open5gs/tests
Bostjan Meglic c791d97ed7 [NF] Fix double-free crash when NF is under heavy load
<nf>/init.c:<nf>_main() :
ogs_pollset_poll() receives the time of the expiration of the next timer as
an argument. If this timeout is in the very near future (1 millisecond),
and if there are multiple events that need to be processed by
ogs_pollset_poll(), these could take more than 1 millisecond to
process, resulting in the timer having already passed its expiration.

In case another NF is under heavy load and responds to an SBI
request with a delay of a few seconds, it can happen that
ogs_pollset_poll() adds SBI responses to the event list for further
processing, then ogs_timer_mgr_expire() is called, which adds an
additional event for the timer expiration. When all events are processed
one by one, the SBI xact gets deleted twice in a row, resulting in
a crash.

0  __GI_abort () at ./stdlib/abort.c:107
1  0x00007f9de91693b1 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
2  0x00007f9de9a21745 in ogs_talloc_free (ptr=0x7f9d906c2c70, location=0x7f9de960bf41 "../lib/sbi/message.c:2423") at ../lib/core/ogs-memory.c:107
3  0x00007f9de95dbf31 in ogs_sbi_discovery_option_free (discovery_option=0x7f9d9090e670) at ../lib/sbi/message.c:2423
4  0x00007f9de95f7c47 in ogs_sbi_xact_remove (xact=0x7f9db630b630) at ../lib/sbi/context.c:1702
5  0x000055a482784846 in amf_state_operational (s=0x7f9d9488bbb0, e=0x7f9d90aecf20) at ../src/amf/amf-sm.c:604
6  0x00007f9de9a33cf0 in ogs_fsm_dispatch (fsm=0x7f9d9488bbb0, event=0x7f9d90aecf20) at ../lib/core/ogs-fsm.c:127
7  0x000055a48275b32e in amf_main (data=0x0) at ../src/amf/init.c:149
8  0x00007f9de9a249eb in thread_worker (arg=0x55a483d41d90) at ../lib/core/ogs-thread.c:67
9  0x00007f9de8fd2b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
10 0x00007f9de9063bb4 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100
2023-02-04 21:25:46 +09:00
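The ordering the commit message describes (a delayed SBI response and the matching timer-expiry event landing in the same poll batch, both handlers freeing the same transaction) reduced to a small C model, as an added example that is not open5gs code. xact_pool, xact_ref_t, run_batch and the generation-counter handle are assumptions made here to illustrate one mitigation, re-validating the transaction handle before freeing it; they are not a description of what commit c791d97ed7 itself changes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_XACT 8

/* Hypothetical SBI transaction slot (stands in for the real xact object). */
typedef struct {
    bool in_use;
    uint32_t generation;   /* bumped on every allocation so stale handles mismatch */
    char target_nf[16];
} xact_t;

static xact_t xact_pool[MAX_XACT];

/* Handle queued inside an event instead of a raw pointer to the xact. */
typedef struct {
    int index;
    uint32_t generation;
} xact_ref_t;

enum { EV_SBI_RESPONSE, EV_SBI_TIMER };

typedef struct {
    int type;
    xact_ref_t ref;
} event_t;

/* Allocate a slot for a request towards `nf`; index -1 if the pool is exhausted. */
xact_ref_t xact_add(const char *nf)
{
    xact_ref_t ref = { -1, 0 };
    for (int i = 0; i < MAX_XACT; i++) {
        if (!xact_pool[i].in_use) {
            xact_pool[i].in_use = true;
            xact_pool[i].generation++;
            snprintf(xact_pool[i].target_nf, sizeof xact_pool[i].target_nf, "%s", nf);
            ref.index = i;
            ref.generation = xact_pool[i].generation;
            return ref;
        }
    }
    return ref;
}

/* Resolve a handle; NULL if the slot was freed or reused since the event was queued. */
xact_t *xact_find(xact_ref_t ref)
{
    if (ref.index < 0 || ref.index >= MAX_XACT) return NULL;
    xact_t *x = &xact_pool[ref.index];
    if (!x->in_use || x->generation != ref.generation) return NULL;
    return x;
}

/* Free a slot; false means it was not live, i.e. this would have been the double free. */
bool xact_remove(xact_ref_t ref)
{
    xact_t *x = xact_find(ref);
    if (!x) return false;
    x->in_use = false;
    return true;
}

/* Process one batch of events the way an NF main loop drains them after a poll.
   Returns how many frees were attempted on an already-freed xact (0 is the safe case). */
int run_batch(const event_t *evs, size_t n, bool validate)
{
    int double_frees = 0;
    for (size_t i = 0; i < n; i++) {
        if (validate) {
            /* Hardened: both handlers re-resolve the handle; a stale one is dropped. */
            if (!xact_remove(evs[i].ref)) continue;
        } else {
            /* Naive: trust whatever the event captured when it was queued. */
            xact_t *x = &xact_pool[evs[i].ref.index];
            if (!x->in_use) double_frees++;   /* talloc would abort here */
            x->in_use = false;
        }
    }
    return double_frees;
}

/* Constructed scenario from the commit message: response and timer expiry for the
   same xact are both queued before the loop gets to process either of them. */
int scenario(bool validate)
{
    memset(xact_pool, 0, sizeof xact_pool);
    xact_ref_t ref = xact_add("nrf");
    event_t batch[2] = {
        { EV_SBI_RESPONSE, ref },   /* delayed response finally arrived */
        { EV_SBI_TIMER, ref },      /* timer expired during the same poll */
    };
    return run_batch(batch, 2, validate);
}

/* Slot reuse: a stale handle must not resolve to the new occupant of the slot. */
bool stale_ref_does_not_resolve(void)
{
    memset(xact_pool, 0, sizeof xact_pool);
    xact_ref_t old = xact_add("nrf");
    xact_remove(old);
    xact_ref_t fresh = xact_add("udm");   /* reuses the slot with a new generation */
    return fresh.index == old.index && xact_find(old) == NULL && xact_find(fresh) != NULL;
}

int main(void)
{
    printf("naive batch: %d double free(s)\n", scenario(false));
    printf("validated batch: %d double free(s)\n", scenario(true));
    printf("stale handle rejected after reuse: %s\n",
           stale_ref_does_not_resolve() ? "yes" : "no");
    return 0;
}
```

The point of the generation counter is that cancelling the timer when the response arrives is not enough once the expiry event is already in the queue; the handler that runs second has to be able to tell that the object it references is gone, which a raw pointer cannot express.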
310014 Introduced Subscription identifier de-concealing 2022-12-24 20:22:45 +09:00
af [NF] Fix double-free crash when NF is under heavy load 2023-02-04 21:25:46 +09:00
app Introduced Subscription identifier de-concealing 2022-12-24 20:22:45 +09:00
attach Introduced Subscription identifier de-concealing 2022-12-24 20:22:45 +09:00
common [CORE] OGS_MAX_SDU_LEN->OGS_HUGE_LEN Stack (#2008) 2023-01-25 22:24:51 +09:00
core Introduced Subscription identifier de-concealing 2022-12-24 20:22:45 +09:00
crypt Introduced Subscription identifier de-concealing 2022-12-24 20:22:45 +09:00
csfb Introduced Subscription identifier de-concealing 2022-12-24 20:22:45 +09:00
handover [CORE] OGS_MAX_SDU_LEN->OGS_HUGE_LEN Stack (#2008) 2023-01-25 22:24:51 +09:00
non3gpp [LOG] remove ogs_expect_or_return()/return_val() 2023-01-24 00:01:36 +09:00
registration [NRF] Fixed a crash during NRF discovery (#2034) 2023-01-29 11:22:45 +09:00
sctp Fixed MacOSX Test code 2022-11-23 21:06:15 +09:00
slice Introduced Subscription identifier de-concealing 2022-12-24 20:22:45 +09:00
unit [CORE] OGS_MAX_SDU_LEN->OGS_HUGE_LEN Stack (#2008) 2023-01-25 22:24:51 +09:00
volte [LOG] remove ogs_expect_or_return()/return_val() 2023-01-24 00:01:36 +09:00
vonr [CORE] OGS_MAX_SDU_LEN->OGS_HUGE_LEN Stack (#2008) 2023-01-25 22:24:51 +09:00
meson.build [EPC] Support ePDG Interface (#1039) 2021-06-21 22:36:38 +09:00