From a52ba0175f0e84c06faeb582414e4dc2dfe458c3 Mon Sep 17 00:00:00 2001
From: Jacob Erlbeck <jerlbeck@sysmocom.de>
Date: Thu, 24 Oct 2013 01:33:21 +0200
Subject: gb: Fix gprs_nsvc_delete() to free ctr group

This fixes a SEGV error that happens the next time the statistics
are updated.

Addresses:
 Program terminated with signal 11, Segmentation fault.
 #0  0xb7711fa5 in rate_ctr_group_intv (grp=<optimized out>) at
 rate_ctr.c:107
 107             for (i = 0; i < grp->desc->num_ctr; i++) {
 #0  0xb7711fa5 in rate_ctr_group_intv (grp=<optimized out>) at
     rate_ctr.c:107
 #1  rate_ctr_timer_cb (data=0x0) at rate_ctr.c:129
 #2  0xb770ec59 in osmo_timers_update () at timer.c:243
 #3  0xb770ef7a in osmo_select_main (polling=0) at select.c:133
 #4  0x08049987 in main (argc=3, argv=0xbfba8084) at
     gb_proxy_main.c:306

Sponsored-by: On-Waves ehf
---
 src/gb/gprs_ns.c         |  1 +
 tests/gb/gprs_ns_test.c  | 41 +++++++++++++++++++++++
 tests/gb/gprs_ns_test.ok | 86 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 128 insertions(+)

diff --git a/src/gb/gprs_ns.c b/src/gb/gprs_ns.c
index 6a35ad35..a4a6376f 100644
--- a/src/gb/gprs_ns.c
+++ b/src/gb/gprs_ns.c
@@ -210,6 +210,7 @@ void gprs_nsvc_delete(struct gprs_nsvc *nsvc)
 	if (osmo_timer_pending(&nsvc->timer))
 		osmo_timer_del(&nsvc->timer);
 	llist_del(&nsvc->list);
+	rate_ctr_group_free(nsvc->ctrg);
 	talloc_free(nsvc);
 }
 
diff --git a/tests/gb/gprs_ns_test.c b/tests/gb/gprs_ns_test.c
index 38c7d1ff..74eb701c 100644
--- a/tests/gb/gprs_ns_test.c
+++ b/tests/gb/gprs_ns_test.c
@@ -8,6 +8,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <unistd.h>
 #include <stdint.h>
 #include <string.h>
 #include <getopt.h>
@@ -439,6 +440,45 @@ static void gprs_dump_nsi(struct gprs_ns_inst *nsi)
 	printf("\n");
 }
 
+static void test_nsvc()
+{
+	struct gprs_ns_inst *nsi = gprs_ns_instantiate(gprs_ns_callback, NULL);
+	struct sockaddr_in peer[1] = {{0},};
+	struct gprs_nsvc *nsvc;
+	int i;
+
+	peer[0].sin_family = AF_INET;
+	peer[0].sin_port = htons(1111);
+	peer[0].sin_addr.s_addr = htonl(REMOTE_BSS_ADDR);
+
+	for (i=0; i<4; ++i) {
+		printf("--- Create via RESET (round %d) ---\n\n", i);
+
+		send_ns_reset(nsi, &peer[0], NS_CAUSE_OM_INTERVENTION,
+			      0x1001, 0x1000);
+		gprs_dump_nsi(nsi);
+
+		printf("--- Delete nsvc object (round %d)---\n\n", i);
+
+		nsvc = gprs_nsvc_by_nsvci(nsi, 0x1001);
+		OSMO_ASSERT(nsvc != NULL);
+		gprs_nsvc_delete(nsvc);
+
+		gprs_dump_nsi(nsi);
+	}
+
+	gprs_ns_destroy(nsi);
+	nsi = NULL;
+
+	printf("--- Process timers ---\n\n");
+	/* wait for rate_ctr_timer expiry */
+	usleep(1100000);
+	/* ensure termination */
+	alarm(2);
+	osmo_timers_update();
+	alarm(0);
+}
+
 static void test_bss_port_changes()
 {
 	struct gprs_ns_inst *nsi = gprs_ns_instantiate(gprs_ns_callback, NULL);
@@ -568,6 +608,7 @@ int main(int argc, char **argv)
 	osmo_signal_register_handler(SS_L_NS, &test_signal, NULL);
 
 	printf("===== NS protocol test START\n");
+	test_nsvc();
 	test_bss_port_changes();
 	test_sgsn_output();
 	printf("===== NS protocol test END\n\n");
diff --git a/tests/gb/gprs_ns_test.ok b/tests/gb/gprs_ns_test.ok
index 424d6819..b5d578a1 100644
--- a/tests/gb/gprs_ns_test.ok
+++ b/tests/gb/gprs_ns_test.ok
@@ -1,4 +1,90 @@
 ===== NS protocol test START
+--- Create via RESET (round 0) ---
+
+PROCESSING RESET from 0x01020304:1111
+02 00 81 01 01 82 10 01 04 82 10 00 
+
+==> got signal NS_RESET, NS-VC 0x1001/1.2.3.4:1111
+MESSAGE to BSS, msg length 9
+03 01 82 10 01 04 82 10 00 
+
+MESSAGE to BSS, msg length 1
+0a 
+
+result (RESET) = 9
+
+Current NS-VCIs:
+    VCI 0x1001, NSEI 0x1000, peer 0x01020304:1111, blocked
+
+--- Delete nsvc object (round 0)---
+
+Current NS-VCIs:
+
+--- Create via RESET (round 1) ---
+
+PROCESSING RESET from 0x01020304:1111
+02 00 81 01 01 82 10 01 04 82 10 00 
+
+==> got signal NS_RESET, NS-VC 0x1001/1.2.3.4:1111
+MESSAGE to BSS, msg length 9
+03 01 82 10 01 04 82 10 00 
+
+MESSAGE to BSS, msg length 1
+0a 
+
+result (RESET) = 9
+
+Current NS-VCIs:
+    VCI 0x1001, NSEI 0x1000, peer 0x01020304:1111, blocked
+
+--- Delete nsvc object (round 1)---
+
+Current NS-VCIs:
+
+--- Create via RESET (round 2) ---
+
+PROCESSING RESET from 0x01020304:1111
+02 00 81 01 01 82 10 01 04 82 10 00 
+
+==> got signal NS_RESET, NS-VC 0x1001/1.2.3.4:1111
+MESSAGE to BSS, msg length 9
+03 01 82 10 01 04 82 10 00 
+
+MESSAGE to BSS, msg length 1
+0a 
+
+result (RESET) = 9
+
+Current NS-VCIs:
+    VCI 0x1001, NSEI 0x1000, peer 0x01020304:1111, blocked
+
+--- Delete nsvc object (round 2)---
+
+Current NS-VCIs:
+
+--- Create via RESET (round 3) ---
+
+PROCESSING RESET from 0x01020304:1111
+02 00 81 01 01 82 10 01 04 82 10 00 
+
+==> got signal NS_RESET, NS-VC 0x1001/1.2.3.4:1111
+MESSAGE to BSS, msg length 9
+03 01 82 10 01 04 82 10 00 
+
+MESSAGE to BSS, msg length 1
+0a 
+
+result (RESET) = 9
+
+Current NS-VCIs:
+    VCI 0x1001, NSEI 0x1000, peer 0x01020304:1111, blocked
+
+--- Delete nsvc object (round 3)---
+
+Current NS-VCIs:
+
+--- Process timers ---
+
 --- Setup, send BSSGP RESET ---
 
 Setup NS-VC: remote 0x01020304:1111, NSVCI 0x1122(4386), NSEI 0x1122(4386)
-- 
cgit v1.2.3