<p>daniel <strong>submitted</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmo-gbproxy/+/26374">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, but someone else must approve
  fixeria: Looks good to me, but someone else must approve
  daniel: Looks good to me, approved

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">gbproxy: Fix crash when FLUSH_LL_ACK does not contain a BVCI IE<br><br>The BVCI IE is listed as conditional and is only included if the flush<br>action indicates that LLC-PDUs are transferred. (3GPP TS 48.018 Ch.<br>10.4.2).<br><br>The code in gbprox_rx_sig_from_bss unconditionally tries to get a BVCI<br>from a FLUSH_LL message which could result in a segfault if no such IE<br>is included. Routing towards the SGSN can happen simply based on TLLI (for pooling)<br>since there is only one signalling BVC towards the SGSN.<br><br>Related: OS#5332<br>Change-Id: I659f9c925bb38b8cf2348b84b976142d8d4693f7<br>---<br>M src/gb_proxy.c<br>1 file changed, 18 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/gb_proxy.c b/src/gb_proxy.c</span><br><span>index fbb6e79..d6d760f 100644</span><br><span>--- a/src/gb_proxy.c</span><br><span>+++ b/src/gb_proxy.c</span><br><span>@@ -1151,15 +1151,27 @@</span><br><span>                 rc = gbprox_rx_rim_from_bss(tp, nse, msg, log_pfx, pdut_name);</span><br><span>               break;</span><br><span>       case BSSGP_PDUT_LLC_DISCARD:</span><br><span style="color: hsl(0, 100%, 40%);">-    case BSSGP_PDUT_FLUSH_LL_ACK:</span><br><span>                /* route based on BVCI + TLLI */</span><br><span>             ptp_bvci = ntohs(tlvp_val16_unal(&tp[0], BSSGP_IE_BVCI));</span><br><span>                tlli = osmo_load32be(TLVP_VAL(&tp[0], BSSGP_IE_TLLI));</span><br><span>           from_bvc = gbproxy_bvc_by_bvci(nse, ptp_bvci);</span><br><span>               if (!from_bvc)</span><br><span>                       goto err_no_bvc;</span><br><span style="color: hsl(0, 100%, 40%);">-                gbprox_bss2sgsn_tlli(from_bvc->cell, msg, &tlli, true);</span><br><span style="color: hsl(120, 100%, 40%);">+                rc = gbprox_bss2sgsn_tlli(from_bvc->cell, msg, &tlli, 
true);</span><br><span>          break;</span><br><span style="color: hsl(120, 100%, 40%);">+        case BSSGP_PDUT_FLUSH_LL_ACK:</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+             /* Route based on TLLI */</span><br><span style="color: hsl(120, 100%, 40%);">+             tlli = osmo_load32be(TLVP_VAL(&tp[0], BSSGP_IE_TLLI));</span><br><span style="color: hsl(120, 100%, 40%);">+            struct gbproxy_sgsn *sgsn = gbproxy_select_sgsn(nse->cfg, &tlli);</span><br><span style="color: hsl(120, 100%, 40%);">+              if (!sgsn) {</span><br><span style="color: hsl(120, 100%, 40%);">+                  rc = -EINVAL;</span><br><span style="color: hsl(120, 100%, 40%);">+                 break;</span><br><span style="color: hsl(120, 100%, 40%);">+                }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+           rc = gbprox_relay2nse(msg, sgsn->nse, 0);</span><br><span style="color: hsl(120, 100%, 40%);">+          break;</span><br><span style="color: hsl(120, 100%, 40%);">+        }</span><br><span>    case BSSGP_PDUT_PAGING_PS_REJECT:</span><br><span>    case BSSGP_PDUT_DUMMY_PAGING_PS_RESP:</span><br><span>        {</span><br><span>@@ -1459,6 +1471,10 @@</span><br><span>           rc = osmo_fsm_inst_dispatch(sgsn_bvc->fi, BSSGP_BVCFSM_E_RX_UNBLOCK_ACK, msg);</span><br><span>            break;</span><br><span>       case BSSGP_PDUT_FLUSH_LL:</span><br><span style="color: hsl(120, 100%, 40%);">+             /* TODO: If new BVCI is on different NSE we should remove the new BVCI so the</span><br><span style="color: hsl(120, 100%, 40%);">+          * message is interpreted as a request to delete the PDUs, not forward them.</span><br><span style="color: hsl(120, 100%, 40%);">+           * If we negotiate Inter-NSE re-routing or LCS-procedures we can also</span><br><span style="color: hsl(120, 100%, 40%);">+          * add the NSEI 
TLV to trigger re-routing the PDUs */</span><br><span>                /* simple case: BVCI IE is mandatory */</span><br><span>              bvci = ntohs(tlvp_val16_unal(&tp[0], BSSGP_IE_BVCI));</span><br><span>            sgsn_bvc = gbproxy_bvc_by_bvci(nse, bvci);</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-gbproxy/+/26374">change 26374</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-gbproxy/+/26374"/><meta itemprop="name" content="View Change"/></div></div>
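Review bot: In the new BSSGP_PDUT_FLUSH_LL_ACK case (first hunk), TLVP_VAL(&tp[0], BSSGP_IE_TLLI) is dereferenced with no presence or length check visible in the hunk, which is the same pattern that crashed on the missing BVCI IE. Unless the code above this switch already rejects a FLUSH_LL_ACK without a 4-byte TLLI, guard the read with TLVP_PRES_LEN(&tp[0], BSSGP_IE_TLLI, 4) and return an error otherwise. The retained BSSGP_PDUT_LLC_DISCARD case still reads BSSGP_IE_BVCI through tlvp_val16_unal unconditionally and deserves the same check. The !sgsn path sets rc = -EINVAL and breaks without logging; a log line using log_pfx and the TLLI would make dropped messages diagnosable. Minor style point: struct gbproxy_sgsn *sgsn is declared after the tlli assignment, so moving the declaration to the top of the braced block avoids mixing declarations and code.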

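Review bot: The TODO added above the BSSGP_PDUT_FLUSH_LL handling (second hunk) records that a FLUSH_LL whose new BVCI is on a different NSE is still forwarded unchanged, but it carries no tracker reference, so the gap is easy to lose. Add the issue number to the comment (the commit message cites OS#5332, if that is the right ticket). The unchanged comment just below says "simple case: BVCI IE is mandatory" while bvci is read with tlvp_val16_unal and no presence check is visible in the hunk; either note in the comment where that IE is validated or add the check next to the read.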
<div style="display:none"> Gerrit-Project: osmo-gbproxy </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I659f9c925bb38b8cf2348b84b976142d8d4693f7 </div>
<div style="display:none"> Gerrit-Change-Number: 26374 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: daniel <dwillmann@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: daniel <dwillmann@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-Reviewer: lynxis lazus <lynxis@fe80.eu> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>