Bug #5201

use after free during make check in osmo-mgw since commit 'mgcp_ratectr: add stats items to monitor trunk usage'

Added by neels 5 days ago. Updated about 7 hours ago.

Target version:
Start date:
Due date:
% Done:


Spec Reference:


Building with address sanitizer, i get a heap-use-after-free during mgcp_test.c in test_retransmission().

<0010> ../../../../src/osmo-mgw/src/libosmo-mgcp/mgcp_protocol.c:1091 endpoint:rtpbridge/7@mgw CI:B56C87C0 CRCX: connection successfully created
==19776==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000023188 at pc 0x7f127af94fb6 bp 0x7ffc57de92d0 sp 0x7ffc57de92c8
WRITE of size 8 at 0x60e000023188 thread T0
    #0 0x7f127af94fb5 in __llist_add (/usr/local/lib/
    #1 0x7f127af9514d in llist_add (/usr/local/lib/
    #2 0x7f127af96134 in osmo_stat_item_group_alloc (/usr/local/lib/
    #3 0x55985cac69a3 in mgcp_stat_trunk_alloc (/home/neels/osmo-dev/make/osmo-mgw/tests/mgcp/mgcp_test+0x1159a3)
    #4 0x55985cac345c in mgcp_trunk_alloc (/home/neels/osmo-dev/make/osmo-mgw/tests/mgcp/mgcp_test+0x11245c)
    #5 0x55985ca85d96 in mgcp_config_alloc (/home/neels/osmo-dev/make/osmo-mgw/tests/mgcp/mgcp_test+0xd4d96)
    #6 0x55985ca6627f in test_retransmission ../../../../src/osmo-mgw/tests/mgcp/mgcp_test.c:933
    #7 0x55985ca71944 in main ../../../../src/osmo-mgw/tests/mgcp/mgcp_test.c:2255
    #8 0x7f1279c4c09a in __libc_start_main (/lib/x86_64-linux-gnu/
    #9 0x55985ca61b39 in _start (/home/neels/osmo-dev/make/osmo-mgw/tests/mgcp/mgcp_test+0xb0b39)

I bisected to identify this commit as the cause:

commit 6bad138c96ef0e2a93ef7de42e897880131c0b43
Author:     Philipp Maier <>
    mgcp_ratectr: add stats items to monitor trunk usage

I took a very brief look and couldn't figure it out directly, so decided to revert the commit instead.

dexter please take a look and re-submit a fixed patch version

Associated revisions

Revision 26856859 (diff)
Added by neels 5 days ago

Revert "mgcp_ratectr: add stats items to monitor trunk usage"

This reverts commit 6bad138c96ef0e2a93ef7de42e897880131c0b43.

Reason for revert: heap-use-after-free during 'make check'
in mgcp_test.c test_retransmission()

Change-Id: I96792a719c9c7273676ab9ffe0b9e2aae4c23166
Related: OS#5201

Revision 41ab87f6 (diff)
Added by daniel 3 days ago

contrib/jenkins: Use ASAN for osmo-mgw

Change-Id: I55cfea8a94730ebfaed1ef3227c50777edfb94fb
Related: OS#5201


#2 Updated by daniel 3 days ago

I believe you need to add talloc_set_destructor(stats->common, free_stat_item_group);
and free the stat_item group in there.

It's weird that the jenkins job didn't catch that. Do we not use ASAN for these?

#3 Updated by daniel 3 days ago

#4 Updated by daniel 3 days ago

ASAN is not enabled for osmo-mgw. Patch here:

#5 Updated by dexter about 7 hours ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

I have uploaded a corrected version of the patch to gerrit now: mgcp_ratectr: add stats items to monitor trunk usage

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)