[MERGED] osmo-pcu[master]: fix segfault: check for NULL tbf in sched_select_ctrl_msg()

Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Fri Jan 6 13:54:04 UTC 2017


Neels Hofmeyr has submitted this change and it was merged.

Change subject: fix segfault: check for NULL tbf in sched_select_ctrl_msg()
......................................................................


fix segfault: check for NULL tbf in sched_select_ctrl_msg()

Apparently fixes a corrupted stack looking like this on sysmobts:

  (gdb) run
  Starting program: /usr/bin/osmo-pcu -c /etc/osmocom/osmo-pcu.cfg
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/libthread_db.so.1".
  <000b> telnet_interface.c:95 telnet at 127.0.0.1 4240
  <0001> osmobts_sock.cpp:227 Opening OsmoPCU L1 interface to OsmoBTS
  <0001> osmobts_sock.cpp:285 osmo-bts PCU socket has been connected
  <0001> pcu_l1_if.cpp:368 BTS available
  <0008> gprs_ns.c:233 NSVCI=65534 Creating NS-VC
  <0008> gprs_ns.c:233 NSVCI=100 Creating NS-VC
  <0008> gprs_ns.c:1568 NSEI=100 RESET procedure based on API request
  <0008> gprs_ns.c:393 NSEI=100 Tx NS RESET (NSVCI=100, cause=O&M intervention)
  <0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=2
  <0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=2
  <0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=3
  <0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=3
  <0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=4
  <0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=4
  <0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=5
  <0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=5
  <0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=6
  <0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=6
  <0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=7
  <0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=7
  <0001> pcu_l1_if.cpp:319 RACH request received: sapi=1 qta=0, ra=120, fn=103198
  <0009> tbf_ul.cpp:373 LLC [PCU -> SGSN] TBF(TFI=0 TLLI=0x7f2dd569 DIR=UL STATE=FLOW) len=6
  <0008> gprs_ns.c:684 All NS-VCs for NSEI 100 are either dead or blocked!

  Program received signal SIGSEGV, Segmentation fault.
  gprs_rlcmac_rcv_rts_block (bts=0x60a08, trx=trx at entry=0 '\000', ts=ts at entry=4 '\004', fn=7, fn at entry=103272,
      block_nr=block_nr at entry=0 '\000') at gprs_rlcmac_sched.cpp:349
  349	gprs_rlcmac_sched.cpp: No such file or directory.
  (gdb) bt
  #0  gprs_rlcmac_rcv_rts_block (bts=0x60a08, trx=trx at entry=0 '\000', ts=ts at entry=4 '\004', fn=7, fn at entry=103272,
      block_nr=block_nr at entry=0 '\000') at gprs_rlcmac_sched.cpp:349
  #1  0x0001151c in pcu_rx_rts_req_pdtch (trx=<optimized out>, ts=<optimized out>, fn=103272, block_nr=<optimized out>)
      at pcu_l1_if.cpp:279
  #2  0x0000bfcc in handle_ph_readytosend_ind (fl1h=0xafa40, rts_ind=0xb03f8) at osmo-bts-sysmo/sysmo_l1_if.c:142
  #3  l1if_handle_l1prim (wq=<optimized out>, fl1h=0xafa40, msg=0xb0330) at osmo-bts-sysmo/sysmo_l1_if.c:259
  #4  0x4fcd6330 in osmo_fd_disp_fds (_eset=0xbefffb68, _wset=0xbefffae8, _rset=0xbefffa68) at select.c:149
  #5  osmo_select_main (polling=<optimized out>) at select.c:189
  #6  0x0000b2a0 in main (argc=<optimized out>, argv=0x66628 <_ZStL8__ioinit>) at pcu_main.cpp:295

Fixes: coverity CID#158969
Related: https://lists.osmocom.org/pipermail/osmocom-net-gprs/2016-December/000785.html
Change-Id: I357492e558e98cfdbf5bb3438b5013029195b02b
---
M src/gprs_rlcmac_sched.cpp
1 file changed, 3 insertions(+), 0 deletions(-)

Approvals:
  Max: Looks good to me, but someone else must approve
  Neels Hofmeyr: Looks good to me, approved
  Harald Welte: Looks good to me, but someone else must approve
  Jenkins Builder: Verified



diff --git a/src/gprs_rlcmac_sched.cpp b/src/gprs_rlcmac_sched.cpp
index fdda79d..8b27cac 100644
--- a/src/gprs_rlcmac_sched.cpp
+++ b/src/gprs_rlcmac_sched.cpp
@@ -173,6 +173,9 @@
 		}
 	}
 
+	if (!tbf)
+		return NULL;
+
 	/* any message */
 	if (msg) {
 		tbf->rotate_in_list();

-- 
To view, visit https://gerrit.osmocom.org/1510
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I357492e558e98cfdbf5bb3438b5013029195b02b
Gerrit-PatchSet: 3
Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Max <msuraev at sysmocom.de>
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>


More information about the gerrit-log mailing list