[PATCH] osmo-msc[master]: msc_cipher_mode_compl: Handle CIPH MOD COMPL without L3 message


Harald Welte gerrit-no-reply at lists.osmocom.org
Wed Jan 24 21:40:27 UTC 2018


Review at  https://gerrit.osmocom.org/6034

msc_cipher_mode_compl: Handle CIPH MOD COMPL without L3 message

According to 3GPP TS 48.008 Section 3.2.1.31, the "Layer 3 Message Contents"
IE of the BSSMAP CIPHER MODE COMPLETE is optional. The BSC may hence
include that IE or omit it.

Without this patch, OsmoMSC is crashing if that IE was missing:

<000a> a_iface_bssap.c:699 Rx BSC DT: 00 03 55 2c 02
<000a> a_iface_bssap.c:629 Rx MSC DT1 BSSMAP CIPHER MODE COMPLETE
<001f> a_iface_bssap.c:91 Found A subscriber for conn_id 1
<000a> a_iface_bssap.c:415 BSC sends cipher mode complete (conn_id=1)
==5611== Invalid read of size 8
==5611==    at 0x128D0F: msc_cipher_mode_compl (osmo_msc.c:159)
==5611==    by 0x114F62: bssmap_rx_ciph_compl.isra.8 (a_iface_bssap.c:432)
==5611==    by 0x113267: sccp_sap_up (a_iface.c:520)

Change-Id: I722f9b468b157b3736918f090daaa9489a6028ee
Closes: OS#2871
---
M include/osmocom/msc/gsup_client.h
M src/libmsc/osmo_msc.c
2 files changed, 27 insertions(+), 27 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/34/6034/1

diff --git a/include/osmocom/msc/gsup_client.h b/include/osmocom/msc/gsup_client.h
index 3d1dce0..0199a72 100644
--- a/include/osmocom/msc/gsup_client.h
+++ b/include/osmocom/msc/gsup_client.h
@@ -25,7 +25,7 @@
 
 #include <osmocom/msc/oap_client.h>
 
-#define GSUP_CLIENT_RECONNECT_INTERVAL 10
+#define GSUP_CLIENT_RECONNECT_INTERVAL 1
 #define GSUP_CLIENT_PING_INTERVAL 20
 
 struct msgb;
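Review bot: The drop of GSUP_CLIENT_RECONNECT_INTERVAL from 10 to 1 on the `+#define` line is unrelated to the Cipher Mode Complete crash and is not mentioned anywhere in the commit message. A 1-second interval makes an MSC whose HLR/GSUP peer is down retry ten times as often, which is a behavioural change that deserves its own justification, so it should either be split into a separate change or reverted here to `#define GSUP_CLIENT_RECONNECT_INTERVAL 10`. If the shorter interval is a deliberate choice, a one-line comment above the define stating why would at least keep it from looking like a leftover debugging edit.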
diff --git a/src/libmsc/osmo_msc.c b/src/libmsc/osmo_msc.c
index 2a868a8..755f8aa 100644
--- a/src/libmsc/osmo_msc.c
+++ b/src/libmsc/osmo_msc.c
@@ -156,43 +156,43 @@
 void msc_cipher_mode_compl(struct gsm_subscriber_connection *conn,
 			   struct msgb *msg, uint8_t alg_id)
 {
-	struct gsm48_hdr *gh = msgb_l3(msg);
-	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
-	struct tlv_parsed tp;
-	uint8_t mi_type;
-	char imeisv[GSM48_MI_SIZE] = "";
 	struct vlr_ciph_result ciph_res = { .cause = VLR_CIPH_REJECT };
 
-	if (!gh) {
-		LOGP(DRR, LOGL_ERROR, "invalid: msgb without l3 header\n");
-		return;
-	}
-
 	if (!conn) {
-		LOGP(DRR, LOGL_ERROR,
-		     "invalid: rx Ciphering Mode Complete on NULL conn\n");
+		LOGP(DRR, LOGL_ERROR, "invalid: rx Ciphering Mode Complete on NULL conn\n");
 		return;
 	}
 	if (!conn->vsub) {
-		LOGP(DRR, LOGL_ERROR,
-		     "invalid: rx Ciphering Mode Complete for NULL subscr\n");
+		LOGP(DRR, LOGL_ERROR, "invalid: rx Ciphering Mode Complete for NULL subscr\n");
 		return;
 	}
 
-	DEBUGP(DRR, "%s: CIPHERING MODE COMPLETE\n",
-	       vlr_subscr_name(conn->vsub));
+	DEBUGP(DRR, "%s: CIPHERING MODE COMPLETE\n", vlr_subscr_name(conn->vsub));
 
-	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
+	if (msg) {
+		struct gsm48_hdr *gh = msgb_l3(msg);
+		unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
+		struct tlv_parsed tp;
+		uint8_t mi_type;
+		char imeisv[GSM48_MI_SIZE] = "";
 
-	/* bearer capability */
-	if (TLVP_PRESENT(&tp, GSM48_IE_MOBILE_ID)) {
-		mi_type = TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0] & GSM_MI_TYPE_MASK;
-		if (mi_type == GSM_MI_TYPE_IMEISV
-		    && TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0) {
-			gsm48_mi_to_string(imeisv, sizeof(imeisv),
-					   TLVP_VAL(&tp, GSM48_IE_MOBILE_ID),
-					   TLVP_LEN(&tp, GSM48_IE_MOBILE_ID));
-			ciph_res.imeisv = imeisv;
+		if (!gh) {
+			LOGP(DRR, LOGL_ERROR, "invalid: msgb without l3 header\n");
+			return;
+		}
+
+		tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
+
+		/* bearer capability */
+		if (TLVP_PRESENT(&tp, GSM48_IE_MOBILE_ID)) {
+			mi_type = TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0] & GSM_MI_TYPE_MASK;
+			if (mi_type == GSM_MI_TYPE_IMEISV
+			    && TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0) {
+				gsm48_mi_to_string(imeisv, sizeof(imeisv),
+						   TLVP_VAL(&tp, GSM48_IE_MOBILE_ID),
+						   TLVP_LEN(&tp, GSM48_IE_MOBILE_ID));
+				ciph_res.imeisv = imeisv;
+			}
 		}
 	}
 
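Review bot: `payload_len` on the new line `unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);` is computed before the `!gh` check and without verifying that the L3 contents are at least a gsm48_hdr long; since the Layer 3 Message Contents IE is supplied by the BSC, a contents field shorter than 2 bytes underflows the unsigned subtraction and hands tlv_parse a huge length, trading the NULL-read crash this change fixes for an out-of-bounds read. Change the guard to `if (!gh || msgb_l3len(msg) < sizeof(*gh)) {` and move the `payload_len` assignment below it. In the Mobile Identity branch the `TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0` test should come before `TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0]` is read rather than after it, for the same reason. Note also that the `return` inside the `if (msg)` branch skips the remainder of msc_cipher_mode_compl, which continues past this hunk, so a malformed IE silently drops the ciphering result instead of reporting a reject; if that is intended, a comment saying so would help the next reader.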

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: I722f9b468b157b3736918f090daaa9489a6028ee
Gerrit-PatchSet: 1
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>


