fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/40863?usp=email )
Change subject: msc: add TC_silent_call_start_stop ......................................................................
msc: add TC_silent_call_start_stop
This testcase triggers a use-after-free in osmo-msc.
Change-Id: I3ef22fbb5a05f69cc8aea7f42e05f6e1d6c4a8b6 Related: osmo-msc.git I93913d189800d71f82c013b6e946bd63db362f65 --- M msc/MSC_Tests.ttcn M msc/expected-results.xml 2 files changed, 51 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/63/40863/1
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index 4a7acdc..46fdd4d 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -7710,6 +7710,52 @@
 setverdict(pass);
 }
+/* Bug reproducer for https://gerrit.osmocom.org/c/osmo-msc/+/40852.
+ * Start and stop a silent call while there's an active connection. */
+private function f_TC_silent_call_start_stop(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
+ var charstring cmd, resp;
+
+ f_init_handler(pars);
+
+ cmd := "subscriber imsi " & hex2str(g_pars.imsi) & " silent-call ";
+
+ f_perform_lu();
+ f_ran_register_imsi(g_pars.imsi, g_pars.tmsi);
+
+ /* The MS establishes a connection (e.g. for periodic Location Updating) */
+ f_establish_fully();
+
+ /* Meanwhile, a silent call is being initiated from the VTY */
+ MSCVTY.send(cmd & "start any signalling");
+ resp := f_vty_wait_for_prompt(MSCVTY);
+ if (resp != "% Silent call initiated") {
+ setverdict(fail, "VTY: Unexpected response: ", resp);
+ }
+
+ /* XXX: The MSC pages the MS, even though there is an active connection?!? */
+ f_expect_paging();
+
+ /* A silent call is being stopped from the VTY */
+ MSCVTY.send(cmd & "stop");
+ resp := f_vty_wait_for_prompt(MSCVTY);
+ if (resp != "% Silent call ended\n% Silent call stopped") {
+ setverdict(fail, "VTY: Unexpected response: ", resp);
+ }
+
+ f_sleep(10.0); /* timer X4 is 10s */
+
+ /* ... osmo-msc crashes after paging timeout ... */
+
+ f_expect_clear();
+}
+testcase TC_silent_call_start_stop() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+ f_init();
+
+ vc_conn := f_start_handler(refers(f_TC_silent_call_start_stop), 30);
+ vc_conn.done;
+}
+
 control {
 execute( TC_cr_before_reset() );
 execute( TC_lu_imsi_noauth_tmsi() );
@@ -7910,6 +7956,10 @@
 if (Misc_Helpers.f_osmo_repo_is("nightly")) {
 execute( TC_stat_bsc_sctp_disconnected() );
 }
+
+ if (Misc_Helpers.f_osmo_repo_is("nightly")) {
+ execute( TC_silent_call_start_stop() );
+ }
 }
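Review bot: A failed VTY response check in f_TC_silent_call_start_stop does not stop the handler: each `setverdict(fail, "VTY: Unexpected response: ", resp);` is followed by `f_expect_paging()` and later `f_expect_clear()`, so on a VTY mismatch the test keeps running and presumably blocks until one of those expectations or the 30 passed to f_start_handler (which looks like a timeout) fires, burying the actual reason in the log. If this file uses the `mtc.stop` idiom after a failing verdict elsewhere, both checks should read `setverdict(fail, "VTY: Unexpected response: ", resp); mtc.stop;`. Separately, `f_sleep(10.0)` equals timer X4 exactly and the pass/fail criterion is implicit: a comment on `f_expect_clear()` stating what is expected from a fixed osmo-msc after X4 expires (a CLEAR, versus a crash and therefore a timeout on an unfixed one) would make the reproducer self-explanatory. The XXX comment on `f_expect_paging()` also means the test will start failing at that line once osmo-msc stops paging a subscriber that already has an active connection; the comment should say that f_expect_paging() is to be removed at that point.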
diff --git a/msc/expected-results.xml b/msc/expected-results.xml
index 7a5066d..7070662 100644
--- a/msc/expected-results.xml
+++ b/msc/expected-results.xml
@@ -177,6 +177,7 @@
 <testcase classname='MSC_Tests' name='TC_lu_and_mt_csd' time='MASKED'/>
 <testcase classname='MSC_Tests' name='TC_lu_and_mo_call_reass_for_mt_codec' time='MASKED'/>
 <testcase classname='MSC_Tests' name='TC_stat_bsc_sctp_disconnected' time='MASKED'/>
+ <testcase classname='MSC_Tests' name='TC_silent_call_start_stop' time='MASKED'/>
 <!-- MSC_Tests_Iu testcases start here -->
 <testcase classname='MSC_Tests_Iu' name='TC_iu_lu_imsi_reject' time='MASKED'/>
 <testcase classname='MSC_Tests_Iu' name='TC_iu_lu_imsi_timeout_gsup' time='MASKED'/>