Change in osmo-pcu[master]: tests/tbf: Fix null pointer access if slowly stepping with gdb

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

pespin gerrit-no-reply at lists.osmocom.org
Mon Jul 26 12:51:01 UTC 2021


pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-pcu/+/25044 )


Change subject: tests/tbf: Fix null pointer access if slowly stepping with gdb
......................................................................

tests/tbf: Fix null pointer access if slowly stepping with gdb

When slowly debugging test_tbf_dl_llc_loss, bssgp_tx_llc_discarded() may
trigger, submitting events to the libosmogb code. Since it didn't
properly set up the callback, it would end up in a null pointer
dereference when lib code tried to use backward-compatible API (which
was neither set up properly).

"""
TBF(TFI=0 TLLI=0xc0123456 DIR=DL STATE=ASSIGN) Discarding LLC PDU because lifetime limit reached, count=3 new_queue_size=0
BSSGP (BVCI=2234) Tx LLC-DISCARDED TLLI=0xc0123456, FRAMES=3, OCTETS=57
/git/libosmocore/src/gb/gprs_ns.c:271:2: runtime error: member access within null pointer of type 'struct gprs_ns_inst'
"""

"""
(gdb) bt
 #0  0x00007ffff729cac0 in gprs_active_nsvc_by_nsei (nsi=nsi at entry=0x0, nsei=2234, bvci=bvci at entry=0)
    at /git/libosmocore/src/gb/gprs_ns.c:271
 #1  0x00007ffff72b1fec in gprs_ns_sendmsg (nsi=0x0, msg=0x621000000160) at /git/libosmocore/src/gb/gprs_ns.c:1087
 #2  0x00007ffff72d1803 in _gprs_ns_sendmsg (ctx=<optimized out>, msg=<optimized out>) at /git/libosmocore/src/gb/gprs_bssgp.c:80
 #3  0x00007ffff730226f in bssgp_tx_llc_discarded (bctx=<optimized out>, tlli=<optimized out>, num_frames=<optimized out>, num_octets=<optimized out>)
    at /git/libosmocore/src/gb/gprs_bssgp_bss.c:249
 #4  0x000055555588243e in gprs_rlcmac_dl_tbf::llc_dequeue (this=0x7ffff1622860, bctx=<optimized out>)
    at /git/osmo-pcu/src/tbf_dl.cpp:413
"""

Change-Id: Iee5bcf21afc8980a14f90f5b1ead6d2460a244ea
---
M tests/tbf/TbfTest.cpp
1 file changed, 41 insertions(+), 29 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/44/25044/1

diff --git a/tests/tbf/TbfTest.cpp b/tests/tbf/TbfTest.cpp
index 5065e90..9515835 100644
--- a/tests/tbf/TbfTest.cpp
+++ b/tests/tbf/TbfTest.cpp
@@ -58,6 +58,18 @@
 /* Measurements shared by all unit tests */
 static struct pcu_l1_meas meas;
 
+int gprs_gp_send_test_cb(void *ctx, struct msgb *msg)
+{
+	return 0;
+}
+
+static gprs_pcu *prepare_pcu(void)
+{
+	struct gprs_pcu *pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	bssgp_set_bssgp_callback(gprs_gp_send_test_cb, pcu->nsi);
+	return pcu;
+}
+
 static int bts_handle_rach(struct gprs_rlcmac_bts *bts, uint16_t ra, uint32_t Fn, int16_t qta)
 {
 	struct rach_ind_params rip = {
@@ -95,7 +107,7 @@
 
 static void test_tbf_tlli_update()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	GprsMs *ms, *ms_new;
 
@@ -248,7 +260,7 @@
 
 static void test_tbf_final_ack(enum test_tbf_final_ack_mode test_mode)
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint8_t ts_no = 4;
 	unsigned i;
@@ -333,7 +345,7 @@
 
 static void test_tbf_delayed_release()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint8_t ts_no = 4;
 	unsigned i;
@@ -403,7 +415,7 @@
 
 static void test_tbf_imsi()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint8_t ts_no = 4;
 	uint8_t ms_class = 45;
@@ -464,7 +476,7 @@
 
 static void test_tbf_exhaustion()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	unsigned i;
 	uint8_t ts_no = 4;
@@ -507,7 +519,7 @@
 
 static void test_tbf_dl_llc_loss()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint8_t ts_no = 4;
 	uint8_t ms_class = 45;
@@ -1714,7 +1726,7 @@
 
 static void test_tbf_single_phase()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = DUMMY_FN; /* 17,25,9 */
@@ -1738,7 +1750,7 @@
 
 static void test_tbf_egprs_two_phase_puan(void)
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -1793,7 +1805,7 @@
  */
 static void test_immediate_assign_rej_single_block()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint32_t fn = 2654218;
 	uint16_t qta = 31;
@@ -1826,7 +1838,7 @@
  */
 static void test_immediate_assign_rej_multi_block()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint32_t fn = 2654218;
 	uint16_t qta = 31;
@@ -1867,7 +1879,7 @@
 
 static void test_tbf_two_phase()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -1899,7 +1911,7 @@
 
 static void test_tbf_ra_update_rach()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -1972,7 +1984,7 @@
 
 static void test_tbf_dl_flow_and_rach_two_phase()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -2033,7 +2045,7 @@
 
 static void test_tbf_dl_flow_and_rach_single_phase()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -2093,7 +2105,7 @@
 
 static void test_tbf_dl_reuse()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -2193,7 +2205,7 @@
 
 static void test_tbf_gprs_egprs()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint8_t ts_no = 4;
 	uint8_t ms_class = 45;
@@ -2260,7 +2272,7 @@
 
 static void test_tbf_ws()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	GprsMs *ms;
 	uint8_t ts_no = 4;
@@ -2305,7 +2317,7 @@
 
 static void test_tbf_update_ws(void)
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	GprsMs *ms;
 	uint8_t ts_no = 4;
@@ -2349,7 +2361,7 @@
 
 static void test_tbf_puan_urbb_len(void)
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -2488,7 +2500,7 @@
 
 static void test_tbf_li_decoding(void)
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -2524,7 +2536,7 @@
  */
 static void test_tbf_epdan_out_of_rx_window(void)
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint8_t ms_class = 11;
 	uint8_t egprs_ms_class = 11;
@@ -2615,7 +2627,7 @@
 
 static void test_tbf_egprs_two_phase_spb(void)
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -2646,7 +2658,7 @@
 
 static void test_tbf_egprs_two_phase()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	int ts_no = 7;
 	uint32_t fn = 2654218;
@@ -3074,7 +3086,7 @@
 
 static void test_tbf_egprs_retx_dl(void)
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint8_t ts_no = 4;
 
@@ -3102,7 +3114,7 @@
 
 static void test_tbf_egprs_spb_dl(void)
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint8_t ts_no = 4;
 
@@ -3132,7 +3144,7 @@
 
 static void test_tbf_egprs_dl()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint8_t ts_no = 4;
 	int i;
@@ -3155,7 +3167,7 @@
 
 static void test_packet_access_rej_prr_no_other_tbfs()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint32_t fn = 2654218;
 	int ts_no = 7;
@@ -3192,7 +3204,7 @@
 
 static void test_packet_access_rej_prr()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint32_t fn = 2654218;
 	uint16_t qta = 31;
@@ -3262,7 +3274,7 @@
 
 void test_packet_access_rej_epdan()
 {
-	the_pcu = gprs_pcu_alloc(tall_pcu_ctx);
+	the_pcu = prepare_pcu();
 	struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);
 	uint32_t tlli = 0xffeeddcc;
 	static uint8_t exp[] = { 0x40, 0x84, 0x7f, 0xf7, 0x6e, 0xe6, 0x7e, 0xab,

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/25044
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-Change-Id: Iee5bcf21afc8980a14f90f5b1ead6d2460a244ea
Gerrit-Change-Number: 25044
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20210726/68b62515/attachment.htm>


More information about the gerrit-log mailing list