<p>laforge <strong>submitted</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/15942">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  laforge: Looks good to me, but someone else must approve
  pespin: Looks good to me, approved
  Jenkins Builder: Verified

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">msc: add f_tc_invalid_mgcp_crash<br><br>Make sure that osmo-msc doesn't crash if a successful CRCX response contains an<br>invalid IP address.<br><br>Originally/recently, osmo-msc did not validate the IP addresses at all. In an<br>intermediate patch I added error handling, releasing the call. That uncovered a<br>use-after-free problem in libosmo-mgcp-client. This problem is fixed by<br>osmo_fsm_set_dealloc_ctx() and an osmo-mgw fix (see<br>I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3 in osmo-mgw).<br><br>Add this test to make sure the crash is not re-introduced.<br><br>Change-Id: I0c76b0a7a33a96a39a242ecd387ba3769161cf7a<br>---<br>M msc/BSC_ConnectionHandler.ttcn<br>M msc/MSC_Tests.ttcn<br>2 files changed, 40 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/msc/BSC_ConnectionHandler.ttcn b/msc/BSC_ConnectionHandler.ttcn</span><br><span>index a1c8bd3..0846c04 100644</span><br><span>--- a/msc/BSC_ConnectionHandler.ttcn</span><br><span>+++ b/msc/BSC_ConnectionHandler.ttcn</span><br><span>@@ -711,6 +711,7 @@</span><br><span>                                                         (f_mt_call and f_mt_call) */</span><br><span>      boolean stop_after_cc_setup,                    /* Special case: stop call establish after CC Setup */</span><br><span>       boolean ran_clear_when_alerting,                /* Special case: send Clear upon CC Alerting */</span><br><span style="color: hsl(120, 100%, 40%);">+       boolean expect_release,                         /* Special case: expect call establish to cause direct CC Rel */</span><br><span> </span><br><span>         MgcpCallId mgcp_call_id optional,               /* MGCP Call ID; CallAgent allocated */</span><br><span>      MgcpEndpoint mgcp_ep optional                   /* MGCP Endpoint, CallAgent or MGW allocated */,</span><br><span>@@ -749,6 +750,7 @@</span><br><span>   
    mgw_drop_dlcx := false,</span><br><span>      stop_after_cc_setup := false,</span><br><span>        ran_clear_when_alerting := false,</span><br><span style="color: hsl(120, 100%, 40%);">+     expect_release := false,</span><br><span>     mgcp_call_id := omit,</span><br><span>        mgcp_ep := "rtpbridge/1@mgw",</span><br><span>      use_osmux := false,</span><br><span>@@ -1210,6 +1212,8 @@</span><br><span>          tr_BSSMAP_IE_AoIP_TLA4(f_inet_addr(cpars.mgw_conn_1.mgw_rtp_ip), ?);</span><br><span> </span><br><span>     var default mdcx := activate(as_optional_mgcp_mdcx(cpars.mgw_conn_2.mgw_rtp_ip, cpars.mgw_conn_2.mgw_rtp_port));</span><br><span style="color: hsl(120, 100%, 40%);">+      var boolean got_mncc_setup_compl_ind := false;</span><br><span style="color: hsl(120, 100%, 40%);">+        var boolean got_cc_connect := false;</span><br><span> </span><br><span>     interleave {</span><br><span>         [] MNCC.receive(tr_MNCC_SETUP_ind(?, tr_MNCC_number(hex2str(cpars.called_party)))) -> value mncc {</span><br><span>@@ -1347,15 +1351,27 @@</span><br><span> </span><br><span>  [] MNCC.receive(tr_MNCC_SETUP_COMPL_ind(?)) -> value mncc {</span><br><span>               log("f_mo_call_establish 8: rx MNCC SETUP COMPLETE ind");</span><br><span style="color: hsl(120, 100%, 40%);">+           got_mncc_setup_compl_ind := true;</span><br><span style="color: hsl(120, 100%, 40%);">+             if (not cpars.expect_release and got_cc_connect) {</span><br><span style="color: hsl(120, 100%, 40%);">+                    break;</span><br><span style="color: hsl(120, 100%, 40%);">+                }</span><br><span>            }</span><br><span> </span><br><span>        [] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_CONNECT(cpars.transaction_id))) {</span><br><span>               log("f_mo_call_establish 10: rx CC CONNECT");</span><br><span>              BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_CONNECT_ACK(cpars.transaction_id)));</span><br><span style="color: hsl(120, 100%, 
40%);">+           got_cc_connect := true;</span><br><span style="color: hsl(120, 100%, 40%);">+               if (not cpars.expect_release and got_mncc_setup_compl_ind) {</span><br><span style="color: hsl(120, 100%, 40%);">+                  break;</span><br><span style="color: hsl(120, 100%, 40%);">+                }</span><br><span>            }</span><br><span> </span><br><span>        [] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_RELEASE(cpars.transaction_id))) {</span><br><span>               log("f_mo_call_establish 11: rx CC RELEASE");</span><br><span style="color: hsl(120, 100%, 40%);">+               if (not cpars.expect_release) {</span><br><span style="color: hsl(120, 100%, 40%);">+                       setverdict(fail, "Got unexpected CC Release");</span><br><span style="color: hsl(120, 100%, 40%);">+                      mtc.stop;</span><br><span style="color: hsl(120, 100%, 40%);">+             }</span><br><span>            f_expect_clear();</span><br><span>            break;</span><br><span>               }</span><br><span>diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn</span><br><span>index 4ef592f..480ec96 100644</span><br><span>--- a/msc/MSC_Tests.ttcn</span><br><span>+++ b/msc/MSC_Tests.ttcn</span><br><span>@@ -5662,6 +5662,29 @@</span><br><span>      vc_conn.done;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+friend function f_tc_invalid_mgcp_crash(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {</span><br><span style="color: hsl(120, 100%, 40%);">+  f_init_handler(pars);</span><br><span style="color: hsl(120, 100%, 40%);">+ var CallParameters cpars := valueof(t_CallParams('12345'H, 0));</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+     /* Set invalid IP address so that osmo-msc discards the rtp_stream and MGCP endpoint FSM instances in the middle</span><br><span style="color: hsl(120, 100%, 40%);">+       * of successful 
MGCP response dispatch. If things aren't safeguarded, the on_success() in osmo_mgcpc_ep_fsm</span><br><span style="color: hsl(120, 100%, 40%);">+       * will cause a use-after-free after that event dispatch. */</span><br><span style="color: hsl(120, 100%, 40%);">+  cpars.mgw_conn_1.mgw_rtp_ip := "0.0.0.0";</span><br><span style="color: hsl(120, 100%, 40%);">+   cpars.mgw_conn_2.mgw_rtp_ip := "0.0.0.0";</span><br><span style="color: hsl(120, 100%, 40%);">+   cpars.rtp_sdp_format := "FOO/8000";</span><br><span style="color: hsl(120, 100%, 40%);">+ cpars.expect_release := true;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+       f_perform_lu();</span><br><span style="color: hsl(120, 100%, 40%);">+       f_mo_call_establish(cpars);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+testcase TC_invalid_mgcp_crash() runs on MTC_CT {</span><br><span style="color: hsl(120, 100%, 40%);">+     var BSC_ConnHdlr vc_conn;</span><br><span style="color: hsl(120, 100%, 40%);">+     f_init();</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   vc_conn := f_start_handler(refers(f_tc_invalid_mgcp_crash), 7);</span><br><span style="color: hsl(120, 100%, 40%);">+       vc_conn.done;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> control {</span><br><span>      execute( TC_cr_before_reset() );</span><br><span>     execute( TC_lu_imsi_noauth_tmsi() );</span><br><span>@@ -5792,6 +5815,7 @@</span><br><span>         if (mp_enable_osmux_test) {</span><br><span>          execute( TC_lu_and_mt_call_osmux() );</span><br><span>        }</span><br><span style="color: hsl(120, 100%, 40%);">+     execute( TC_invalid_mgcp_crash() );</span><br><span> }</span><br><span> </span><br><span> </span><br><span></span><br></pre><p>To view, visit <a 
href="https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/15942">change 15942</a>.</p>
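Review bot: in msc/BSC_ConnectionHandler.ttcn, hunk @@ -1347,15 +1351,27 @@, the expect_release := true case has no failure path when the call connects anyway. Both new guards read "if (not cpars.expect_release and got_cc_connect)" and "if (not cpars.expect_release and got_mncc_setup_compl_ind)", so with expect_release set, receiving MNCC SETUP COMPLETE and CC CONNECT neither breaks out of the interleave nor sets a verdict, and the function keeps waiting for a CC RELEASE that may never arrive. Nothing in the visible lines bounds that wait, so a regression where osmo-msc accepts the invalid address would only show up as a timeout elsewhere, if at all. Consider mirroring the CC RELEASE branch: when cpars.expect_release is true and both flags are set, call setverdict(fail, ...) with a message such as "Call established but CC Release was expected" and stop. Parenthesising "(not cpars.expect_release)" would also make the intended grouping obvious to readers.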
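Review bot: in msc/MSC_Tests.ttcn, hunk @@ -5662,6 +5662,29 @@, the comment in f_tc_invalid_mgcp_crash documents only the invalid IP address, but the function also sets cpars.rtp_sdp_format := "FOO/8000" without explanation. If the bogus SDP format is needed to reach the release path, say so in the comment. If it is not, drop it so that the test isolates the "0.0.0.0" case named in the commit message and a later failure can be attributed to one input. As a style point, add a blank line between the closing brace of f_tc_invalid_mgcp_crash and "testcase TC_invalid_mgcp_crash()", matching the spacing used before the function.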

<div style="display:none"> Gerrit-Project: osmo-ttcn3-hacks </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I0c76b0a7a33a96a39a242ecd387ba3769161cf7a </div>
<div style="display:none"> Gerrit-Change-Number: 15942 </div>
<div style="display:none"> Gerrit-PatchSet: 4 </div>
<div style="display:none"> Gerrit-Owner: neels <nhofmeyr@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-Reviewer: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>