Bug #4094

closed

multiple crashes due to connection failures / drops

Added by Hoernchen over 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 07/09/2019
Due date:
% Done: 0%
Resolution:
Spec Reference:

Description

osmo-bsc offers some new and exciting crashes when interfering with rsl/oml connections; they all appear to be related to improper removal of old links from linked lists after a line was e1inp_line_put().


Related issues

Related to OsmoBTS - Bug #3612: osmo-bts-trx: heap-use-after-free in e1inp_sign_link_destroy (Resolved, pespin, 10/02/2018)

Related to OsmoBTS - Bug #4709: osmo-bts-trx (latest version 1.2.1) crashes in ttcn3-bts-test-latest (Resolved, 08/13/2020)
Actions #1

Updated by Hoernchen over 4 years ago

The first free happens within the same call of ipaccess_sign_link_down as the second erroneous free.

<0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:39984
<0015> ipa.c:481 Cannot send ID_ACK message. Reason: Broken pipe
<0015> input/ipaccess.c:154 Unexpected return from ipa_ccm_rcvmsg_base (ret=-32)
<0015> input/ipaccess.c:440 failed to send A-bis IPA signalling message. Reason: Broken pipe
<0015> input/ipaccess.c:87 Forcing socket shutdown with no signal link set
<0015> bts_ipaccess_nanobts.c:416 (bts=0) Dropping OML link: link down
<0015> bts_ipaccess_nanobts.c:397 (bts=0,trx=0) Dropping RSL link: OML link drop
=================================================================
==22092==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00000caa8 at pc 0x7ffff592a5cd bp 0x7fffffffd510 sp 0x7fffffffd500
WRITE of size 8 at 0x62e00000caa8 thread T0
    #0 0x7ffff592a5cc in __llist_del /usr/local/include/osmocom/core/linuxlist.h:117
    #1 0x7ffff592a6e3 in llist_del /usr/local/include/osmocom/core/linuxlist.h:129
    #2 0x7ffff592def4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:551
    #3 0x5555559cdb82 in ipaccess_drop_rsl /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:398
    #4 0x5555559cdfda in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:423
    #5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612
    #6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98
    #7 0x7ffff594af22 in __handle_ts1_write input/ipaccess.c:457
    #8 0x7ffff594aff9 in handle_ts1_write input/ipaccess.c:466
    #9 0x7ffff594b106 in ipaccess_fd_cb input/ipaccess.c:484
    #10 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
    #11 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
    #12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x5555558e7109 in _start (/usr/local/bin/osmo-bsc+0x393109)

0x62e00000caa8 is located 1704 bytes inside of 48080-byte region [0x62e00000c400,0x62e000017fd0)
freed by thread T0 here:
    #0 0x7ffff6ef87b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7ffff67e114f in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7b14f)
    #2 0x7ffff592d7c1 in e1inp_line_put /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:448
    #3 0x7ffff592e2f4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:563
    #4 0x5555559cde54 in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:417
    #5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612
    #6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98
    #7 0x7ffff594af22 in __handle_ts1_write input/ipaccess.c:457
    #8 0x7ffff594aff9 in handle_ts1_write input/ipaccess.c:466
    #9 0x7ffff594b106 in ipaccess_fd_cb input/ipaccess.c:484
    #10 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
    #11 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
    #12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7ffff67f38f5 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8d8f5)
    #2 0x7ffff592cec2 in e1inp_line_clone /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:392
    #3 0x7ffff594bc8d in ipaccess_bsc_oml_cb input/ipaccess.c:569
    #4 0x7ffff59425ab in ipa_server_fd_cb input/ipa.c:272
    #5 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
    #6 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
    #7 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #8 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/include/osmocom/core/linuxlist.h:117 in __llist_del
==22092==ABORTING

Actions #2

Updated by Hoernchen over 4 years ago

<0004> abis_nm.c:472 BTS0 reported variant: omso-bts-trx
<0004> abis_nm.c:494 BTS0 Attribute Manufacturer Dependent State is unreported
<0004> abis_nm.c:560 OC=BASEBAND-TRANSCEIVER(04) INST=(00,00,ff): BTS0: ARI reported sw[0/1]: TRX_PHY_VERSION is Unknown
<0004> abis_nm.c:2884 (bts=0,trx=0) IPA RSL CONNECT IP=0.0.0.0 PORT=3003 STREAM=0x00
<0015> input/ipa.c:270 0.0.0.0:3003 accept()ed new link from 127.0.0.1:59734
<0003> osmo_bsc_main.c:285 bootstrapping RSL for BTS/TRX (0/0) on ARFCN 871 using MCC-MNC 001-01 LAC=1 CID=0 BSIC=63
<0000> chan_alloc.c:128 (bts=0) bogus channel load sample (used=0 / total=0)
<0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:40070
<0015> ipa.c:481 Cannot send ID_ACK message. Reason: Broken pipe
<0015> input/ipaccess.c:154 Unexpected return from ipa_ccm_rcvmsg_base (ret=-32)
<0015> input/ipaccess.c:87 Forcing socket shutdown with no signal link set
<0015> bts_ipaccess_nanobts.c:416 (bts=0) Dropping OML link: link down
<0015> bts_ipaccess_nanobts.c:397 (bts=0,trx=0) Dropping RSL link: OML link drop
=================================================================
==23613==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00003caa8 at pc 0x7ffff592a5cd bp 0x7fffffffd460 sp 0x7fffffffd450
WRITE of size 8 at 0x62e00003caa8 thread T0
    #0 0x7ffff592a5cc in __llist_del /usr/local/include/osmocom/core/linuxlist.h:117
    #1 0x7ffff592a6e3 in llist_del /usr/local/include/osmocom/core/linuxlist.h:129
    #2 0x7ffff592def4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:551
    #3 0x5555559cdb82 in ipaccess_drop_rsl /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:398
    #4 0x5555559cdfda in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:423
    #5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612
    #6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98
    #7 0x7ffff5947581 in ipa_bsc_keepalive_timeout_cb input/ipaccess.c:116
    #8 0x7ffff5945f95 in ipa_ka_fsm_timer_cb input/ipa_keepalive.c:162
    #9 0x7ffff5c9ac05 in fsm_tmr_cb /home/phi/sysmo/lime/libosmocore/src/fsm.c:287
    #10 0x7ffff5c83c30 in osmo_timers_update /home/phi/sysmo/lime/libosmocore/src/timer.c:257
    #11 0x7ffff5c86939 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:260
    #12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x5555558e7109 in _start (/usr/local/bin/osmo-bsc+0x393109)

0x62e00003caa8 is located 1704 bytes inside of 48080-byte region [0x62e00003c400,0x62e000047fd0)
freed by thread T0 here:
    #0 0x7ffff6ef87b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7ffff67e114f in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7b14f)
    #2 0x7ffff592d7c1 in e1inp_line_put /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:448
    #3 0x7ffff592e2f4 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:563
    #4 0x5555559cde54 in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:417
    #5 0x5555559d0bf5 in ipaccess_sign_link_down /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:612
    #6 0x7ffff5947329 in ipaccess_drop input/ipaccess.c:98
    #7 0x7ffff5947581 in ipa_bsc_keepalive_timeout_cb input/ipaccess.c:116
    #8 0x7ffff5945f95 in ipa_ka_fsm_timer_cb input/ipa_keepalive.c:162
    #9 0x7ffff5c9ac05 in fsm_tmr_cb /home/phi/sysmo/lime/libosmocore/src/fsm.c:287
    #10 0x7ffff5c83c30 in osmo_timers_update /home/phi/sysmo/lime/libosmocore/src/timer.c:257
    #11 0x7ffff5c86939 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:260
    #12 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #13 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7ffff67f38f5 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8d8f5)
    #2 0x7ffff592cec2 in e1inp_line_clone /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:392
    #3 0x7ffff594bc8d in ipaccess_bsc_oml_cb input/ipaccess.c:569
    #4 0x7ffff59425ab in ipa_server_fd_cb input/ipa.c:272
    #5 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
    #6 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
    #7 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #8 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/include/osmocom/core/linuxlist.h:117 in __llist_del
==23613==ABORTING

Actions #3

Updated by Hoernchen over 4 years ago

This one is different: ipaccess_sign_link_up instead of ipaccess_sign_link_down; dropping the "old" oml link fails.

<0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:40312
<0007> a_reset.c:106 A-RESET(msc-0)[0x612000004720]{DISC}: (re)sending BSSMAP RESET message...
<0007> osmo_bsc_sigtran.c:101 Sending RESET to MSC: RI=SSN_PC,PC=0.23.1,SSN=BSSAP
<001f> m3ua.c:507 XUA_AS(as-clnt-msc-0)[0x612000003fa0]{AS_INACTIVE}: Event AS-TRANSFER.req not permitted
<0015> input/ipa.c:270 0.0.0.0:3002 accept()ed new link from 127.0.0.1:40314
<0015> ipa.c:481 Cannot send ID_ACK message. Reason: Broken pipe 
<0015> input/ipaccess.c:158 Unexpected return from ipa_ccm_rcvmsg_base (ret=-32) 
<0007> a_reset.c:106 A-RESET(msc-0)[0x612000004720]{DISC}: (re)sending BSSMAP RESET message...
<0007> osmo_bsc_sigtran.c:101 Sending RESET to MSC: RI=SSN_PC,PC=0.23.1,SSN=BSSAP
<001f> m3ua.c:507 XUA_AS(as-clnt-msc-0)[0x612000003fa0]{AS_INACTIVE}: Event AS-TRANSFER.req not permitted
<0015> bts_ipaccess_nanobts.c:416 (bts=0) Dropping OML link: new OML link
=================================================================
==28715==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00000c4d0 at pc 0x7ffff592a64d bp 0x7fffffffc3a0 sp 0x7fffffffc390
WRITE of size 8 at 0x62e00000c4d0 thread T0
    #0 0x7ffff592a64c in __llist_del /usr/local/include/osmocom/core/linuxlist.h:117
    #1 0x7ffff592a763 in llist_del /usr/local/include/osmocom/core/linuxlist.h:129
    #2 0x7ffff592df74 in e1inp_sign_link_destroy /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:551
    #3 0x5555559cde54 in ipaccess_drop_oml /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:417
    #4 0x5555559cf465 in ipaccess_sign_link_up /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:540
    #5 0x7ffff59481d7 in ipaccess_rcvmsg input/ipaccess.c:197
    #6 0x7ffff59499ac in handle_ts1_read input/ipaccess.c:325
    #7 0x7ffff594b1d5 in ipaccess_fd_cb input/ipaccess.c:486
    #8 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
    #9 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
    #10 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #11 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #12 0x5555558e7109 in _start (/usr/local/bin/osmo-bsc+0x393109)

0x62e00000c4d0 is located 208 bytes inside of 48080-byte region [0x62e00000c400,0x62e000017fd0)
freed by thread T0 here:
    #0 0x7ffff6ef87b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7ffff67e114f in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7b14f)
    #2 0x7ffff592d841 in e1inp_line_put /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:448 <------------------------------------------
    #3 0x7ffff5949259 in ipaccess_rcvmsg input/ipaccess.c:287
    #4 0x7ffff59499ac in handle_ts1_read input/ipaccess.c:325
    #5 0x7ffff594b1d5 in ipaccess_fd_cb input/ipaccess.c:486
    #6 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
    #7 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
    #8 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #9 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7ffff67f38f5 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8d8f5)
    #2 0x7ffff592cf42 in e1inp_line_clone /home/phi/sysmo/lime/libosmo-abis/src/e1_input.c:392
    #3 0x7ffff594bd7b in ipaccess_bsc_oml_cb input/ipaccess.c:573
    #4 0x7ffff594262b in ipa_server_fd_cb input/ipa.c:272
    #5 0x7ffff5c86658 in osmo_fd_disp_fds /home/phi/sysmo/lime/libosmocore/src/select.c:223
    #6 0x7ffff5c86959 in osmo_select_main /home/phi/sysmo/lime/libosmocore/src/select.c:263
    #7 0x555555ae65d4 in main /home/phi/sysmo/lime/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #8 0x7ffff413bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/include/osmocom/core/linuxlist.h:117 in __llist_del
==28715==ABORTING

Actions #4

Updated by Hoernchen over 4 years ago

  • Related to Bug #3612: osmo-bts-trx: heap-use-after-free in e1inp_sign_link_destroy added

Actions #5

Updated by pespin almost 4 years ago

  • Status changed from New to Closed

Fixed by:
https://gerrit.osmocom.org/c/libosmo-abis/+/18730 e1_input: refcount inc line during e1_sign_link_create, not during line update

Since this ticket is a duplicate of an older one (#3612), I'm closing this one and keeping the other open until the fix is merged.
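The lifetime bug behind the traces above and the refcounting change named in the Gerrit link, as an added C model written for this page (not libosmo-abis or osmo-bsc code): when the line is only referenced once, the first e1inp_sign_link_destroy frees it while the second link is still on its list, and the second llist_del then writes into freed memory; giving every link its own line reference at create time prevents that. All names and the refcount bookkeeping are simplified stand-ins, and "freed" is tracked with a flag instead of a real free so the replay stays well-defined.

```c
#include <stdbool.h>
#include <stdlib.h>

struct llist_head { struct llist_head *next, *prev; };
struct e1_line {                  /* refcounted line owning its sign links */
    int refcnt;
    bool freed;                   /* stands in for ASan's freed-region poison */
    struct llist_head sign_links;
};

struct sign_link {                /* one OML or RSL link hanging off a line */
    struct llist_head list;       /* linked into line->sign_links */
    struct e1_line *line;
};

static int uaf_writes;            /* llist_del() calls that touch a freed line */
static void line_get(struct e1_line *l) { l->refcnt++; }
/* In the real code a zero refcount means talloc_free(line). */
static void line_put(struct e1_line *l) { if (--l->refcnt == 0) l->freed = true; }

static struct e1_line *line_create(void) {
    struct e1_line *l = calloc(1, sizeof(*l));
    l->sign_links.next = l->sign_links.prev = &l->sign_links;
    l->refcnt = 1;                /* the single reference taken at line update */
    return l;
}

/* ref_per_link=false is the old behaviour: links took no reference of their
 * own, so destroying the first link could already free the line. */
static struct sign_link *sign_link_create(struct e1_line *l, bool ref_per_link) {
    struct sign_link *s = calloc(1, sizeof(*s));
    s->line = l;
    s->list.next = l->sign_links.next; s->list.prev = &l->sign_links;
    l->sign_links.next->prev = &s->list; l->sign_links.next = &s->list;
    if (ref_per_link) line_get(l);
    return s;
}

static void sign_link_destroy(struct sign_link *s) {
    /* __llist_del writes to both neighbours; after the line is freed the list
     * head inside it is freed memory, which is the WRITE ASan reports. */
    if (s->line->freed) uaf_writes++;
    s->list.prev->next = s->list.next; s->list.next->prev = s->list.prev;
    line_put(s->line);            /* e1inp_sign_link_destroy -> e1inp_line_put */
    free(s);
}

/* Replays the traces above: OML link drop, then RSL link drop. Returns the
 * number of writes into a freed line; 0 means the refcounting holds. */
static int replay_link_drop(bool ref_per_link) {
    struct e1_line *l = line_create();
    struct sign_link *oml = sign_link_create(l, ref_per_link);
    struct sign_link *rsl = sign_link_create(l, ref_per_link);
    uaf_writes = 0;
    sign_link_destroy(oml);       /* ipaccess_drop_oml */
    sign_link_destroy(rsl);       /* ipaccess_drop_rsl */
    if (!l->freed) line_put(l);   /* owner's reference, still held in the fixed case */
    free(l);
    return uaf_writes;
}
```

replay_link_drop(false) reports one write into the freed line, matching the first free in ipaccess_drop_oml followed by the crash in ipaccess_drop_rsl; replay_link_drop(true) reports none.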

Actions #6

Updated by laforge over 3 years ago

  • Related to Bug #4709: osmo-bts-trx (latest version 1.2.1) crashes in ttcn3-bts-test-latest added