forked from acouzens/open5gs
[SMF] fix crash due free-ing invalid pointer
In case that database is (manually) corrupted for a specific UE, SSC mode and ARP preemption vulnerability fields are not set correctly, SMF will crash when trying to build a request to create PCF association. Function smf_npcf_smpolicycontrol_build_create() will end prematurely, and when cleaning up resources it will try to free() up invalid pointer, which was not set to 0 at beginning of the function. [smf] ERROR: SSCMode is not allowed (../src/smf/nudm-handler.c:165) [sbi] DEBUG: STATUS [201] (../lib/sbi/nghttp2-server.c:443) [sbi] DEBUG: SENDING...: 3 (../lib/sbi/nghttp2-server.c:451) [sbi] DEBUG: { } (../lib/sbi/nghttp2-server.c:452) [sbi] DEBUG: STREAM closed [1] (../lib/sbi/nghttp2-server.c:962) [smf] ERROR: No Arp.preempt_cap (../src/smf/npcf-build.c:132) <crash> 0 __GI_abort () at ./stdlib/abort.c:107 1 0x00007f9348fe43b1 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2 2 0x00007f9349aef745 in ogs_talloc_free (ptr=0x7f9348e38dab <_int_free+1675>, location=0x5591b8675d27 "../src/smf/npcf-build.c:181") at ../lib/core/ogs-memory.c:107 3 0x00005591b8653c45 in smf_npcf_smpolicycontrol_build_create (sess=0x7f9343070010, data=0x0) at ../src/smf/npcf-build.c:181 4 0x00007f9349abc2b4 in ogs_sbi_xact_add (sbi_object=0x7f9343070010, service_type=OGS_SBI_SERVICE_TYPE_NPCF_SMPOLICYCONTROL, discovery_option=0x7f9338006d90, build=0x5591b86531d0 <smf_npcf_smpolicycontrol_build_create>, context=0x7f9343070010, data=0x0) at ../lib/sbi/context.c:1699 5 0x00005591b86580be in smf_sbi_discover_and_send (service_type=OGS_SBI_SERVICE_TYPE_NPCF_SMPOLICYCONTROL, discovery_option=0x0, build=0x5591b86531d0 <smf_npcf_smpolicycontrol_build_create>, sess=0x7f9343070010, stream=0x7f9344fce0a0, state=0, data=0x0) at ../src/smf/sbi-path.c:110 6 0x00005591b864e9da in smf_nudm_sdm_handle_get (sess=0x7f9343070010, stream=0x7f9344fce0a0, recvmsg=0x7f933f52d5a0) at ../src/smf/nudm-handler.c:290 7 0x00005591b8600c96 in smf_gsm_state_wait_5gc_sm_policy_association (s=0x7f9343070610, e=0x7f9338076730) at ../src/smf/gsm-sm.c:523 ...
This commit is contained in:
parent
1be6176e8d
commit
3e22059916
|
@ -47,6 +47,8 @@ ogs_sbi_request_t *smf_npcf_smpolicycontrol_build_create(
|
|||
message.h.resource.component[0] = (char *)OGS_SBI_RESOURCE_NAME_SM_POLICIES;
|
||||
|
||||
memset(&SmPolicyContextData, 0, sizeof(SmPolicyContextData));
|
||||
memset(&sNssai, 0, sizeof(sNssai));
|
||||
memset(&SubsSessAmbr, 0, sizeof(SubsSessAmbr));
|
||||
|
||||
SmPolicyContextData.supi = smf_ue->supi;
|
||||
if (!SmPolicyContextData.supi) {
|
||||
|
@ -105,7 +107,6 @@ ogs_sbi_request_t *smf_npcf_smpolicycontrol_build_create(
|
|||
}
|
||||
}
|
||||
|
||||
memset(&SubsSessAmbr, 0, sizeof(SubsSessAmbr));
|
||||
if (OGS_SBI_FEATURES_IS_SET(sess->smpolicycontrol_features,
|
||||
OGS_SBI_NPCF_SMPOLICYCONTROL_DN_AUTHORIZATION)) {
|
||||
if (sess->session.ambr.uplink) {
|
||||
|
@ -161,7 +162,6 @@ ogs_sbi_request_t *smf_npcf_smpolicycontrol_build_create(
|
|||
}
|
||||
}
|
||||
|
||||
memset(&sNssai, 0, sizeof(sNssai));
|
||||
sNssai.sst = sess->s_nssai.sst;
|
||||
sNssai.sd = ogs_s_nssai_sd_to_string(sess->s_nssai.sd);
|
||||
SmPolicyContextData.slice_info = &sNssai;
|
||||
|
|
Loading…
Reference in New Issue