Change in osmo-ttcn3-hacks[master]: BTS: fix: pad LAPDm frames before sending via L1CTL

Vadim Yanitskiy gerrit-no-reply at lists.osmocom.org
Thu Jul 26 19:47:30 UTC 2018


Vadim Yanitskiy has uploaded this change for review. ( https://gerrit.osmocom.org/10183 )


Change subject: BTS: fix: pad LAPDm frames before sending via L1CTL
......................................................................

BTS: fix: pad LAPDm frames before sending via L1CTL

Thanks to Stefan Sperling, a critical bug was discovered in trxcon.
The problem was that the length of LAPDm frames was not checked before
passing them to the libosmocoding API. So, if a received LAPDm
frame is shorter than expected (i.e. 23 bytes), then:

  - in case of xCCH, there was a heap overflow (detected by ASAN),
    so a short frame has been encoded together with some garbage
    outside the primitive buffer...

  - in case of FACCH, as the length != 23, a frame was recognised
    as a speech frame, and also encoded together with some garbage.

Since the bug is fixed (OS#3415), some TTCN-3 BTS tests started
to fail, because most likely it was assumed that trxcon would
pad the frames automatically, but it doesn't and shouldn't.

Let's automatically pad LAPDm frames with 0x2b before sending.

Change-Id: I16cba4e4179456bebabf0638760af011a27fd333
Related: OS#3418
---
M bts/BTS_Tests.ttcn
M start-testsuite.sh
2 files changed, 9 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/83/10183/1

diff --git a/bts/BTS_Tests.ttcn b/bts/BTS_Tests.ttcn
index 40bfd24..2e27c10 100644
--- a/bts/BTS_Tests.ttcn
+++ b/bts/BTS_Tests.ttcn
@@ -3222,6 +3222,14 @@
 		/* prepend dummy L1 header */
 		l2 := '0000'O & l2;
 	}
+
+	/* If required, pad L2 frame with constant 0x02 filling */
+	var integer l2_len := lengthof(l2);
+	while (l2_len < 23) {
+		l2_len := l2_len + 1;
+		l2 := l2 & '2B'O;
+	}
+
 	log("encoding ", l, " to ", l2);
 	L1CTL.send(ts_L1CTL_DATA_REQ(g_chan_nr, link_id, l2));
 }
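Review bot: The new comment says "constant 0x02 filling", but the loop appends '2B'O and the commit message names 0x2b, so the comment should read 0x2B. The literal 23 is also a magic number here and would be clearer as a named constant next to the fill octet. Note that the loop runs after the branch that prepends '0000'O, so the two dummy L1 header octets count toward the 23 when that branch is taken; a word in the comment stating that this is intended would help. Finally, only the short case is handled: an l2 longer than 23 octets is passed to L1CTL.send unchanged, so if the test side should never produce one, a setverdict or log on lengthof(l2) > 23 would make that visible.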
diff --git a/start-testsuite.sh b/start-testsuite.sh
index e2da8f0..e8d7fcc 100755
--- a/start-testsuite.sh
+++ b/start-testsuite.sh
@@ -21,7 +21,7 @@
 	TEST=$3
 fi
 
-LD_LIBRARY_PATH="$SUITE_DIR:/usr/lib/titan:/usr/ttcn3/lib" ttcn3_start $SUITE $CFG $TEST
+LD_LIBRARY_PATH="$SUITE_DIR:/home/wmn/osmocom/titan.core/install/lib" ttcn3_start $SUITE $CFG $TEST
 
 expected="$SUITE_DIR/expected-results.xml"
 if [ ! -f "$expected" ]; then
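Review bot: The LD_LIBRARY_PATH change replaces the system locations /usr/lib/titan:/usr/ttcn3/lib with /home/wmn/osmocom/titan.core/install/lib, a path under one user's home directory. That is unrelated to the LAPDm padding described in the commit message and will break ttcn3_start library lookup for anyone whose TITAN install is not at that path. It looks like a local setting that was staged by accident; please drop this hunk from the change so that only bts/BTS_Tests.ttcn is touched.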

-- 
To view, visit https://gerrit.osmocom.org/10183
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-ttcn3-hacks
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I16cba4e4179456bebabf0638760af011a27fd333
Gerrit-Change-Number: 10183
Gerrit-PatchSet: 1
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>