Change in ...osmo-msc[master]: fix segfault: don't send CC REL on NULL msc_a

laforge gerrit-no-reply at lists.osmocom.org
Thu Aug 29 05:42:03 UTC 2019


laforge has submitted this change and it was merged. ( https://gerrit.osmocom.org/c/osmo-msc/+/15314 )

Change subject: fix segfault: don't send CC REL on NULL msc_a
......................................................................

fix segfault: don't send CC REL on NULL msc_a

Apparently, if a conn disappears during an ongoing call, the CC code tried to
send a CC REL on a NULL msc_a during cleanup, which lead to a crash
(cccamp2019). Guard against that.

Crash:

 #0  msc_a_tx_dtap_to_i (msc_a=0x0, dtap=0x55a4bf2fa0f0) at ../../../../src/osmo-msc/src/libmsc/msc_a.c:1565
 #1  0x000055a4be1bb03c in trans_tx_gsm48 (trans=0x55a4bf2d52a0, trans=0x55a4bf2d52a0, trans=0x55a4bf2d52a0, msg=<optimized out>)
     at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:82
 #2  gsm48_cc_tx_release (trans=trans at entry=0x55a4bf2d52a0, arg=arg at entry=0x7ffdd731a0e0) at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:1101
 #3  0x000055a4be1bee65 in _gsm48_cc_trans_free (trans=trans at entry=0x55a4bf2d52a0) at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:278
 #4  0x000055a4be1ab654 in trans_free (trans=trans at entry=0x55a4bf2d52a0) at ../../../../src/osmo-msc/src/libmsc/transaction.c:170
 #5  0x000055a4be1bd091 in mncc_tx_to_gsm_cc (net=<optimized out>, msg=msg at entry=0x55a4bf2d3b68)
     at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:1971
 #6  0x000055a4be1bf1e5 in mncc_tx_to_cc (net=<optimized out>, arg=arg at entry=0x55a4bf2d3b68)
     at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:2049
 #7  0x000055a4be18ed63 in mncc_sock_read (bfd=0x55a4bf2563b8, bfd=0x55a4bf2563b8) at ../../../../src/osmo-msc/src/libmsc/mncc_sock.c:121
 #8  mncc_sock_cb (bfd=0x55a4bf2563b8, flags=1) at ../../../../src/osmo-msc/src/libmsc/mncc_sock.c:189
 #9  0x00007fcfad607ce1 in osmo_fd_disp_fds (_eset=0x7ffdd731a9a0, _wset=0x7ffdd731a920, _rset=0x7ffdd731a8a0)
     at ../../../src/libosmocore/src/select.c:223
 #10 osmo_select_main (polling=<optimized out>) at ../../../src/libosmocore/src/select.c:263
 #11 0x000055a4be17dd56 in main (argc=3, argv=<optimized out>) at ../../../../src/osmo-msc/src/osmo-msc/msc_main.c:723

Change-Id: Ia1bb0410ad0618c182a5f6da06af342b6d483eff
---
M src/libmsc/gsm_04_08_cc.c
M src/libmsc/msc_a.c
2 files changed, 19 insertions(+), 2 deletions(-)

Approvals:
  laforge: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/libmsc/gsm_04_08_cc.c b/src/libmsc/gsm_04_08_cc.c
index a1fea9a..ba6a197 100644
--- a/src/libmsc/gsm_04_08_cc.c
+++ b/src/libmsc/gsm_04_08_cc.c
@@ -1076,8 +1076,16 @@
 static int gsm48_cc_tx_release(struct gsm_trans *trans, void *arg)
 {
 	struct gsm_mncc *rel = arg;
-	struct msgb *msg = gsm48_msgb_alloc_name("GSM 04.08 CC REL");
-	struct gsm48_hdr *gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh));
+	struct msgb *msg;
+	struct gsm48_hdr *gh;
+
+	if (!trans->msc_a) {
+		LOG_TRANS(trans, LOGL_DEBUG, "Cannot send CC REL, there is no MSC-A connection\n");
+		return -EINVAL;
+	}
+
+	msg = gsm48_msgb_alloc_name("GSM 04.08 CC REL");
+	gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh));
 
 	gh->msg_type = GSM48_MT_CC_RELEASE;
 
diff --git a/src/libmsc/msc_a.c b/src/libmsc/msc_a.c
index 553761f..b3e2e32 100644
--- a/src/libmsc/msc_a.c
+++ b/src/libmsc/msc_a.c
@@ -1562,6 +1562,15 @@
 {
 	struct ran_msg ran_msg;
 
+	if (!msc_a) {
+		struct gsm48_hdr *gh = msgb_l3(dtap) ? : dtap->data;
+		uint8_t pdisc = gsm48_hdr_pdisc(gh);
+		LOGP(DMSC, LOGL_ERROR, "Attempt to send DTAP to NULL MSC-A, dropping message: %s %s\n",
+		     gsm48_pdisc_name(pdisc), gsm48_pdisc_msgtype_name(pdisc, gsm48_hdr_msg_type(gh)));
+		msgb_free(dtap);
+		return -EIO;
+	}
+
 	if (msc_a->c.ran->type == OSMO_RAT_EUTRAN_SGS) {
 		/* The SGs connection to the MME always is at the MSC-A. */
 		return sgs_iface_tx_dtap_ud(msc_a, dtap);

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/15314
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: Ia1bb0410ad0618c182a5f6da06af342b6d483eff
Gerrit-Change-Number: 15314
Gerrit-PatchSet: 2
Gerrit-Owner: neels <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at gnumonks.org>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190829/9879bc01/attachment.html>


More information about the gerrit-log mailing list