sgsn: Free MM context after receiving a Detach Request

On a Detach/Re-attach cycle the Address Sanitizer detected a
use-after-free kind of problem. That is because we tried to
destroy the LLME twice. The first time it is destroyed as part
of the Detach handling ans the second time it is destroyed as
part of destroying the old MM context.

In case the GPRS GMM detach message is lost the SGSN needs
to reply besides not having a MM entry.

The alternative would have been to add NULL checks for all
usages of ctx->llme which would not have helped with the
readability.

Sponsored-by: On-Waves ehf

openbsc/src/gprs/gprs_gmm.c

@@ -808,6 +808,8 @@ static int gsm48_rx_gmm_det_req(struct sgsn_mm_ctx *ctx, struct msgb *msg)
 	gprs_llgmm_assign(ctx->llme, ctx->tlli, 0xffffffff,
 			  GPRS_ALGO_GEA0, NULL);
 
+	sgsn_mm_ctx_free(ctx);
+
 	return rc;
 }
 
@@ -1575,6 +1577,8 @@ int gsm0408_gprs_rcvmsg(struct msgb *msg, struct gprs_llc_llme *llme)
 		break;
 	}
 
+	/* MMCTX can be invalid */
+
 	return rc;
 }
 

openbsc/tests/sgsn/sgsn_test.c

@@ -141,9 +141,7 @@ static void test_gmm_detach(void)
 	/* verify that things are gone */
 	OSMO_ASSERT(count(gprs_llme_list()) == 0);
 	ictx = sgsn_mm_ctx_by_tlli(local_tlli, &raid);
-	/* this is still wrong and needs to be changed */
-	OSMO_ASSERT(ictx);
-	OSMO_ASSERT(ictx->llme == lle->llme);
+	OSMO_ASSERT(!ictx);
 }
 
 static struct log_info_cat gprs_categories[] = {