<p>pespin has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-pcu/+/25044">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">tests/tbf: Fix null pointer access if slowly stepping with gdb<br><br>When slowly debugging test_tbf_dl_llc_loss, bssgp_tx_llc_discarded() may<br>trigger, submitting events to the libosmogb code. Since it didn't<br>properly set up the callback, it would end up in a null pointer<br>dereference when lib code tried to use backward-compatible API (which<br>was not set up properly either).<br><br>"""<br>TBF(TFI=0 TLLI=0xc0123456 DIR=DL STATE=ASSIGN) Discarding LLC PDU because lifetime limit reached, count=3 new_queue_size=0<br>BSSGP (BVCI=2234) Tx LLC-DISCARDED TLLI=0xc0123456, FRAMES=3, OCTETS=57<br>/git/libosmocore/src/gb/gprs_ns.c:271:2: runtime error: member access within null pointer of type 'struct gprs_ns_inst'<br>"""<br><br>"""<br>(gdb) bt<br> #0  0x00007ffff729cac0 in gprs_active_nsvc_by_nsei (nsi=nsi@entry=0x0, nsei=2234, bvci=bvci@entry=0)<br>    at /git/libosmocore/src/gb/gprs_ns.c:271<br> #1  0x00007ffff72b1fec in gprs_ns_sendmsg (nsi=0x0, msg=0x621000000160) at /git/libosmocore/src/gb/gprs_ns.c:1087<br> #2  0x00007ffff72d1803 in _gprs_ns_sendmsg (ctx=<optimized out>, msg=<optimized out>) at /git/libosmocore/src/gb/gprs_bssgp.c:80<br> #3  0x00007ffff730226f in bssgp_tx_llc_discarded (bctx=<optimized out>, tlli=<optimized out>, num_frames=<optimized out>, num_octets=<optimized out>)<br>    at /git/libosmocore/src/gb/gprs_bssgp_bss.c:249<br> #4  0x000055555588243e in gprs_rlcmac_dl_tbf::llc_dequeue (this=0x7ffff1622860, bctx=<optimized out>)<br>    at /git/osmo-pcu/src/tbf_dl.cpp:413<br>"""<br><br>Change-Id: Iee5bcf21afc8980a14f90f5b1ead6d2460a244ea<br>---<br>M tests/tbf/TbfTest.cpp<br>1 file changed, 41 insertions(+), 29 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull 
ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/44/25044/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/tests/tbf/TbfTest.cpp b/tests/tbf/TbfTest.cpp</span><br><span>index 5065e90..9515835 100644</span><br><span>--- a/tests/tbf/TbfTest.cpp</span><br><span>+++ b/tests/tbf/TbfTest.cpp</span><br><span>@@ -58,6 +58,18 @@</span><br><span> /* Measurements shared by all unit tests */</span><br><span> static struct pcu_l1_meas meas;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+int gprs_gp_send_test_cb(void *ctx, struct msgb *msg)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+     return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static gprs_pcu *prepare_pcu(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct gprs_pcu *pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+  bssgp_set_bssgp_callback(gprs_gp_send_test_cb, pcu->nsi);</span><br><span style="color: hsl(120, 100%, 40%);">+  return pcu;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static int bts_handle_rach(struct gprs_rlcmac_bts *bts, uint16_t ra, uint32_t Fn, int16_t qta)</span><br><span> {</span><br><span>      struct rach_ind_params rip = {</span><br><span>@@ -95,7 +107,7 @@</span><br><span> </span><br><span> static void test_tbf_tlli_update()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-      the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         GprsMs *ms, 
*ms_new;</span><br><span> </span><br><span>@@ -248,7 +260,7 @@</span><br><span> </span><br><span> static void test_tbf_final_ack(enum test_tbf_final_ack_mode test_mode)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-       the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint8_t ts_no = 4;</span><br><span>   unsigned i;</span><br><span>@@ -333,7 +345,7 @@</span><br><span> </span><br><span> static void test_tbf_delayed_release()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-    the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint8_t ts_no = 4;</span><br><span>   unsigned i;</span><br><span>@@ -403,7 +415,7 @@</span><br><span> </span><br><span> static void test_tbf_imsi()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-       the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint8_t ts_no = 4;</span><br><span>   uint8_t ms_class = 45;</span><br><span>@@ -464,7 +476,7 @@</span><br><span> </span><br><span> static void test_tbf_exhaustion()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-      the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         unsigned i;</span><br><span>  uint8_t ts_no = 4;</span><br><span>@@ -507,7 +519,7 @@</span><br><span> </span><br><span> static void 
test_tbf_dl_llc_loss()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint8_t ts_no = 4;</span><br><span>   uint8_t ms_class = 45;</span><br><span>@@ -1714,7 +1726,7 @@</span><br><span> </span><br><span> static void test_tbf_single_phase()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-  the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = DUMMY_FN; /* 17,25,9 */</span><br><span>@@ -1738,7 +1750,7 @@</span><br><span> </span><br><span> static void test_tbf_egprs_two_phase_puan(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-       the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 2654218;</span><br><span>@@ -1793,7 +1805,7 @@</span><br><span>  */</span><br><span> static void test_immediate_assign_rej_single_block()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-      the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint32_t fn = 2654218;</span><br><span>       uint16_t qta = 31;</span><br><span>@@ -1826,7 +1838,7 @@</span><br><span>  */</span><br><span> static void test_immediate_assign_rej_multi_block()</span><br><span> {</span><br><span 
style="color: hsl(0, 100%, 40%);">-   the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint32_t fn = 2654218;</span><br><span>       uint16_t qta = 31;</span><br><span>@@ -1867,7 +1879,7 @@</span><br><span> </span><br><span> static void test_tbf_two_phase()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 2654218;</span><br><span>@@ -1899,7 +1911,7 @@</span><br><span> </span><br><span> static void test_tbf_ra_update_rach()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-        the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 2654218;</span><br><span>@@ -1972,7 +1984,7 @@</span><br><span> </span><br><span> static void test_tbf_dl_flow_and_rach_two_phase()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-    the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 2654218;</span><br><span>@@ -2033,7 +2045,7 @@</span><br><span> </span><br><span> static void test_tbf_dl_flow_and_rach_single_phase()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span 
style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 2654218;</span><br><span>@@ -2093,7 +2105,7 @@</span><br><span> </span><br><span> static void test_tbf_dl_reuse()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-      the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 2654218;</span><br><span>@@ -2193,7 +2205,7 @@</span><br><span> </span><br><span> static void test_tbf_gprs_egprs()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-    the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint8_t ts_no = 4;</span><br><span>   uint8_t ms_class = 45;</span><br><span>@@ -2260,7 +2272,7 @@</span><br><span> </span><br><span> static void test_tbf_ws()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-    the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         GprsMs *ms;</span><br><span>  uint8_t ts_no = 4;</span><br><span>@@ -2305,7 +2317,7 @@</span><br><span> </span><br><span> static void test_tbf_update_ws(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-     the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 
0);</span><br><span>         GprsMs *ms;</span><br><span>  uint8_t ts_no = 4;</span><br><span>@@ -2349,7 +2361,7 @@</span><br><span> </span><br><span> static void test_tbf_puan_urbb_len(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 2654218;</span><br><span>@@ -2488,7 +2500,7 @@</span><br><span> </span><br><span> static void test_tbf_li_decoding(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-       the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 2654218;</span><br><span>@@ -2524,7 +2536,7 @@</span><br><span>  */</span><br><span> static void test_tbf_epdan_out_of_rx_window(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint8_t ms_class = 11;</span><br><span>       uint8_t egprs_ms_class = 11;</span><br><span>@@ -2615,7 +2627,7 @@</span><br><span> </span><br><span> static void test_tbf_egprs_two_phase_spb(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 
2654218;</span><br><span>@@ -2646,7 +2658,7 @@</span><br><span> </span><br><span> static void test_tbf_egprs_two_phase()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-       the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         int ts_no = 7;</span><br><span>       uint32_t fn = 2654218;</span><br><span>@@ -3074,7 +3086,7 @@</span><br><span> </span><br><span> static void test_tbf_egprs_retx_dl(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-     the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint8_t ts_no = 4;</span><br><span> </span><br><span>@@ -3102,7 +3114,7 @@</span><br><span> </span><br><span> static void test_tbf_egprs_spb_dl(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-      the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint8_t ts_no = 4;</span><br><span> </span><br><span>@@ -3132,7 +3144,7 @@</span><br><span> </span><br><span> static void test_tbf_egprs_dl()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-      the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint8_t ts_no = 4;</span><br><span>   int i;</span><br><span>@@ -3155,7 +3167,7 @@</span><br><span> </span><br><span> static void test_packet_access_rej_prr_no_other_tbfs()</span><br><span> {</span><br><span 
style="color: hsl(0, 100%, 40%);">-       the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint32_t fn = 2654218;</span><br><span>       int ts_no = 7;</span><br><span>@@ -3192,7 +3204,7 @@</span><br><span> </span><br><span> static void test_packet_access_rej_prr()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-     the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint32_t fn = 2654218;</span><br><span>       uint16_t qta = 31;</span><br><span>@@ -3262,7 +3274,7 @@</span><br><span> </span><br><span> void test_packet_access_rej_epdan()</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-      the_pcu = gprs_pcu_alloc(tall_pcu_ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+       the_pcu = prepare_pcu();</span><br><span>     struct gprs_rlcmac_bts *bts = bts_alloc(the_pcu, 0);</span><br><span>         uint32_t tlli = 0xffeeddcc;</span><br><span>  static uint8_t exp[] = { 0x40, 0x84, 0x7f, 0xf7, 0x6e, 0xe6, 0x7e, 0xab,</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-pcu/+/25044">change 25044</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-pcu/+/25044"/><meta itemprop="name" content="View Change"/></div></div>
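<p>Review bot: In the first hunk (@@ -58,6 +58,18 @@), gprs_gp_send_test_cb() returns 0 without touching msg; if the BSSGP send callback takes ownership of the msgb the way a real NS transmit path would, every LLC-DISCARDED the tests now emit leaks one msgb, so either add msgb_free(msg) before the return or confirm that the caller frees it on return. In the same hunk, prepare_pcu() dereferences pcu->nsi without checking the result of gprs_pcu_alloc(); an OSMO_ASSERT(pcu) would turn a failed allocation into a clear failure instead of another null dereference of the kind this change is fixing. Two style points: the callback is only referenced inside this file and could be static, and prepare_pcu() declares its return type as gprs_pcu * while its body spells the type struct gprs_pcu *; one spelling keeps it consistent with the rest of the file.</p>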

<div style="display:none"> Gerrit-Project: osmo-pcu </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Iee5bcf21afc8980a14f90f5b1ead6d2460a244ea </div>
<div style="display:none"> Gerrit-Change-Number: 25044 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>