fixeria has uploaded this change for review.


msc: add TC_silent_call_start_stop

This testcase triggers a use-after-free in osmo-msc.

Change-Id: I3ef22fbb5a05f69cc8aea7f42e05f6e1d6c4a8b6
Related: osmo-msc.git I93913d189800d71f82c013b6e946bd63db362f65
---
M msc/MSC_Tests.ttcn
M msc/expected-results.xml
2 files changed, 51 insertions(+), 0 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/63/40863/1
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index 4a7acdc..46fdd4d 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -7710,6 +7710,52 @@
setverdict(pass);
}

+/* Bug reproducer for https://gerrit.osmocom.org/c/osmo-msc/+/40852.
+ * Start and stop a silent call while there's an active connection. */
+private function f_TC_silent_call_start_stop(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
+ var charstring cmd, resp;
+
+ f_init_handler(pars);
+
+ cmd := "subscriber imsi " & hex2str(g_pars.imsi) & " silent-call ";
+
+ f_perform_lu();
+ f_ran_register_imsi(g_pars.imsi, g_pars.tmsi);
+
+ /* The MS establishes a connection (e.g. for periodic Location Updating) */
+ f_establish_fully();
+
+ /* Meanwhile, a silent call is being initiated from the VTY */
+ MSCVTY.send(cmd & "start any signalling");
+ resp := f_vty_wait_for_prompt(MSCVTY);
+ if (resp != "% Silent call initiated") {
+ setverdict(fail, "VTY: Unexpected response: ", resp);
+ }
+
+ /* XXX: The MSC pages the MS, even though there is an active connection?!? */
+ f_expect_paging();
+
+ /* A silent call is being stopped from the VTY */
+ MSCVTY.send(cmd & "stop");
+ resp := f_vty_wait_for_prompt(MSCVTY);
+ if (resp != "% Silent call ended\n% Silent call stopped") {
+ setverdict(fail, "VTY: Unexpected response: ", resp);
+ }
+
+ f_sleep(10.0); /* timer X4 is 10s */
+
+ /* ... osmo-msc crashes after paging timeout ... */
+
+ f_expect_clear();
+}
+testcase TC_silent_call_start_stop() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+ f_init();
+
+ vc_conn := f_start_handler(refers(f_TC_silent_call_start_stop), 30);
+ vc_conn.done;
+}
+
control {
execute( TC_cr_before_reset() );
execute( TC_lu_imsi_noauth_tmsi() );
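Review bot: The two VTY response checks in f_TC_silent_call_start_stop set a fail verdict but let the handler keep running, so a wrong reply to `start any signalling` is followed by f_expect_paging() and the 10 s sleep, and the test most likely ends on the 30 s handler timeout rather than on the real cause. Stopping the component right after the verdict, `setverdict(fail, "VTY: Unexpected response: ", resp); mtc.stop;`, in both branches keeps the first failure as the reported one; the file's Misc_Helpers shutdown helper would serve the same purpose if that is the local convention. The fixed `f_sleep(10.0)` also sits exactly on the X4 timer value quoted in its comment, so whether f_expect_clear() observes the post-timeout behaviour depends on scheduling; a short margin, or a comment stating that the sleep is meant to land after the paging timeout, would make the intent explicit. Both the 10 s figure for X4 and the paging-on-active-connection remark at the XXX line are inferred from the hunk's own comments and should be confirmed against the MSC configuration.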
@@ -7910,6 +7956,10 @@
if (Misc_Helpers.f_osmo_repo_is("nightly")) {
execute( TC_stat_bsc_sctp_disconnected() );
}
+
+ if (Misc_Helpers.f_osmo_repo_is("nightly")) {
+ execute( TC_silent_call_start_stop() );
+ }
}


diff --git a/msc/expected-results.xml b/msc/expected-results.xml
index 7a5066d..7070662 100644
--- a/msc/expected-results.xml
+++ b/msc/expected-results.xml
@@ -177,6 +177,7 @@
<testcase classname='MSC_Tests' name='TC_lu_and_mt_csd' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_lu_and_mo_call_reass_for_mt_codec' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_stat_bsc_sctp_disconnected' time='MASKED'/>
+ <testcase classname='MSC_Tests' name='TC_silent_call_start_stop' time='MASKED'/>
<!-- MSC_Tests_Iu testcases start here -->
<testcase classname='MSC_Tests_Iu' name='TC_iu_lu_imsi_reject' time='MASKED'/>
<testcase classname='MSC_Tests_Iu' name='TC_iu_lu_imsi_timeout_gsup' time='MASKED'/>


Gerrit-MessageType: newchange
Gerrit-Project: osmo-ttcn3-hacks
Gerrit-Branch: master
Gerrit-Change-Id: I3ef22fbb5a05f69cc8aea7f42e05f6e1d6c4a8b6
Gerrit-Change-Number: 40863
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy@sysmocom.de>