Change in osmo-ttcn3-hacks[master]: BTS: fix: pad LAPDm frames before sending via L1CTL


Harald Welte gerrit-no-reply at lists.osmocom.org
Fri Jul 27 13:05:53 UTC 2018


Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/10183 )

Change subject: BTS: fix: pad LAPDm frames before sending via L1CTL
......................................................................

BTS: fix: pad LAPDm frames before sending via L1CTL

Thanks to Stefan Sperling, a critical bug was discovered in trxcon.
The problem was that the length of LAPDm frames was not checked before
passing them to the libosmocoding API. So, if a received LAPDm
frame is shorter than expected (i.e. 23 bytes), then:

  - in case of xCCH, there was a heap overflow (detected by ASAN),
    so a short frame has been encoded together with some garbage
    outside the primitive buffer...

  - in case of FACCH, as the length != 23, a frame was recognised
    as a speech frame, and also encoded together with some garbage.

Since the bug is fixed (OS#3415), some TTCN-3 BTS tests started
to fail, because most likely it was assumed that trxcon would
pad the frames automatically, but it doesn't and shouldn't.

Let's automatically pad LAPDm frames with 0x2b before sending.

Change-Id: I16cba4e4179456bebabf0638760af011a27fd333
Related: OS#3418
---
M bts/BTS_Tests.ttcn
1 file changed, 8 insertions(+), 2 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/bts/BTS_Tests.ttcn b/bts/BTS_Tests.ttcn
index 40bfd24..77bffd6 100644
--- a/bts/BTS_Tests.ttcn
+++ b/bts/BTS_Tests.ttcn
@@ -1153,7 +1153,8 @@
 		var LapdmFrameAB lb := valueof(ts_LAPDm_AB(0, false, false, enc_GsmRrL3Message(meas_rep)));
 		log("LAPDm: ", lb);
 		var octetstring pl := '0000'O & enc_LapdmFrameAB(lb);
-		L1CTL.send(ts_L1CTL_DATA_REQ(g_chan_nr, ts_RslLinkID_SACCH(0), pl));
+		L1CTL.send(ts_L1CTL_DATA_REQ(g_chan_nr, ts_RslLinkID_SACCH(0),
+			f_pad_oct(pl, 23, '2B'O)));
 		repeat;
 		}
 }
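Review bot: the padded send in the SACCH branch only covers frames that are too short. `pl` is '0000'O plus an encoded measurement report, and nothing visible here bounds it from above at 23 octets. Consider logging or failing the test when lengthof(pl) exceeds 23, so an over-long frame is caught in the test suite instead of being handed to trxcon.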
@@ -1163,7 +1164,8 @@
 	[] L1CTL.receive(tr_L1CTL_DATA_IND(g_chan_nr, tr_RslLinkID_DCCH(?))) -> value l1_dl {
 		log("DCCH received: ", l1_dl.payload.data_ind.payload);
 		var octetstring pl := '010301'O;
-		L1CTL.send(ts_L1CTL_DATA_REQ(g_chan_nr, ts_RslLinkID_DCCH(0), pl));
+		L1CTL.send(ts_L1CTL_DATA_REQ(g_chan_nr, ts_RslLinkID_DCCH(0),
+			f_pad_oct(pl, 23, '2B'O)));
 		repeat;
 		}
 }
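Review bot: `f_pad_oct(pl, 23, '2B'O)` in the DCCH branch repeats the literal length and fill octet already used in the SACCH branch above. A module-level constant for the 23-octet frame length and the '2B'O fill, or a small wrapper around the send, would keep the call sites in step and give one place for a comment explaining why the padding is needed.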
@@ -3222,6 +3224,10 @@
 		/* prepend dummy L1 header */
 		l2 := '0000'O & l2;
 	}
+
+	/* If required, pad L2 frame with constant 0x2b filling */
+	l2 := f_pad_oct(l2, 23, '2B'O);
+
 	log("encoding ", l, " to ", l2);
 	L1CTL.send(ts_L1CTL_DATA_REQ(g_chan_nr, link_id, l2));
 }
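Review bot: the comment above `l2 := f_pad_oct(l2, 23, '2B'O);` says "If required" without saying what requires it. State that trxcon expects a full 23-octet frame and does not pad (OS#3415), and that the padding is applied after the '0000'O L1 header is prepended so that 23 is the total length sent in both cases.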

-- 
To view, visit https://gerrit.osmocom.org/10183
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-ttcn3-hacks
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I16cba4e4179456bebabf0638760af011a27fd333
Gerrit-Change-Number: 10183
Gerrit-PatchSet: 5
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Stefan Sperling <ssperling at sysmocom.de>
Gerrit-Reviewer: Vadim Yanitskiy <axilirator at gmail.com>
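
The length handling described in the commit message, as an added example that is not code from trxcon or osmo-ttcn3-hacks: the sender pads to 23 octets with 0x2b, and the receiver classifies a frame by length and refuses anything that is neither a full signalling frame nor a speech frame. The names `l2_pad`, `l2_classify` and the caller-supplied `speech_len` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define L2_FRAME_LEN 23   /* LAPDm frame length from the commit message */
#define L2_FILL      0x2b /* fill octet used by the patch */

enum l2_kind { L2_REJECT, L2_SIGNALLING, L2_SPEECH };

/* Sender side: pad a short frame to L2_FRAME_LEN with L2_FILL, as the
 * patch does with f_pad_oct(pl, 23, '2B'O). Rejecting over-long input
 * is a choice made for this example. Returns 0 on success, -1 on error. */
int l2_pad(uint8_t out[L2_FRAME_LEN], const uint8_t *in, size_t in_len)
{
	if (out == NULL || in == NULL || in_len > L2_FRAME_LEN)
		return -1;
	memcpy(out, in, in_len);
	memset(out + in_len, L2_FILL, L2_FRAME_LEN - in_len);
	return 0;
}

/* Receiver side: decide from the length what a frame is before it reaches
 * an encoder that reads a fixed number of bytes. speech_len is supplied by
 * the caller (assumption); pass 0 for channels that carry no speech. */
enum l2_kind l2_classify(size_t len, size_t speech_len)
{
	if (len == L2_FRAME_LEN)
		return L2_SIGNALLING;
	if (speech_len != 0 && len == speech_len)
		return L2_SPEECH;
	return L2_REJECT; /* short or odd-sized: never hand it to the encoder */
}

int main(void)
{
	const uint8_t pl[] = { 0x01, 0x03, 0x01 }; /* payload from the second hunk */
	uint8_t frame[L2_FRAME_LEN];

	if (l2_classify(sizeof(pl), 0) != L2_REJECT) /* unpadded: refused */
		return 1;
	if (l2_pad(frame, pl, sizeof(pl)) != 0)
		return 1;
	return l2_classify(sizeof(frame), 0) == L2_SIGNALLING ? 0 : 1;
}
```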