osmo-msc/src/osmo-msc/msc_main.c:598
    #6 0x7f9c9927b2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x56096a756979 in _start (/home/jenkins/workspace/osmo-gsm-tester_run-prod/trial-805/inst/osmo-msc/bin/osmo-msc+0xf0979)

0x60b000122610 is located 96 bytes inside of 107-byte region [0x60b0001225b0,0x60b00012261b)
freed by thread T0 here:
    #0 0x7f9c9c483a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f9c9beb686a in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x486a)

previously allocated by thread T0 here:
    #0 0x7f9c9c483d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f9c9beb9211 in talloc_strdup (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7211)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062) 
Shadow bytes around the buggy address:
==20792==ABORTING

History

#1 Updated by pespin over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 90

#2 Updated by pespin over 2 years ago

Backport to openbsc available in https://gerrit.osmocom.org/7859

#3 Updated by pespin over 2 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100

Merged, closing.
