Actions
Bug #5565
closedSMPP ESME heap-use-after-free
Start date:
05/16/2022
Due date:
% Done:
100%
Resolution:
Spec Reference:
Description
I'm seeing this when running a custom WIP SMS load test (in TTCN3) when the test exits and disconnects via GSUP/SMPP/etc:
==2277642==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000003ef4 at pc 0x7f3e409cfa8d bp 0x7ffe7f80f8c0 sp 0x7ffe7f80f8b8
READ of size 4 at 0x614000003ef4 thread T0
#0 0x7f3e409cfa8c in osmo_wqueue_bfd_cb /space/home/laforge/projects/git/libosmocore/src/write_queue.c:61
#1 0x7f3e409a28a6 in poll_disp_fds /space/home/laforge/projects/git/libosmocore/src/select.c:361
#2 0x7f3e409a2a33 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:399
#3 0x7f3e409a2b16 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:455
#4 0x5556dead072b in main (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x45a72b)
#5 0x7f3e3d75a7fc in __libc_start_main ../csu/libc-start.c:332
#6 0x5556deacbe09 in _start (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x455e09)
0x614000003ef4 is located 180 bytes inside of 432-byte region [0x614000003e40,0x614000003ff0)
freed by thread T0 here:
#0 0x7f3e415bd4d7 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7f3e3e8d7353 in _tc_free_internal ../../talloc.c:1222
#2 0x5556decbe988 in esme_destroy (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x648988)
#3 0x5556decbed1b in smpp_esme_put (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x648d1b)
#4 0x5556decc8b61 in esme_link_read_cb (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x652b61)
#5 0x7f3e409cf94d in osmo_wqueue_bfd_cb /space/home/laforge/projects/git/libosmocore/src/write_queue.c:47
#6 0x7f3e409a28a6 in poll_disp_fds /space/home/laforge/projects/git/libosmocore/src/select.c:361
#7 0x7f3e409a2a33 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:399
#8 0x7f3e409a2b16 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:455
#9 0x5556dead072b in main (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x45a72b)
#10 0x7f3e3d75a7fc in __libc_start_main ../csu/libc-start.c:332
#11 0x5556deacbe09 in _start (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x455e09)
previously allocated by thread T0 here:
#0 0x7f3e415bd7cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f3e3e8d97ef in __talloc_with_prefix ../../talloc.c:783
#2 0x7f3e3e8da196 in __talloc ../../talloc.c:825
#3 0x7f3e3e8da196 in _talloc_named_const ../../talloc.c:982
#4 0x7f3e3e8da196 in _talloc_zero ../../talloc.c:2421
#5 0x5556decc918e in link_accept_cb (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x65318e)
#6 0x5556decc9d2b in smsc_fd_cb (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x653d2b)
#7 0x7f3e409a28a6 in poll_disp_fds /space/home/laforge/projects/git/libosmocore/src/select.c:361
#8 0x7f3e409a2a33 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:399
#9 0x7f3e409a2b16 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:455
#10 0x5556dead072b in main (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x45a72b)
#11 0x7f3e3d75a7fc in __libc_start_main ../csu/libc-start.c:332
#12 0x5556deacbe09 in _start (/space/home/laforge/projects/git/osmo-msc/src/osmo-msc/osmo-msc+0x455e09)
SUMMARY: AddressSanitizer: heap-use-after-free /space/home/laforge/projects/git/libosmocore/src/write_queue.c:61 in osmo_wqueue_bfd_cb
Related issues
Updated by laforge almost 2 years ago
- Status changed from New to In Progress
- Assignee set to laforge
The problem is most likely that we destroy the esme (and its underlying write_queue) in the read_cb() without returning -EBADF from the wqueue read_cb. This means the code proceeds further down to the OSMO_FD_WRITE case, if something is to be written -> boom.
Updated by laforge almost 2 years ago
- % Done changed from 0 to 80
Updated by laforge almost 2 years ago
- Related to Bug #3278: Disconnected ESME socket leaves esme entry in smsc->esme_list added
Updated by laforge almost 2 years ago
- Status changed from In Progress to Resolved
- % Done changed from 80 to 100
Applied in changeset osmo-msc|022193da73230fba5c65599fedcba606b71f9928.
Actions
