Dear Andreas, Harald,
I don't really know much about the bit order of TRAU frames but
the trau_test.c is causing an out of bounds access to the gsm_fr_map.
Re-produce (GCC >= 3.8 or clang >= 3.2 required):
$ make clean && make CFLAGS+="-ggdb3 -Og -fsanitize=address"
$ cd tests/trau
$ ./trau_test
Issue:
Breakpoint 1, 0xb69e7810 in __asan_report_error () from /usr/lib/i386-linux-gnu/libasan.so.0
(gdb) bt
#0 0xb69e7810 in __asan_report_error () from /usr/lib/i386-linux-gnu/libasan.so.0
#1 0xb69e08cf in __asan_report_load1 () from /usr/lib/i386-linux-gnu/libasan.so.0
#2 0x0804c4e7 in trau_encode_fr (tf=tf@entry=0xbffff530,
data=data@entry=0xbffff700 <incomplete sequence \320>) at trau_mux.c:441
#3 0x08048e06 in test_trau_fr_efr (data=<optimized out>,
data@entry=0xbffff700 <incomplete sequence \320>) at trau_test.c:35
#4 0x080494bf in main () at trau_test.c:70
(gdb) frame2
Undefined command: "frame2". Try "help".
(gdb) frame 2
#2 0x0804c4e7 in trau_encode_fr (tf=tf@entry=0xbffff530,
data=data@entry=0xbffff700 <incomplete sequence \320>) at trau_mux.c:441
441 k = gsm_fr_map[++l]-1;
(gdb) p l
$1 = 76
(gdb) p l
$2 = 76
(gdb) p sizeof(gsm_fr_map)
$3 = 76
Please fix as soon as possible as I would like to enable ASAN checking on
the jenkins as soon as possible.
kind regards
holger
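An added example, not code from this thread or from OpenBSC: a C model that replays the index arithmetic of the loop at trau_mux.c:441 to locate the out-of-bounds lookahead, next to a per-field variant that needs no lookahead. The width table is a constructed 76-entry stand-in for gsm_fr_map; the names fr_map, first_oob_iteration, reorder_fields and in_off are hypothetical, and the loop counters not visible in the backtrace are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for gsm_fr_map: 76 field widths totalling 260 bits
 * (8 LAR coefficients, then 4 sub-frames of 17 fields each). */
static const uint8_t fr_map[] = {
	6, 6, 5, 5, 4, 4, 3, 3,
	7, 2, 2, 6, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
	7, 2, 2, 6, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
	7, 2, 2, 6, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
	7, 2, 2, 6, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
};
#define N_FIELDS ((int)(sizeof(fr_map) / sizeof(fr_map[0])))

/* Replays the reported loop's index arithmetic without dereferencing past
 * the table. Returns the bit counter i at which fr_map[++l] would be read
 * with l == N_FIELDS, or -1 if that never happens. */
int first_oob_iteration(void)
{
	int i, k = fr_map[0] - 1, l = 0;
	for (i = 0; i < 260; i++) {
		if (--k < 0) {
			if (++l >= N_FIELDS)
				return i;
			k = fr_map[l] - 1;
		}
	}
	return -1;
}

/* Same bit placement, driven per field so no lookahead entry is needed.
 * in_off is the first payload bit in data (assumed parameter).
 * Returns the number of bits written, or -1 if d_bits is too small. */
int reorder_fields(uint8_t *d_bits, size_t d_len, const uint8_t *data, int in_off)
{
	int j = in_off, o = 0, k, l;
	for (l = 0; l < N_FIELDS; l++) {
		if ((size_t)o + fr_map[l] > d_len)
			return -1;
		for (k = fr_map[l] - 1; k >= 0; k--, j++)
			d_bits[k + o] = (data[j / 8] >> (7 - (j % 8))) & 1;
		o += fr_map[l];
	}
	return o;
}

int main(void) { printf("lookahead overruns at i=%d\n", first_oob_iteration()); return 0; }
```

Built with -fsanitize=address, the per-field variant stays clean because the table is only ever indexed with l below N_FIELDS.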
found by -fsanitize=address the last iteration of the loop, where i ==
259 and o == 260. It is read out-of-bounds but the content is never
used.
---
openbsc/src/libtrau/trau_mux.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/openbsc/src/libtrau/trau_mux.c b/openbsc/src/libtrau/trau_mux.c
index fd1895f..4f159e4 100644
--- a/openbsc/src/libtrau/trau_mux.c
+++ b/openbsc/src/libtrau/trau_mux.c
@@ -436,6 +436,9 @@ void trau_encode_fr(struct decoded_trau_frame *tf,
o = 0; /* offset output bits */
while (i < 260) {
tf->d_bits[k+o] = (data[j/8] >> (7-(j%8))) & 1;
+ /* to avoid out-of-bounds access in gsm_fr_map[++l] */
+ if (i == 259)
+ break;
if (--k < 0) {
o += gsm_fr_map[l];
k = gsm_fr_map[++l]-1;
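Review bot: The guard added before `if (--k < 0)` keys on the bit counter (`i == 259`) rather than on the index that actually overruns, so it only works while the entries of `gsm_fr_map` sum to exactly the 260 in the loop condition. Bounding the lookahead itself, i.e. executing `k = gsm_fr_map[++l]-1;` only while `l + 1` is still below the number of entries in the table, would state the invariant directly and stay correct if either the table or the loop bound changes. The early `break` also skips everything that follows the `if` block in the final iteration, so it is worth confirming that nothing after the loop relies on the counters having their former end values.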
--
2.0.0
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
hi!
I would like to have your opinion on the power management of the
sysmoBTS2050 hardware in various conditions:
Using only a single TRX with 10:
We have to disable the second TRX. Would you want to set a
different device id in the EEPROM for the sysmoBTS2050 to indicate
a single TRX board? If yes we could have nominal power return 40
and something like the sysmobts-mgr could disable the power of the
second trx on start?
Another option would be to make it configurable inside the bts
configuration file. In this case the bts process would need to
tell the sysmobts-mgr to switch off the second trx?
Reducing power in a dual-bts setup:
The current unfinished idea would be that in case the system
heats up too much we reduce the transmit power on the first
TRX. Is this enough? Is this enough because in the long run we
will manage both TRX from the first one? Or shall we handle
the heat inside OpenBSC to temporarily reduce the power? This
way we would need to send information in case the system returns
to an acceptable temperature?
holger
The function that checks for HO compatibility has been wrong for quite some
time. Even for E1-based BTSs the function requires RTP proxy to be
enabled. The following patch fixes this by changing the condition
so that RTP proxy is only required when the BTS is an IP-based unit:
diff --git a/openbsc/src/libbsc/bsc_vty.c b/openbsc/src/libbsc/bsc_vty.c
index 6acf0c6..fbf28ec 100644
--- a/openbsc/src/libbsc/bsc_vty.c
+++ b/openbsc/src/libbsc/bsc_vty.c
@@ -1427,8 +1427,9 @@ DEFUN(cfg_net_handover, cfg_net_handover_cmd,
{
int enable = atoi(argv[0]);
struct gsm_network *gsmnet = gsmnet_from_vty(vty);
+ struct gsm_bts *bts = vty->index;
- if (enable && ipacc_rtp_direct) {
+ if (enable && ((is_ipaccess_bts(bts)) && ipacc_rtp_direct)) {
vty_out(vty, "%% Cannot enable handover unless RTP Proxy mode "
"is enabled by using the -P command line option%s",
VTY_NEWLINE);
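Review bot: The new `struct gsm_bts *bts = vty->index;` sits in `cfg_net_handover`, which takes its context from `gsmnet_from_vty(vty)`; nothing in the hunk shows that `vty->index` holds a `struct gsm_bts` at this node, and if it does not, `is_ipaccess_bts(bts)` inspects the wrong object. Since the command enables handover for the network as a whole, consider deriving the condition from the network's BTSs (refuse only when one of them is an IP based unit and `ipacc_rtp_direct` is set), or at least validate `bts` before use. The doubled parentheses in `((is_ipaccess_bts(bts)) && ipacc_rtp_direct)` can be dropped.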
The patch is tested with Nokia Insite.
I hope someone can commit this to the master branch.
Regards,
Csaba
Hi,
I am trying to get openbsc to work. To do that I followed the steps on the page:
http://openbsc.osmocom.org/trac/wiki/OpenBSC_GPRS
Until the last step everything goes OK. During the last step:
cd /root/openbsc/openbsc; autoreconf -fi; export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig; ./configure; make
I get the message:
checking for LIBOSMONETIF... no
configure: error: Package requirements (libosmo-netif >= 0.0.1) were not
met:
No package 'libosmo-netif' found
I tried to find this package but was not able to find it.
Do you know where I can find this package so that I can get things working?
Regards
Henry
Hi All
As per the specs, after PDP context accept the mobile station should exchange
XID parameters with the SGSN before it initiates transfer of data.
As per the literature, if the mobile station is not happy with the negotiated
quality of service it will send the deactivation request, and I am getting
the same.
Is this the only reason the mobile station will send a deactivation request, or
is there something else which I am missing?
Any suggestions to fix this problem?
Can anybody comment on this, please?
regards
Josh