<p>laforge <strong>merged</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmo-msc/+/15314">View Change</a></p><div style="white-space:pre-wrap">Approvals:
laforge: Looks good to me, approved
Jenkins Builder: Verified
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">fix segfault: don't send CC REL on NULL msc_a<br><br>Apparently, if a conn disappears during an ongoing call, the CC code tried to<br>send a CC REL on a NULL msc_a during cleanup, which lead to a crash<br>(cccamp2019). Guard against that.<br><br>Crash:<br><br> #0 msc_a_tx_dtap_to_i (msc_a=0x0, dtap=0x55a4bf2fa0f0) at ../../../../src/osmo-msc/src/libmsc/msc_a.c:1565<br> #1 0x000055a4be1bb03c in trans_tx_gsm48 (trans=0x55a4bf2d52a0, trans=0x55a4bf2d52a0, trans=0x55a4bf2d52a0, msg=<optimized out>)<br> at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:82<br> #2 gsm48_cc_tx_release (trans=trans@entry=0x55a4bf2d52a0, arg=arg@entry=0x7ffdd731a0e0) at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:1101<br> #3 0x000055a4be1bee65 in _gsm48_cc_trans_free (trans=trans@entry=0x55a4bf2d52a0) at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:278<br> #4 0x000055a4be1ab654 in trans_free (trans=trans@entry=0x55a4bf2d52a0) at ../../../../src/osmo-msc/src/libmsc/transaction.c:170<br> #5 0x000055a4be1bd091 in mncc_tx_to_gsm_cc (net=<optimized out>, msg=msg@entry=0x55a4bf2d3b68)<br> at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:1971<br> #6 0x000055a4be1bf1e5 in mncc_tx_to_cc (net=<optimized out>, arg=arg@entry=0x55a4bf2d3b68)<br> at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:2049<br> #7 0x000055a4be18ed63 in mncc_sock_read (bfd=0x55a4bf2563b8, bfd=0x55a4bf2563b8) at ../../../../src/osmo-msc/src/libmsc/mncc_sock.c:121<br> #8 mncc_sock_cb (bfd=0x55a4bf2563b8, flags=1) at ../../../../src/osmo-msc/src/libmsc/mncc_sock.c:189<br> #9 0x00007fcfad607ce1 in osmo_fd_disp_fds (_eset=0x7ffdd731a9a0, _wset=0x7ffdd731a920, _rset=0x7ffdd731a8a0)<br> at ../../../src/libosmocore/src/select.c:223<br> #10 osmo_select_main (polling=<optimized out>) at ../../../src/libosmocore/src/select.c:263<br> #11 0x000055a4be17dd56 in main (argc=3, argv=<optimized out>) at ../../../../src/osmo-msc/src/osmo-msc/msc_main.c:723<br><br>Change-Id: Ia1bb0410ad0618c182a5f6da06af342b6d483eff<br>---<br>M src/libmsc/gsm_04_08_cc.c<br>M src/libmsc/msc_a.c<br>2 files changed, 19 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/libmsc/gsm_04_08_cc.c b/src/libmsc/gsm_04_08_cc.c</span><br><span>index a1fea9a..ba6a197 100644</span><br><span>--- a/src/libmsc/gsm_04_08_cc.c</span><br><span>+++ b/src/libmsc/gsm_04_08_cc.c</span><br><span>@@ -1076,8 +1076,16 @@</span><br><span> static int gsm48_cc_tx_release(struct gsm_trans *trans, void *arg)</span><br><span> {</span><br><span> struct gsm_mncc *rel = arg;</span><br><span style="color: hsl(0, 100%, 40%);">- struct msgb *msg = gsm48_msgb_alloc_name("GSM 04.08 CC REL");</span><br><span style="color: hsl(0, 100%, 40%);">- struct gsm48_hdr *gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh));</span><br><span style="color: hsl(120, 100%, 40%);">+ struct msgb *msg;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct gsm48_hdr *gh;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!trans->msc_a) {</span><br><span style="color: hsl(120, 100%, 40%);">+ LOG_TRANS(trans, LOGL_DEBUG, "Cannot send CC REL, there is no MSC-A connection\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -EINVAL;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ msg = gsm48_msgb_alloc_name("GSM 04.08 CC REL");</span><br><span style="color: hsl(120, 100%, 40%);">+ gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh));</span><br><span> </span><br><span> gh->msg_type = GSM48_MT_CC_RELEASE;</span><br><span> </span><br><span>diff --git a/src/libmsc/msc_a.c b/src/libmsc/msc_a.c</span><br><span>index 553761f..b3e2e32 100644</span><br><span>--- a/src/libmsc/msc_a.c</span><br><span>+++ b/src/libmsc/msc_a.c</span><br><span>@@ -1562,6 +1562,15 @@</span><br><span> {</span><br><span> struct ran_msg ran_msg;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (!msc_a) {</span><br><span style="color: hsl(120, 100%, 40%);">+ struct gsm48_hdr *gh = msgb_l3(dtap) ? : dtap->data;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t pdisc = gsm48_hdr_pdisc(gh);</span><br><span style="color: hsl(120, 100%, 40%);">+ LOGP(DMSC, LOGL_ERROR, "Attempt to send DTAP to NULL MSC-A, dropping message: %s %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ gsm48_pdisc_name(pdisc), gsm48_pdisc_msgtype_name(pdisc, gsm48_hdr_msg_type(gh)));</span><br><span style="color: hsl(120, 100%, 40%);">+ msgb_free(dtap);</span><br><span style="color: hsl(120, 100%, 40%);">+ return -EIO;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if (msc_a->c.ran->type == OSMO_RAT_EUTRAN_SGS) {</span><br><span> /* The SGs connection to the MME always is at the MSC-A. */</span><br><span> return sgs_iface_tx_dtap_ud(msc_a, dtap);</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-msc/+/15314">change 15314</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-msc/+/15314"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: osmo-msc </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Ia1bb0410ad0618c182a5f6da06af342b6d483eff </div>
<div style="display:none"> Gerrit-Change-Number: 15314 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: neels <nhofmeyr@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>