OpenBSC March 2017

openbsc@lists.osmocom.org

22 participants
46 discussions

by Vadim Yanitskiy

Hi Max, > On a related note - are you working on moving OsmoBTS to libosmocoding? Not a whole OsmoBTS :) GSM 05.03 transcoding routines only. Right now, I am testing dynamic TS switching on UmTRX. > Are there some missing pieces before this can be done? Almost done, now we need to switch OsmoBTS to use libosmocore's implementation and remove the old code. With best regards, Vadim Yanitskiy.

8 years

Unknown HFC multiport controller

by Alexander Huemer

Hi, I have a Siemens BS-11 and a HFC IOB1E1 PCI card. The linux kernel is not very happy with the card, I get Unknown HFC multiport controller (vendor:1397 device:30b1 subvendor:1397 subdevice:b543) Please contact the driver maintainer for support. The same error is mentioned in [1] but with different subdevice id, which I believe does not matter. I am not sure why vendor ID 1397 (PCI_VENDOR_ID_CCD) and device ID 30b1 (PCI_DEVICE_ID_CCD_HFCE1) are not valid. Consulting [2] I was under the impression that this is the expectation of the driver. [1] does not provide an answer as far as I can see. Would anybody know what the problem is here? -Alex [1] http://lists.osmocom.org/pipermail/openbsc/2009-August/001838.html [2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/driver…

8 years

MNCC ABI changes

by Holger Freyther

Hi, as part of looking into early media (and at some point handover handling) I would like to use MNCC_RTP_CONNECT and supply "recvonly", "sendonly" attributes. The gsm_mncc_rtp structure does not carry this information though. struct gsm_mncc_rtp { uint32_t msg_type; uint32_t callref; uint32_t ip; uint16_t port; uint32_t payload_type; uint32_t payload_msg_type; }; The content of payload_msg_type currently holds anything between 0x300 and 0x03ff and I would like to split this field into two uint16_t. The reason is not to change the size of the structure (and maybe not dump the protocol version). It would be a backward compatible change. Is anyone open for such tricks? Otherwise I will bump protocol version and change the ABI (and try to update the various active users of this protocol). holger

8 years

SMS not received in mobile - Virtual layer1 (osmo-nitb + osmo-bts + osmocom-bb/mobile)

by Sebastian Stumpf

Hi, Some of my sent SMS are not received by my mobile and I try to figure out if this is a problem with my virtual layer 1, configuration or something in the layers 2+. I use: osmo-nitb: 1 subscriber in hlr (id 1, ext 017519191919) osmo-bts: virt-phy, arfcn 666, TS0=CCCH+SDCCH4, TS1=SDCCH8 MS layer23 app mobile: is the subscriber from osmo-nitb MS layer1 virt-phy: virtual gsmtap layer between bts and mobile I want: Send a sms to subscriber 017519191919. osmo-nitb VTY: OpenBSC# subscriber id 1 sms sender id 1 send Test I have 2 outcomes, first one is the failure. See https://www.dropbox.com/s/eunpfioq518t09a/mobile--ms-virt--bts-virt--bsc-ni… for the pcap. Do not wonder about the duplicated gsmtap messages from mobile, the ones to ip 225.0.0.1 are over virt-phy layer, the ones to localhost from the gsmtap logging option from mobile. Filter them out via "gsmtap && (ip.dst != 127.0.0.1)". 602-613: RR channel establishment with RA and IA as reaction to paging in 590 627,631: SABM from BTS to establish async balanced mode on SAPI3 (SMS) and the ACK from MS 656,684,699: I-Data frames on SAPI3 containing the sms 660,688,703: ReceiveReady's from MS (That ACK all I-frames before N(R)-1 as far as I understood) For me, that looks good and I really do not understand why the MS will not answer with the CP-ACK/RP-ACK after receiving the SMS Data in 699. The LAPDM link will stay up for some more time and be used by the network for retransmission of the sms (1149), but MS will never react to it on the SMS layer (CP-ACK, RP-ACK). Here is the console log for the mobile (https://www.dropbox.com/s/6gug5cd4up5qv7y/mobile--ms-virt--bts-virt--bsc-ni…). The paging is answered in line 378: Fri Mar 10 10:42:06 2017 DLLAPD <0012> lapd_core.c:793 SABM(E) received in state LAPD_STATE_IDLE Second outcome is a successfully sent sms from network to ms. See https://www.dropbox.com/s/ghdn7pc0j4vifbe/mobile--ms-virt--bts-virt--bsc-ni… for the pcap. What is different here? There is no paging, but the sms is sent within the dedicated channel used for the location update initiated by the phone started up. Why there is another outcome, I don't know. 169-181: RR channel establishment with RA and IA as part of mibiles startup routine to make location update 188,416: Location udpdate procedure on SAPI0 230,234: SABM from BTS to establish async balanced mode on SAPI3 (SMS) and the ACK from MS 396,444: I-Data frames on SAPI3 containing the sms 400,449: RR's from MS 450: CP-ACK for BTS 482,499: RP-ACK I-Frames for Network (osmo-nitb) Again, the console log of the mobile (https://www.dropbox.com/s/cujsn40d43g6wxk/mobile--ms-virt--bts-virt--bsc-ni…). The SABM on SAPI3 on downlink is received in line 206: Fri Mar 10 11:06:13 2017 DLLAPD <0012> lapd_core.c:793 SABM(E) received in state LAPD_STATE_IDLE The signaling looks quite similar in both cases, but one time the mobiles sms handler responds to CP-DATA msg containing the SMS, the other time not. Can someone find an error in the signaling I did not see? Is there a known Bug? To be honest, I last merged my branch with master some time ago (~ Jan 18 2017) and thus did not update osmo-nitb and the libraries since then to avoid compatibility problems. Have there been recent changes that could cause that behavior? Thank you and Kind Regards, Sebastian

8 years

about reusing subscriber connections

by Neels Hofmeyr

Testing with the nano3G, e.g. when sending a large SMS, I see that multiple CM Service Requests may come in on the same IuCS connection. The code so far assumed that a CM Service Request would always come in on a fresh, unauthenticated connection (after iuRelease): the ProcessAccessReQuest FSM always starts out with establishing identities, authentication, ciphering. Now I've added code to accept a CM Service Request on an already accepted connection, by sending back an immediate CM Service Accept without even invoking the PARQ FSM. But that might not be such a good idea: I face the same for a Location Updating. A phone may choose to send a periodic LU on an already open and accepted connection (I guess). So we should allow that by sending back a LU Accept right away, without another authentication dance. But we also want to tell the HLR about the LU. The VLR FSMs may also have other actions in mind that the MSC doesn't know or care about. So: To not re-invent the wheel outside of libvlr, I would go on and add a flag to the LU and PARQ FSMs to indicate that the request is coming in on an already accepted connection, to jump directly to the post-ciphering FSM state. But I'd like to hear whether you guys have some thoughts or experience on this. For the case of the large multi-part SMS, we usually are fast enough in releasing the conn after each SMS fragment. For the next fragment, another initialUE message with a CM Service Request starts the PARQ FSM, auth+ciph is re-established, and the next part goes through. But sometimes the UE has already started to send another CM Service Request to initiate the next SMS fragment before it acked the previous one -- meaning that before we get as far as being done and issuing an iuRelease from the CN, the UE already sends another fresh CM Service Request on the same conn. That means we don't have to re-establish auth, quite nice actually. To allow cascades like these, we might also decide to iuRelease slightly later, giving the UE another second to re-use the open connection, so that we have less message overhead and use less auth tuples -- I wouldn't actually give it much more than a second; after about five seconds, the UE usually does an iuRelease itself. That sounds sane, but actually https://osmocom.org/issues/1816 holds against that: when I send USSD requests *from the phone* rapidly without leaving time to iuRelease, only the first USSD goes through from the UE to the CN. The second one is never received on the IuCS wire. That would indicate that the phone expects a conn to close right away from the CN, always. When I wait for iuRelease before sending another USSD, the MO USSD gets its own conn established and all is well. This behaves identically for both the femto cell kinds I have for testing. But, today, seeing multiple CM Service Requests on the same conn for SMS makes me think that #1816 might be a bug in the USSD dispatch of my phone. If MO SMS can do CM Service Requests on an already open conn, why should MO USSD not be able to do the same? I think in the old, pre-VLR code, we would accept multiple CM Service Requests on the same conn without problems, because the semantics were "re-entrant", calling secure_connection() in multiple places, which was skipped when some flag that we're already authenticated was set. The VLR paradigm is different: it "locks down" a new conn until that is accepted (authenticated and ciphered, according to config). Once a conn is accepted, the rest of the code does not need to bother with asking for securing a connection. So far receiving a CM Service Request is semantically identical with starting a new conn. That's why I would explicitly add a parameter to FSM invocation to skip over auth+ciph in case the conn is already accepted, but still do any HLR actions as needed. What still bugs me is: when the phone knows that a conn is open, why should it bother with a CM Service Request, it could just start sending the real meat right away. Re-using from the CN side: In https://osmocom.org/issues/1712#note-7 I noted that the code should not page when a connection is already open. https://osmocom.org/issues/1862 asks for not attempting to send USSD from the CN to the UE when a conn is there but not authenticated/ciphered yet. When the conn is accepted, we can immediately send the MT messages -- however, if the conn is there but still busy authenticating, we must neither page nor can we send messages right away. We should then add an item to the queue of actions to carry out after a paging response, without dispatching a paging request; and ensure that the queue is also worked off in case we receive a CM Service Request or LU Request instead of a Paging Response ... actually, this might already work, but I should test for it. P.S.: Also wondering, could it happen that we receive a Paging Response on an already accepted connection? Wouldn't make much sense, but might be possible to provoke ;) Any facts/thoughts on this stuff are welcome. ~N

8 years

Re: libosmocore build failure cascade

by Vadim Yanitskiy

Hi Neels, Max and others, Sorry, I didn't expect such build failures. It seems, some of them was already fixed before I noticed this mail. I was a bit busy with OsmoBTS testing, so let me some time to go through this issues and let me know, if I should fix something else. Before submitting a new change, I do the following: - make check - make distcheck Should I test something else in the future? With best regards, Vadim Yanitskiy.

8 years

Re: New Defects reported by Coverity Scan for Osmocom

by Neels Hofmeyr

From libosmo-abis beb10ef02a10d73537a97f6f21aad36664c9b266 "add basic unixsocket support": On Wed, Mar 08, 2017 at 08:39:07AM -0800, scan-admin(a)coverity.com wrote: > *** CID 163920: (TAINTED_SCALAR) > /source-Osmocom/libosmo-abis/src/input/unixsocket.c: 90 in unixsocket_read_cb() > 84 uint8_t controldata; > 85 int ret; > 86 > 87 if (!msg) > 88 return -ENOMEM; > 89 > >>> CID 163920: (TAINTED_SCALAR) > >>> Calling function "read" taints argument "msg->data". > 90 ret = read(bfd->fd, msg->data, UNIXSOCKET_ALLOC_SIZE - 16); What this seems to complain about is that we're writing arbitrary data to msg->data, and in lapd_receive() pass this to a LOGP that prints a hexdump of it. In osmo_hexdump, we of course do hex_chars[buf[i] >> 4] which we know to always work out to one of '0'..'f' for *any* data. This point seems to be missed by covertiy scan and it believes we may end up with an invalid index to hex_chars[]. So this is a false positive. Marked it as such. > *** CID 163919: Security best practices violations (STRING_OVERFLOW) > /source-Osmocom/libosmo-abis/src/input/unixsocket.c: 236 in unixsocket_line_update() > 230 struct unixsocket_line *config; > 231 char sock_path[PATH_MAX]; > 232 int ret = 0; > 233 int i; > 234 > 235 if (line->sock_path) > >>> CID 163919: Security best practices violations (STRING_OVERFLOW) > >>> Note: This defect has an elevated risk because the source argument is a parameter of the current function. > 236 strcpy(sock_path, line->sock_path); Please always use osmo_strlcpy(), here with sizeof(sock_path). > 237 else > 238 sprintf(sock_path, "%s%d", UNIXSOCKET_SOCK_PATH_DEFAULT, > 239 line->num); > 240 > 241 LOGP(DLINP, LOGL_NOTICE, "line update (line=%p)\n", line); > > ** CID 163918: Memory - illegal accesses (BUFFER_SIZE_WARNING) > /source-Osmocom/openbsc/openbsc/src/libbsc/bsc_subscriber.c: 83 in bsc_subscr_set_imsi() > > The next one is from me, in 6d804b1a7e375213cb4b3e437c2b9b8c68872164 "add struct bsc_subscr, separating libbsc from gsm_subscriber": > ________________________________________________________________________________________________________ > *** CID 163918: Memory - illegal accesses (BUFFER_SIZE_WARNING) > /source-Osmocom/openbsc/openbsc/src/libbsc/bsc_subscriber.c: 83 in bsc_subscr_set_imsi() > 77 } > 78 > 79 void bsc_subscr_set_imsi(struct bsc_subscr *bsub, const char *imsi) > 80 { > 81 if (!bsub) > 82 return; > >>> CID 163918: Memory - illegal accesses (BUFFER_SIZE_WARNING) > >>> Calling strncpy with a maximum size argument of 16 bytes on destination array "bsub->imsi" of size 16 bytes might leave the destination string unterminated. > 83 strncpy(bsub->imsi, imsi, sizeof(bsub->imsi)); Again, I should use osmo_strlcpy(), which correctly handles sizeof(buf), other than strncpy which might leave the string unterminated. ~N

8 years

libosmocore build failure cascade

by Neels Hofmeyr

As you may have noticed, Vadim's new coding generation code caused numerous builds to fall on their faces. The reasons why what failed are not so trivial, so let me explain. In short, - we place generated artifacts in the $builddir, which ensures clean builds after removing the $builddir. Because we do that, we sometimes need to also -I$(builddir)/include for builds where $(builddir) != $(srcdir). - for generated files, it is important to have proper make dependencies to rebuild them when the sources for generation change. - in build jobs, it is important to wipe the workspace clean, particularly in the presence of generated source files that don't have proper make dependencies. What I saw today: (1) libosmocore master build failed https://jenkins.osmocom.org/jenkins/job/libosmocore/866/ (2) gerrit libosmocore patch checking build *succeeded* for the failing patch (3) libosmocore build actually first *succeeded* even in clean src dir (4) libosmocore build from different dir on clean *system* failed (5) new generated files ended up in $srcdir (6) debian build complained about files present but not installed My first guess was: the gerrit job fails to clean the workspace and hence works because old headers remain; the master build fails because it properly cleans up the workspace and checks building from another dir. Not at all :) (1) In fact the libosmocore *master* build failed because it did not properly clean up the workspace. The old headers remained, but lacked some symbols that were now undefined during compilation. --> added rm -rf *; git checkout . to the libosmocore master build. --> https://gerrit.osmocom.org/2002 ensures regeneration by changed gen code (If there are more deps that could be added there, please go ahead!) (2) The gerrit libosmocore patch succeeded because it properly cleans up the workspace, and does not check building from a separate dir. So it regenerated all headers in $srcdir, which is fine when also building in $srcdir. --> https://gerrit.osmocom.org/1998 tests separate dir in jenkins.sh (3) If I still have libosmocore headers in e.g. /usr/local/include, the build will take those when missing in the src tree and may actually succeed. So I had to go and rm -rf /usr/local/include/osmocom to reproduce the failure. :/ (4) Build from different dir fails because coding/gsm0503_interleaving.c #includes a header that is generated in $builddir (already before this patch), but coding/Makefile.am did not -I$(builddir)/include. --> https://gerrit.osmocom.org/2003 adds -I builddir in coding/ (5) While generating files in $srcdir does not necessarily break builds, it's better to write to $builddir instead -- removing $builddir then clears the build state completely. Fixed up to generate to $builddir, also in: --> https://gerrit.osmocom.org/1996 generates gsm0503 to builddir (6) *All* files part of 'make install' need to be mentioned in debian/*, either as files to be ignored or files to be installed. Max fixed it in: --> https://gerrit.osmocom.org/1989 --> do we want to add deb build checking to the gerrit job? I spent some time on cleaning failures from that patch, but then spent some extra time to help us not run into these problems again... Thanks for being aware of these issues. ~N -- - Neels Hofmeyr <nhofmeyr(a)sysmocom.de> http://www.sysmocom.de/ ======================================================================= * sysmocom - systems for mobile communications GmbH * Alt-Moabit 93 * 10559 Berlin, Germany * Sitz / Registered office: Berlin, HRB 134158 B * Geschäftsführer / Managing Directors: Harald Welte

8 years

osmo-sip-connector in bad state

by OMAR RAMADAN

If the SIP server dies in the middle of a call, osmo-sip-connector is in a bad state and generates a never ending stream of error messages: 58): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f258): zero length packettport(0xb7e9f25 It looks like the messages are generated from sofia-sip and I have managed to suppress the messages by setting the environment variable SU_DEBUG < 3: http://sofia-sip.sourcearchive.com/documentation/1.12.7/tport__internal_8h_… However, it looks like osmo-sip-connector is clearly in a bad state when this happens and we need a way to detect and release these ghosted calls.

8 years

packages broken by osmo-pcu commit "BTS: Convert relative frame numbers to absolute frame numbers"

by Neels Hofmeyr

Hi, the line if (abs(rfn - m_cur_rfn) > RFN_THRESHOLD) { in your recent osmo-pcu patch breaks the package builds (on ubuntu 16.10 x86_64 as well as i586). 1275a3f91a744e011b0dba82b09124d249c7abb5 / I74f00c11e5739d49f370ce6c357149e81d9aa759 I guess you should cast the uint32_t to e.g. long int explicitly to avoid the overloading ambiguity. abs((long int)(...)) It puzzles me why our gerrit build job did not run into this ambiguity though. My own build on my laptop doesn't even print a warning for this line. https://build.opensuse.org/package/live_build_log/network:osmocom:nightly/o… [ 110s] bts.cpp: In member function 'uint32_t BTS::rfn_to_fn(uint32_t)': [ 110s] bts.cpp:553:25: error: call of overloaded 'abs(uint32_t)' is ambiguous [ 110s] if (abs(rfn - m_cur_rfn) > RFN_THRESHOLD) { [ 110s] ^ [ 110s] In file included from /usr/include/c++/6/cstdlib:75:0, [ 110s] from /usr/include/c++/6/stdlib.h:36, [ 110s] from /usr/include/osmocom/core/linuxrbtree.h:97, [ 110s] from /usr/include/osmocom/core/timer.h:35, [ 110s] from ./bts.h:29, [ 110s] from bts.cpp:21: [ 110s] /usr/include/stdlib.h:735:12: note: candidate: int abs(int) [ 110s] extern int abs (int __x) __THROW __attribute__ ((__const__)) __wur; [ 110s] ^~~ [ 110s] In file included from /usr/include/c++/6/stdlib.h:36:0, [ 110s] from /usr/include/osmocom/core/linuxrbtree.h:97, [ 110s] from /usr/include/osmocom/core/timer.h:35, [ 110s] from ./bts.h:29, [ 110s] from bts.cpp:21: [ 110s] /usr/include/c++/6/cstdlib:185:3: note: candidate: __int128 std::abs(__int128) [ 110s] abs(__GLIBCXX_TYPE_INT_N_0 __x) { return __x >= 0 ? __x : -__x; } [ 110s] ^~~ [ 110s] /usr/include/c++/6/cstdlib:180:3: note: candidate: long long int std::abs(long long int) [ 110s] abs(long long __x) { return __builtin_llabs (__x); } [ 110s] ^~~ [ 110s] /usr/include/c++/6/cstdlib:172:3: note: candidate: long int std::abs(long int) [ 110s] abs(long __i) { return __builtin_labs(__i); } [ 110s] ^~~ ~N

8 years

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

OpenBSC March 2017