Sylvain Munaut wrote:
Hi,
You need one of the patches that's in my pending branch, the "ipaccess: Send RTP Payload IE for CRCX & MDCX" patch to be exact. Try the sylvain/pending branch and it should work. Basically the RTP Payload IE is required.
Sylvain
Hi Sylvain,
I tried your branch code. After initializing the nanoBTS the bsc_hack crashed with the following output:
DB: Database initialized.
DB: Database prepared.
<000d> input/ipaccess.c:504 accept()ed new OML link from 132.230.8.239
<0005> bsc_init.c:626 bootstrapping OML for BTS 0
<000d> input/ipaccess.c:562 accept()ed new RSL link from 132.230.8.239
<0004> bsc_init.c:761 bootstrapping RSL for BTS/TRX (0/0) on ARFCN 514 using MCC=1 MNC=1 LAC=1 CID=0 BSIC=63 TSC=7
*** stack smashing detected ***: ./bsc_hack terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0x211ed8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0x211e90]
./bsc_hack[0x804b8af]
./bsc_hack[0x806d77b]
./bsc_hack[0x8070629]
./bsc_hack[0x806a275]
./bsc_hack[0x804a6ce]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x147b56]
./bsc_hack[0x804a2a1]
======= Memory map: ========
signal 6 received
talloc report on 'vty' (total 26794 bytes in 2351 blocks)
full talloc report on 'openbsc' (total 137802 bytes in 62 blocks)
Aborted
For debugging the code with gdb I had to change the makefile (see attached patch).
Here is the backtrace:
Program received signal SIGABRT, Aborted.
0x0021a832 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) bt
#0 0x0021a832 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x00b8e4d1 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0x00b91932 in *__GI_abort () at abort.c:92
#3 0x00bc4ee5 in __libc_message (do_abort=2, fmt=0xc866dd "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4 0x00c44ed8 in *__GI___fortify_fail (msg=0xc866c5 "stack smashing detected") at fortify_fail.c:32
#5 0x00c44e90 in __stack_chk_fail () at stack_chk_fail.c:29
#6 0x0804b8df in input_event (event=1, type=E1INP_SIGN_RSL, trx=0x80df1c0) at bsc_init.c:787
#7 0x0806d7ab in e1inp_event (ts=0x80f54f4, evt=1, tei=0 '\000', sapi=77 'M') at e1_input.c:519
#8 0x08070659 in handle_ts1_read (bfd=0x80f5a5c, what=<value optimized out>) at input/ipaccess.c:360
#9 ipaccess_fd_cb (bfd=0x80f5a5c, what=<value optimized out>) at input/ipaccess.c:469
#10 0x0806a2a5 in bsc_select_main (polling=0) at select.c:109
#11 0x0804a6fe in main (argc=1, argv=0xbffff2d4) at bsc_hack.c:233
I located the error in file bsc_init.c line 677:
si_tmp[23] -> buffer overflow
Changing it to si_tmp[24] fixed the crash, but the nanoBTS refuses to work.
Do you have any idea?
Regards,
Konrad
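As an added example (not OpenBSC's code, and not part of either message above), here is a hypothetical System Information encoder built around the same 23-octet buffer: a GSM 04.08 SI message fills exactly one 23-octet MAC block, which is why a si_tmp[23] is the natural size, and the writer refuses a message that would not fit instead of overrunning the stack by a byte and tripping the stack protector. The constants follow GSM 04.08; the function names and the constructed zero body are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical encoder, not OpenBSC's code. Every SI message is sent in a
 * single downlink MAC block of 23 octets: L2 pseudo length octet, protocol
 * discriminator, message type, body, and 0x2b padding up to the block end. */

#define GSM_MACBLOCK_LEN      23    /* octets per downlink MAC block         */
#define GSM48_PDISC_RR        0x06  /* Radio Resource protocol discriminator  */
#define GSM48_PAD_OCTET       0x2b  /* padding octet defined in GSM 04.08     */
#define GSM48_MT_RR_SYSINFO_1 0x19  /* message type of System Information 1   */

/* L2 pseudo length octet: length in bits 8..3, bits 2..1 fixed to "01". */
static uint8_t l2_pseudo_len(size_t len)
{
    return (uint8_t)((len << 2) | 0x01);
}

/* Encode an RR message (type + body) into a MAC block of dst_len octets.
 * Returns the octets written (the whole block) or -1 when the header plus
 * body would not fit; the caller never gets a partial or overrun buffer. */
int si_encode(uint8_t *dst, size_t dst_len, uint8_t msg_type,
              const uint8_t *body, size_t body_len)
{
    size_t l2_len = 2 + body_len;           /* pdisc + msg type + body */

    if (dst_len != GSM_MACBLOCK_LEN || l2_len > dst_len - 1 || l2_len > 63)
        return -1;                           /* would overrun, or exceed 6-bit length */

    dst[0] = l2_pseudo_len(l2_len);
    dst[1] = GSM48_PDISC_RR;
    dst[2] = msg_type;
    memcpy(&dst[3], body, body_len);
    /* unused space (rest octets) is filled with the padding octet */
    memset(&dst[3 + body_len], GSM48_PAD_OCTET, dst_len - 3 - body_len);
    return (int)dst_len;
}

/* Encode a constructed all-zero body of body_len octets into a stack buffer
 * sized like si_tmp and return the octet at idx, or -1 if encoding fails. */
int si_sample_octet(size_t body_len, size_t idx)
{
    uint8_t si_tmp[GSM_MACBLOCK_LEN];
    uint8_t body[32] = {0};                  /* constructed sample body */

    if (body_len > sizeof(body) || idx >= sizeof(si_tmp))
        return -1;
    if (si_encode(si_tmp, sizeof(si_tmp), GSM48_MT_RR_SYSINFO_1, body, body_len) < 0)
        return -1;
    return si_tmp[idx];
}
```

A 19-octet body gives the SI1 pseudo length octet 0x55 in the first position, while a 21-octet body is rejected rather than written one byte past the block.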