authorHolger Hans Peter Freyther <holger@moiji-mobile.com>2013-12-27 22:47:09 +0100
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2013-12-27 22:57:56 +0100
commitf76ed2d089acf4079828c810acb70acaa13892d7 (patch)
tree091f2c1798080a55f475a704cbb6b8c9fbfa124d /openbsc/src/libmsc/gsm_04_11.c
parent900394acf3564066571bc83cf9419037fa0fa003 (diff)
sms: Fix crash on RLL Establish Request timeouts with active call
Sylvain pointed out that in the current crash log the transaction we try to read the SMS from is actually a transaction for Call Control. On AMD64 the struct layout is different and that leads to a crash when the CC transaction is in front of the SMS transaction. Look at the trans->protocol to fix the crash. The issue got introduced in 6a3d765bf97349535602ed5b2b55d2093aa18d71 (2010) when I added the SAPI N Reject handling. #0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0) at smpp_openbsc.c:284 284 if (sms->source != SMS_SOURCE_SMPP) (gdb) bt #0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0) at smpp_openbsc.c:284 #1 0x00007f424e4a094c in osmo_signal_dispatch (subsys=1, signal=4, signal_data=0x7fff33574ea0) at signal.c:105 #2 0x000000000042b070 in send_signal (sig_no=<optimized out>, trans=<optimized out>, sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:125 #3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000 #4 0x0000000000408983 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>) at bsc_api.c:733 #5 rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>, rllr_ind=<optimized out>) at bsc_api.c:755 #6 rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>, rllr_ind=<optimized out>) at bsc_api.c:736 #7 0x000000000041f8d2 in complete_rllr (rllr=<optimized out>, type=<optimized out>) at bsc_rll.c:55 #8 0x00007f424e4a03bc in osmo_timers_update () at timer.c:243 #9 0x00007f424e4a069b in osmo_select_main (polling=0) at select.c:133 #10 0x0000000000407394 in main (argc=<optimized out>, argv=0x7fff33575238) at bsc_hack.c:346 (gdb) frame 3 #3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000 1000 send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0); (gdb) p trans $1 = (struct gsm_trans *) 0xedba80 (gdb) p *trans .... 
data = 0x1}}, sms = 0x3439323400000003}}} (gdb) p trans->protocol $4 = 3 '\003'
Diffstat (limited to 'openbsc/src/libmsc/gsm_04_11.c')
-rw-r--r--openbsc/src/libmsc/gsm_04_11.c31
1 files changed, 18 insertions, 13 deletions
diff --git a/openbsc/src/libmsc/gsm_04_11.c b/openbsc/src/libmsc/gsm_04_11.c
index 19b6030..97a67ee 100644
--- a/openbsc/src/libmsc/gsm_04_11.c
+++ b/openbsc/src/libmsc/gsm_04_11.c
@@ -988,19 +988,24 @@ void gsm411_sapi_n_reject(struct gsm_subscriber_connection *conn)
net = conn->bts->network;
- llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry)
- if (trans->conn == conn) {
- struct gsm_sms *sms = trans->sms.sms;
- if (!sms) {
- LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no "
- "SMS.\n");
- continue;
- }
-
- send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
- sms_free(sms);
- trans->sms.sms = NULL;
- trans_free(trans);
+ llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry) {
+ struct gsm_sms *sms;
+
+ if (trans->conn != conn)
+ continue;
+ if (trans->protocol != GSM48_PDISC_SMS)
+ continue;
+
+ sms = trans->sms.sms;
+ if (!sms) {
+ LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no SMS.\n");
+ continue;
}
+
+ send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
+ sms_free(sms);
+ trans->sms.sms = NULL;
+ trans_free(trans);
+ }
}
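Review bot: The new `if (trans->protocol != GSM48_PDISC_SMS)` guard is the whole fix but carries no comment, so nothing at the site says why it must precede the `sms = trans->sms.sms` read; the commit message explains that `trans->sms` is only meaningful for SMS transactions and that reading it on a Call Control transaction is what crashed, and a later refactor that hoists the read above the guard would silently reintroduce that bug. Suggest `/* trans_list holds transactions of every protocol; trans->sms is only valid once the protocol is known to be SMS */` directly above the check. The retained `if (!sms)` branch still only logs and continues, so an SMS transaction with no SMS object on a rejected connection stays in trans_list; whether that is intended or leaves a stale transaction depends on trans_free semantics not visible here and is worth a one-line comment either way. The head of gsm411_sapi_n_reject, with the declarations of trans, tmp and net, is outside the hunk.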