fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmo-msc/+/39976?usp=email )
Change subject: gsm0911_rcv_nc_ss(): avoid assertion failure in msc_a_put()
gsm0911_rcv_nc_ss(): avoid assertion failure in msc_a_put()
It was reported by a user that osmo-msc hits an assertion failure:
Assert failed osmo_use_count_get_put(&msc_a->use_count, "cm_service_ss", -1) == 0 gsm_09_11.c:147
It's yet unclear how this can happen, because the MS/UE shall not be sending SS/USSD messages without a prior CM Service Request. However, I was able to write an "evil MS" testcase that reproduces the problem (see the related patch). This is pretty much a DoS vector, so let's add safety checks to gsm0911_rcv_nc_ss() preventing this.
Change-Id: I724f0f0c9ef8611d3c3653e9370361b252127f72
Related: osmo-ttcn3-hacks.git If1d85a1b4b63b01b4565e53677acfd21e664e799
Related: 5fb4a9efcf ("Release BSS connection when SS message is rejected")
Related: OS#6756
---
M src/libmsc/gsm_09_11.c
1 file changed, 8 insertions(+), 4 deletions(-)
Approvals:
  Jenkins Builder: Verified
  osmith: Looks good to me, but someone else must approve
  fixeria: Looks good to me, approved
  laforge: Looks good to me, but someone else must approve
diff --git a/src/libmsc/gsm_09_11.c b/src/libmsc/gsm_09_11.c index 442995e..f0d31bb 100644 --- a/src/libmsc/gsm_09_11.c +++ b/src/libmsc/gsm_09_11.c @@ -143,8 +143,10 @@ GSM48_PDISC_NC_SS | (tid << 4), GSM0480_MTYPE_RELEASE_COMPLETE); /* Decrement use counter that has been incremented by CM Service Request (SS). - * If there is no other service request, the BSS connection will be released. */ - msc_a_put(msc_a, MSC_A_USE_CM_SERVICE_SS); + * If there is no other service request, the BSS connection will be released. + * Guard against an "evil" MS/UE not sending CM Service Request (see OS#6756). */ + if (osmo_use_count_by(&msc_a->use_count, MSC_A_USE_CM_SERVICE_SS)) + msc_a_put(msc_a, MSC_A_USE_CM_SERVICE_SS); return -EINVAL; }
@@ -155,8 +157,10 @@ GSM48_PDISC_NC_SS | (tid << 4), GSM0480_MTYPE_RELEASE_COMPLETE); /* Decrement use counter that has been incremented by CM Service Request (SS). - * If there is no other service request, the BSS connection will be released. */ - msc_a_put(msc_a, MSC_A_USE_CM_SERVICE_SS); + * If there is no other service request, the BSS connection will be released. + * Guard against an "evil" MS/UE not sending CM Service Request (see OS#6756). */ + if (osmo_use_count_by(&msc_a->use_count, MSC_A_USE_CM_SERVICE_SS)) + msc_a_put(msc_a, MSC_A_USE_CM_SERVICE_SS); return -ENOMEM; }
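Review bot: In the first hunk (the -EINVAL path starting at line 143), when osmo_use_count_by() returns 0 the rejected SS/USSD message now leaves no trace beyond the RELEASE COMPLETE sent to the MS, and since there is no use count to drop the BSS connection is not released here either. Consider adding an else branch that logs at NOTICE/ERROR level with the file's existing logging macro, e.g. "SS/USSD message without prior CM Service Request (SS), rejecting", so that operators can detect the misbehaving MS/UE from OS#6756 in the logs, and please confirm in the commit message which path tears down the BSS connection in that case so it does not linger after the -EINVAL return.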
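Review bot: The second hunk (the -ENOMEM path starting at line 155) repeats the three-line guard-and-put sequence and its comment from the first hunk verbatim. A small static helper in the same file, for instance `static void msc_a_put_cm_service_ss_if_held(struct msc_a *msc_a)` wrapping `if (osmo_use_count_by(&msc_a->use_count, MSC_A_USE_CM_SERVICE_SS)) msc_a_put(msc_a, MSC_A_USE_CM_SERVICE_SS);` (name is only a suggestion), would keep the two error paths from drifting apart the next time the guard or the OS#6756 note is revised.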