Segmentation fault while sending sms via bsc_hack_VTY

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Richard Zahoransky r.zahoransky at gmx.de
Wed Jun 30 14:55:54 UTC 2010


-------- Original Message --------
> Date: Wed, 30 Jun 2010 12:10:20 +0800
> From: Holger Hans Peter Freyther <holger at freyther.de>
> To: openbsc at lists.gnumonks.org
> Subject: Re: Segmentation fault while sending sms via bsc_hack_VTY
 
> > 
> > thanks a lot for starting to debug this. Could you help me a bit with
> > your test setup? Which type of BTS do you use? Could you get us a pcap
> > file for the Channel Activate NACK?


Attached I have a pcap file from bsc_hack. It logged until the segmentation fault happened. Additionally, I have captured the bsc_hack output and valgrind output in the other file. There you also find the openbsc config file. Only bsc_hack was started, without lcr or openggsn for this testing.

We use two nanoBTS - ipaccess-find prints out:

MAC Address='00:02:95:00:2f:b7'  IP Address='10.1.1.10'  Unit ID='1802/0/0'  Location 1=''  Location 2='BTS_NBT131G'  Equipment Version='165a029_48'  Software Version='168c002_v100b16d0'  Unit Name='nbts-00-02-95-00-2F-B7'  Serial Number='00071355'  
MAC Address='00:02:95:00:57:3e'  IP Address='10.1.1.11'  Unit ID='1800/0/0'  Location 1=''  Location 2='BTS_NBT131G'  Equipment Version='165a029_55'  Software Version='168a302_v142b13d0'  Unit Name='nbts-00-02-95-00-57-3E'  Serial Number='00107709'  

Each BTS has its own part in the openbsc.cfg.

> 
> please confirm that both the SMS crash and the NACKs are resolved.

I loaded and built the current version from OpenBSC (Jun. 30, ~3:00 p.m.). SMS still crashes when sending from the vty console.
As far as I can tell, the NACKs are resolved.

> 
> thanks
Thank you too!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smstest.pcap
Type: application/cap
Size: 9480 bytes
Desc: not available
URL: <http://lists.osmocom.org/pipermail/openbsc/attachments/20100630/105ccb8a/attachment.bin>
-------------- next part --------------
bsc_hack output after sending sms from the console:

<0000> abis_rsl.c:1388 (bts=0,trx=0,ts=0,ss=0) SAPI=0 ESTABLISH INDICATION
<0002> gsm_04_08.c:936 LOCATION UPDATING REQUEST: mi_type=0x04 MI(2936373035) type=NORMAL 
<0001> gsm_04_08.c:100 (bts 0 trx 0 ts 0 pd 05) Sending 0x18 to MS.
<0001> gsm_04_08.c:100 (bts 0 trx 0 ts 0 pd 05) Sending 0x18 to MS.
<- Can't find any subscriber for this ID
<0000> abis_rsl.c:1388 (bts=0,trx=0,ts=0,ss=0) SAPI=0 DATA INDICATION
<0003> gsm_04_08.c:1024 CLASSMARK CHANGE CM2(len=3) CM3(len=10)
<0000> abis_rsl.c:1388 (bts=0,trx=0,ts=0,ss=0) SAPI=0 DATA INDICATION
<0002> gsm_04_08.c:390 IDENTITY RESPONSE: mi_type=0x01 MI(262014900288624)
<0000> abis_rsl.c:1388 (bts=0,trx=0,ts=0,ss=0) SAPI=0 DATA INDICATION
<0002> gsm_04_08.c:390 IDENTITY RESPONSE: mi_type=0x02 MI(358998013670220)
<0002> gsm_04_08.c:327 Subscriber 262014900288624: LOCATION UPDATING REJECT LAC=2323 BTS=0
<0001> gsm_04_08.c:100 (bts 0 trx 0 ts 0 pd 05) Sending 0x04 to MS.
<0003> gsm_04_08_utils.c:197 Sending Channel Release: Chan: Number: 0 Type: 1
<0004> abis_rsl.c:586 (bts=0,trx=0,ts=0,ss=0) DEACTivate SACCH CMD
<0000> chan_alloc.c:363 (bts=0,trx=0,ts=0,ss=0) Recycling Channel
<0004> abis_rsl.c:942 (bts=0,trx=0,ts=0,ss=0): MEAS RES for inactive channel
<0004> abis_rsl.c:942 (bts=0,trx=0,ts=0,ss=0): MEAS RES for inactive channel
<0000> abis_rsl.c:1388 (bts=0,trx=0,ts=0,ss=0) SAPI=0 RELEASE CONFIRMATION
<0004> abis_rsl.c:625 (bts=0,trx=0,ts=0,ss=0) RF Channel Release CMD due error 0
<0004> abis_rsl.c:1047 (bts=0,trx=0,ts=0,ss=0) RF CHANNEL RELEASE ACK
<0004> abis_rsl.c:1235 (bts=0,trx=0,ts=0,ss=0) Activating ARFCN(871) SS(0) lctype SDCCH r=LOCATION_UPDATE ra=0x00
<0004> abis_rsl.c:1031 (bts=0,trx=0,ts=0,ss=0) CHANNEL ACTIVATE ACK
<0000> abis_rsl.c:1388 (bts=0,trx=0,ts=0,ss=0) SAPI=0 ESTABLISH INDICATION
<0002> gsm_04_08.c:936 LOCATION UPDATING REQUEST: mi_type=0x01 MI(262032560591295) type=NORMAL 
<0001> gsm_04_08.c:100 (bts 0 trx 0 ts 0 pd 05) Sending 0x18 to MS.
<0000> abis_rsl.c:1388 (bts=0,trx=0,ts=0,ss=0) SAPI=0 DATA INDICATION
<0003> gsm_04_08.c:1024 CLASSMARK CHANGE CM2(len=3) CM3(len=5)
<0004> abis_rsl.c:1235 (bts=0,trx=0,ts=0,ss=1) Activating ARFCN(871) SS(1) lctype SDCCH r=LOCATION_UPDATE ra=0x12
<0004> abis_rsl.c:1031 (bts=0,trx=0,ts=0,ss=1) CHANNEL ACTIVATE ACK
<0000> abis_rsl.c:1388 (bts=0,trx=0,ts=0,ss=0) SAPI=0 DATA INDICATION
<0002> gsm_04_08.c:390 IDENTITY RESPONSE: mi_type=0x02 MI(352080036021620)
<0000> abis_rsl.c:1388 (bts=0,trx=0,ts=0,ss=1) SAPI=0 ESTABLISH INDICATION
<0003> gsm_04_08.c:988 PAGING RESPONSE: mi_type=0x04 MI(782026853)
<0003> gsm_04_08.c:1006 <- Channel was requested by stylish-blau
<0001> transaction.c:70 subscr=0x86beef0, subscr->net=0x8679ae0
Segmentation fault



Valgrind output:

when connecting to bsc_hack_vty:

==17982== Syscall param ioctl(TCSET{S,SW,SF}) points to uninitialised byte(s)
==17982==    at 0x4166A5F: tcsetattr (tcsetattr.c:88)
==17982==    by 0x4069865: vty_create (vty.c:1399)
==17982==    by 0x406A289: telnet_new_connection (telnet_interface.c:167)
==17982==    by 0x403D924: bsc_select_main (select.c:119)
==17982==    by 0x804BEA5: main (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0xbecc1298 is on thread 1's stack
==17982== 

After typing subscriber extension 42792 sms send "Test via console" in bsc_hack_vty:

==17982== Invalid write of size 1
==17982==    at 0x4025D27: strcat (mc_replace_strmem.c:176)
==17982==    by 0x402D4B9: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F24: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0x4474eae is 0 bytes after a block of size 6 alloc'd
==17982==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==17982==    by 0x402D48C: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F24: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982== 
==17982== Invalid write of size 1
==17982==    at 0x405C973: _dbd_encode_binary (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x402D4E5: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0x4474ee4 is 0 bytes after a block of size 4 alloc'd
==17982==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==17982==    by 0x402D48C: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982== 
==17982== Invalid read of size 1
==17982==    at 0x4025CEB: strcat (mc_replace_strmem.c:176)
==17982==    by 0x402D4B9: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0x4474ee4 is 0 bytes after a block of size 4 alloc'd
==17982==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==17982==    by 0x402D48C: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982== 
==17982== Invalid write of size 1
==17982==    at 0x4025D0B: strcat (mc_replace_strmem.c:176)
==17982==    by 0x402D4B9: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0x4474ee4 is 0 bytes after a block of size 4 alloc'd
==17982==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==17982==    by 0x402D48C: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982== 
==17982== Invalid write of size 1
==17982==    at 0x4025D27: strcat (mc_replace_strmem.c:176)
==17982==    by 0x402D4B9: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0x4474ee5 is 1 bytes after a block of size 4 alloc'd
==17982==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==17982==    by 0x402D48C: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982== 
==17982== Invalid read of size 1
==17982==    at 0x40E250B: vfprintf (vfprintf.c:1614)
==17982==    by 0x4102146: vasprintf (vasprintf.c:64)
==17982==    by 0x405742E: dbi_conn_queryf (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F8E: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0x4474eae is 0 bytes after a block of size 6 alloc'd
==17982==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==17982==    by 0x402D48C: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F24: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982== 
==17982== Invalid read of size 1
==17982==    at 0x410BACD: _IO_default_xsputn (genops.c:479)
==17982==    by 0x40E2299: vfprintf (vfprintf.c:1614)
==17982==    by 0x4102146: vasprintf (vasprintf.c:64)
==17982==    by 0x405742E: dbi_conn_queryf (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F8E: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0x4474ee4 is 0 bytes after a block of size 4 alloc'd
==17982==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==17982==    by 0x402D48C: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x4056894: dbi_conn_quote_binary_copy (in /usr/lib/libdbi.so.0.0.5)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8060B80: gsm0408_dispatch (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8064CC7: msc_compl_l3 (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807E46B: gsm0408_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8068FDF: abis_rsl_rx_rll (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806A103: abis_rsl_rcvmsg (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80798F3: handle_ts1_read (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982== 
<0001> transaction.c:70 subscr=0x445cc48, subscr->net=0x42af8d0
==17982== Invalid read of size 1
==17982==    at 0x4026038: strlen (mc_replace_strmem.c:282)
==17982==    by 0x40409E8: gsm48_encode_bcd_number (gsm48_ie.c:83)
==17982==    by 0x806184F: gsm340_gen_oa (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806190B: gsm340_gen_tpdu (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8063069: gsm411_send_sms (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806319E: paging_cb_send_sms (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807452F: subscr_paging_cb (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80760DA: _paging_request_stop (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8076186: paging_request_stop (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80722E3: gsm48_handle_paging_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B69C: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0xa6 is not stack'd, malloc'd or (recently) free'd
==17982== 
==17982== 
==17982== Process terminating with default action of signal 11 (SIGSEGV)
==17982==  Access not within mapped region at address 0xA6
==17982==    at 0x4026038: strlen (mc_replace_strmem.c:282)
==17982==    by 0x40409E8: gsm48_encode_bcd_number (gsm48_ie.c:83)
==17982==    by 0x806184F: gsm340_gen_oa (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806190B: gsm340_gen_tpdu (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8063069: gsm411_send_sms (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x806319E: paging_cb_send_sms (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x807452F: subscr_paging_cb (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80760DA: _paging_request_stop (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x8076186: paging_request_stop (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x80722E3: gsm48_handle_paging_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B69C: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805BCB1: gsm0408_rcv_rr (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  If you believe this happened as a result of a stack
==17982==  overflow in your program's main thread (unlikely but
==17982==  possible), you can try to increase the size of the
==17982==  main thread stack using the --main-stacksize= flag.
==17982==  The main thread stack size used in this run was 8388608.
==17982== 
==17982== HEAP SUMMARY:
==17982==     in use at exit: 743,573 bytes in 5,081 blocks
==17982==   total heap usage: 8,630 allocs, 3,549 frees, 2,006,406 bytes allocated
==17982== 
==17982== LEAK SUMMARY:
==17982==    definitely lost: 0 bytes in 0 blocks
==17982==    indirectly lost: 0 bytes in 0 blocks
==17982==      possibly lost: 740,173 bytes in 5,050 blocks
==17982==    still reachable: 3,400 bytes in 31 blocks
==17982==         suppressed: 0 bytes in 0 blocks
==17982== Rerun with --leak-check=full to see details of leaked memory
==17982== 
==17982== For counts of detected and suppressed errors, rerun with: -v
==17982== Use --track-origins=yes to see where uninitialised values come from
==17982== ERROR SUMMARY: 11 errors from 9 contexts (suppressed: 40 from 13)
Segmentation fault


OpenBSC config is:
!
! OpenBSC configuration saved from vty
!   !
password foo
!
line vty
 no login
!
network
 network country code 262
 mobile network code 23
 short name RZ-GSM
 long name RZ-GSM
 auth policy closed
 location updating reject cause 13
 encryption a5 0
 neci 0
 rrlp mode none
 mm info 1
 handover 1
 handover window rxlev averaging 10
 handover window rxqual averaging 1
 handover window rxlev neighbor averaging 10
 handover power budget interval 6
 handover power budget hysteresis 3
 handover maximum distance 9999
 timer t3101 10
 timer t3103 0
 timer t3105 0
 timer t3107 0
 timer t3109 0
 timer t3111 0
 timer t3113 60
 timer t3115 0
 timer t3117 0
 timer t3119 0
 timer t3141 0
 bts 0
  type nanobts
  band DCS1800
  cell_identity 4711
  location_area_code 2323
  training_sequence_code 7
  base_station_id_code 63
  ms max power 15
  cell reselection hysteresis 4
  rxlev access min 0
  channel allocator ascending
  rach tx integer 9
  rach max transmission 7
  ip.access unit_id 1800 0
  oml ip.access stream_id 255
  gprs mode none
  trx 0
   rf_locked 0
   arfcn 871
   nominal power 23
   max_power_red 20
   rsl e1 tei 0
    timeslot 0
     phys_chan_config CCCH+SDCCH4
    timeslot 1
     phys_chan_config SDCCH8
    timeslot 2
     phys_chan_config TCH/F
    timeslot 3
     phys_chan_config TCH/F
    timeslot 4
     phys_chan_config TCH/F
    timeslot 5
     phys_chan_config TCH/F
    timeslot 6
     phys_chan_config TCH/F
    timeslot 7
     phys_chan_config TCH/F
 bts 1
  type nanobts
  band DCS1800
  cell_identity 4712
  location_area_code 2323
  training_sequence_code 7
  base_station_id_code 63
  ms max power 15
  cell reselection hysteresis 4
  rxlev access min 0
  channel allocator ascending
  rach tx integer 9
  rach max transmission 7
  ip.access unit_id 1802 0
  oml ip.access stream_id 255
  gprs mode none
  trx 0
   rf_locked 0
   arfcn 877
   nominal power 23
   max_power_red 20
   rsl e1 tei 0
    timeslot 0
     phys_chan_config CCCH+SDCCH4
    timeslot 1
     phys_chan_config SDCCH8
    timeslot 2
     phys_chan_config TCH/F
    timeslot 3
     phys_chan_config TCH/F
    timeslot 4
     phys_chan_config TCH/F
    timeslot 5
     phys_chan_config TCH/F
    timeslot 6
     phys_chan_config TCH/F
    timeslot 7
     phys_chan_config TCH/F

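The valgrind report above mixes two different defects, repeated many times: a series of one-byte heap overruns of blocks allocated inside dbd_quote_binary (reached from db_sync_equipment), and a final read of address 0xa6, which is what dereferencing a field of a NULL struct pointer looks like, in gsm48_encode_bcd_number (reached from gsm340_gen_oa). The script below is an added example for triaging that kind of memcheck output; it is not part of the original post and not OpenBSC code. It parses "Invalid read/write" blocks, classifies each by its "Address ... is ..." line, records the first frame inside the program binary, and collapses repeats into distinct defects. The sample input is a constructed excerpt modelled on the report above; the binary name used to tell program frames from library frames is a parameter (default bsc_hack).

```python
"""Triage helper for Valgrind memcheck output (added example, not from the
original post or OpenBSC).  It collapses a long memcheck log into distinct
defects keyed by cause and by the first frame in our own binary."""
import re
from collections import OrderedDict

# Constructed excerpt modelled on the report above (frames shortened).
SAMPLE = """\
==17982== Invalid write of size 1
==17982==    at 0x4025D27: strcat (mc_replace_strmem.c:176)
==17982==    by 0x402D4B9: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x8056F24: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==    by 0x805B683: gsm48_rx_rr_pag_resp (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0x4474eae is 0 bytes after a block of size 6 alloc'd
==17982==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==17982==    by 0x402D48C: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982== 
==17982== Invalid read of size 1
==17982==    at 0x4025CEB: strcat (mc_replace_strmem.c:176)
==17982==    by 0x402D4B9: dbd_quote_binary (in /usr/lib/dbd/libdbdsqlite3.so)
==17982==    by 0x8056F56: db_sync_equipment (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0x4474ee4 is 0 bytes after a block of size 4 alloc'd
==17982==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==17982== 
==17982== Invalid read of size 1
==17982==    at 0x4026038: strlen (mc_replace_strmem.c:282)
==17982==    by 0x40409E8: gsm48_encode_bcd_number (gsm48_ie.c:83)
==17982==    by 0x806184F: gsm340_gen_oa (in /home/gsm/openbsc-gprs/openbsc/openbsc/src/bsc_hack)
==17982==  Address 0xa6 is not stack'd, malloc'd or (recently) free'd
==17982== 
==17982== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
"""

HEADER = re.compile(r"Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ADDRESS = re.compile(r"Address 0x([0-9A-Fa-f]+) is (.+)$")
OVERRUN = re.compile(r"(\d+) bytes after a block of size (\d+) alloc'd")


def parse_errors(text, binary="bsc_hack"):
    """Return one record per 'Invalid read/write' block: kind, access size,
    call frames, first frame inside `binary`, and a cause classification."""
    errors, cur, in_alloc_stack = [], None, False
    for raw in text.splitlines():
        line = re.sub(r"^==\d+==", "", raw).strip()   # drop the ==PID== prefix
        m = HEADER.match(line)
        if m:
            cur = {"kind": m.group(1), "size": int(m.group(2)), "frames": [],
                   "user_frame": None, "cause": None}
            errors.append(cur)
            in_alloc_stack = False
            continue
        if cur is None:
            continue
        m = FRAME.match(line)
        if m:
            if not in_alloc_stack:          # frames after 'Address' describe the allocation
                func, where = m.groups()
                cur["frames"].append(func)
                if cur["user_frame"] is None and where.endswith(binary):
                    cur["user_frame"] = func
            continue
        m = ADDRESS.match(line)
        if m:
            addr, desc = int(m.group(1), 16), m.group(2)
            ov = OVERRUN.match(desc)
            if ov:                          # access past the end of a live heap block
                cur["cause"] = "heap-overflow"
                cur["block_size"] = int(ov.group(2))
            elif "not stack'd, malloc'd" in desc:
                # Addresses below the first page are a NULL base plus a field offset.
                cur["cause"] = "near-null" if addr < 4096 else "wild-pointer"
            in_alloc_stack = True
            continue
        if line == "":                      # blank ==PID== line ends the block
            cur = None
    return errors


def triage(text, binary="bsc_hack"):
    """Group repeated reports into distinct defects; also return the count
    memcheck itself reported in ERROR SUMMARY (None if absent)."""
    groups = OrderedDict()
    for e in parse_errors(text, binary):
        key = (e["cause"], e["user_frame"])
        g = groups.setdefault(key, {"cause": e["cause"], "user_frame": e["user_frame"],
                                    "top": e["frames"][0], "count": 0, "kinds": set()})
        g["count"] += 1
        g["kinds"].add(e["kind"])
    m = re.search(r"ERROR SUMMARY: (\d+) errors", text)
    return list(groups.values()), (int(m.group(1)) if m else None)


if __name__ == "__main__":
    defects, reported = triage(SAMPLE)
    print(f"{reported} memcheck errors collapse to {len(defects)} defects:")
    for d in defects:
        print(f"  {d['cause']:<14} in {d['user_frame']} (faults in {d['top']}, "
              f"{d['count']}x {'/'.join(sorted(d['kinds']))})")
```

Run against the full log, the two groups it prints are the places to look first: every overrun shares the db_sync_equipment allocation site, so one fix there clears most of the error count, while the near-null read in gsm340_gen_oa is the one that actually terminates the process.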

