AgeCommit message (Collapse)AuthorFilesLines
2014-01-28smpp_smsc: Fix integer overflow in read return value and msgb_alloc()daniel/smpp-fixesDaniel Willmann1-6/+6
The size parameter of msgb_alloc is uint16_t so any length value above 65535 will allocate a msgb with incorrect size. This patch changes the type of rdlen and rc to ssize_t (the return value of read) and guards against the read length being larger than UINT16_MAX. To reproduce the issue run: echo -en "\x00\x01\x00\x01\x01" |socat stdin tcp:localhost:2775
2014-01-28smpp_smsc: Check that the size is large enough to hold actual dataDaniel Willmann1-0/+6
The first 4 bytes are the length including the length field. For length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail, resulting in an abort. The code also expects (in smpp_msgb_cmdid()) the existence of 4 more bytes for the SMPP command ID. This patch checks that the length received is large enough to hold all 8 bytes in the msgb and drops the connection if that's not the case. The issue is reproducible with: echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775
2014-01-28smpp_smsc: Fix socket read() error handlingDaniel Willmann1-16/+31
Read returning -1 is an error here so make sure to print the actual reason and close the socket. Before this patch we just looped over the fd with read returning -1 every time. EINTR is handled to not cause an error and we don't need to check EAGAIN/EWOULDBLOCK since the callback is only called in case there is something to read. To avoid copy&paste issues the check is implemented as a macro and the log message moved into a separate if.
2014-01-27Add function to update TRAU muxer after assignment or handoverAndreas Eversberg6-5/+61
E1 based BTS use TRAU muxer to decode TRAU frames. After changing channel from one timeslot to another (due to handover or assignment), the TRAU muxer must be updated. The call reference of the call is disconnected from the old channel and connected to the new channel.
2014-01-26Use 'defines' for length and duration of RTP payloadAndreas Eversberg2-7/+17
2014-01-20nat: Make the access-list deny cause configurableHolger Hans Peter Freyther2-4/+50
Add two optional arguments to the imsi-deny rule for the reject cause and verify that it is saved out.
2014-01-20nat: Introduce reject cause to bsc_nat_acc_lst_entryHolger Hans Peter Freyther4-5/+120
The filtering architecture already allowed to specify a reject reason but this has not been used for the access-lists. Extend the access-list to include a reject reason and extend the test case to honor it.
2014-01-20mgcp/test: Don't reset conn_mode between messagesJacob Erlbeck2-3/+2
Currently, the conn_mode field is reset after it has been checked. This patch disables this behaviour and only adds a mark (bit) to detect modifications. Sponsored-by: On-Waves ehf
2014-01-20mgcp: Synchronize conn mode bits and output enabled flagsJacob Erlbeck3-32/+34
This patch changes implementation and the mgcp_connection_mode enum in a way that net_end.output_enabled (bts_end.output_enabled) flag always matches the MGCP_CONN_SEND_ONLY (MGCP_CONN_RECV_ONLY) bit of conn_mode. Based on this, the conn_mode bits are then used instead of the output_enabled fields within mgcp_protocol.c. Sponsored-by: On-Waves ehf
2014-01-20mgcp: Disable output enabled on initialisationJacob Erlbeck2-3/+3
Currently RTP output_enabled is set to 1 on initialisation, which does not semantically match the initial value of conn_mode (MGCP_CONN_NONE). This patch changes this initial value to 0. Sponsored-by: On-Waves ehf
2014-01-19Fix more hidden TSC bugs for Ericsson BTSHarald Welte1-3/+3
It seems that also the Ericsson RBS2000 code was assuming that we always use the bts-global TSC, rather than the possibly different TS-specific TSC.
2014-01-19TSC: Add new gsm_ts_tsc() function to resolve TSC of TSHarald Welte4-14/+11
We don't want every caller to check for ts->tsc == -1 and then using ts->trx->bts->tsc instead. Rather, introduce a new inline function to retrieve the correct value.
2014-01-19Do not expect all BTSs support TSC != BCCHarald Welte7-1/+28
We introduce a new feature indicating if the given BTS model supports a TSC that is different from the BCC (lower 3 bits of BSIC).
2014-01-19Make gsm48_lchan2chan_desc() reflect a ts-specific TSCHarald Welte1-2/+8
If the TS has a specific, different TSC than the BTS (beacon), we should use that with preference over the TSC of the BTS.
2014-01-17openbsc: Fix coverity issuesJacob Erlbeck2-6/+19
This patch (hopefully) fixes the new defects reported by coverity. Addresses: ** CID 1156986: Negative array index read (NEGATIVE_RETURNS) /tests/gsm0408/gsm0408_test.c: 419 in test_si_range_helpers() /tests/gsm0408/gsm0408_test.c: 423 in test_si_range_helpers() /tests/gsm0408/gsm0408_test.c: 427 in test_si_range_helpers() ** CID 1156987: Unchecked return value from library (CHECKED_RETURN) /src/libmgcp/mgcp_protocol.c: 1150 in mgcp_keepalive_timer_cb() ** CID 1156988: Unchecked return value from library (CHECKED_RETURN) /src/libmgcp/mgcp_protocol.c: 983 in handle_modify_con() Sponsored-by: On-Waves ehf
2014-01-16Remove obsolete check of conn and lchan pointers not beeing NULLAndreas Eversberg1-4/+2
The check is removed from gsm48_cc_rx_setup() and gsm48_cc_rx_call_conf(). Receiving a layer 3 message implies that the transaction has a subscriber connection and a logical channel. This patch fixes the Coverity issues with CID 115311 and CID 1155312.
2014-01-16Merge branch 'jerlbeck/features/mgcp-rtp-keep-alive'Holger Hans Peter Freyther9-55/+312
2014-01-16mgcp: Send RTP keepalive dummy packets to netJacob Erlbeck5-10/+149
So far, a single dummy packet has been sent immediately after the reception of a MDCX message. There is no dedicated keep alive mechanism (it just worked because the audio from the MS has always been forwarded to the NAT until the 'mgcp: Set output_enabled flags based on the MGCP mode' patch). This patch adds explicit, timer based keep alive handling that can be enable per trunk. A VTY command 'rtp keep-alive' command is added for configuration which can be used to set the interval in seconds, to send a single packet after the reception of a CRCX/MDCX when RTP data from the net is expected ('once'), or to disable the feature completely ('no rtp keep-alive'). In 'send-recv' connections, only the initial packet is sent if enabled (even when an interval has been configured). The default is 'once'. Note that this removes the mgcp_change_cb() from mgcp_main.c. Sponsored-by: On-Waves ehf
2014-01-16mgcp/rtp: Send dummy packet to the RTCP destination, tooJacob Erlbeck1-2/+9
Currently a dummy packet is only sent to the RTP port. This is not enough if RTCP must also cross the SNAT. This patch sends an additional dummy packet to the RTCP net destination if omit_rtcp is not set. Sponsored-by: On-Waves ehf
2014-01-16mgcp/rtp: Make offset computation understandableJacob Erlbeck1-4/+4
Rename the timestamp variable to make in clear, that the input timestamp is meant. Add a helper variable to illustrate the offset computation. Sponsored-by: On-Waves ehf
2014-01-16mgcp: Set output_enabled flags based on the MGCP modeJacob Erlbeck2-14/+37
This patch enhances parse_conn_mode() to set the output_enabled flags of each end based on the MGCP mode. Ticket: OW#1044 Sponsored-by: On-Waves ehf
2014-01-16mgcp/test: Show the number of dummy packets sentJacob Erlbeck2-1/+34
This patch extends the test_messages test to show the number of dummy packets that has been passed to sendto(). This way, dummy packets are even being counted when sendto() itself failes (e.g. due to the fd being -1). Sponsored-by: On-Waves ehf
2014-01-16mgcp/test: Reset pkt_period_* after each testJacob Erlbeck2-1/+3
Currently these value may leak into the next test. This patch will reset them after each message has been processed. Sponsored-by: On-Waves ehf
2014-01-16mgcp/test: Test the connection mode parserJacob Erlbeck2-3/+50
This modifies the test MGCP messages to include M:recvonly (CRCX), M:sendrecv (MDCX) and M:sendonly (MDCX) outputs the resulting output_enabled flags and the conn_mode after processing the message. Sponsored-by: On-Waves ehf
2014-01-16mgcp/rtp: Add flag to disable RTP outputJacob Erlbeck4-2/+14
This patch make it possible to have a valid endpoint that drops all outgoing RTP packets. The number of dropped packets is shown by the VTY 'show mgcp' command. By default, this feature is disabled. To enable packet dropping, the corresponding output_enabled field must be set to 0. Ticket: OW#1044 Sponsored-by: On-Waves ehf
2014-01-16mgcp/rtp: Refactor mgcp_send to avoid code duplicationJacob Erlbeck1-28/+22
Currently there are two symmetric code paths which are selected by the packet destination (NET or BTS). This patch introduces 3 variables that take the different values and unifies both code paths into one. Sponsored-by: On-Waves ehf
2014-01-16Merge remote-tracking branch 'origin/jerlbeck/features/range-encode'Holger Hans Peter Freyther15-286/+580
2014-01-16si: Implement range 128, 256, 1024 encodingJacob Erlbeck2-17/+12
This commit adds the implementation of these range formats to the encoder. In addition, the work-around that tried range 512 first is removed, so that the selection is primarily based on the max distance between frequencies. Ticket: OW#1061 Sponsored-by: On-Waves ehf
2014-01-16si: Add generic range w(k) encoderJacob Erlbeck1-58/+83
Currently the encoding of the chan_list is done by a hard-coded sequence of macros that closely resembles figure 10.5.16 in 3GPP TS 04.08. This patch replaces this by an algorithmic solution that can be used for all range encodings and is based on the property W(2^i) to W(2^(i+1)-1) are on w1_len-i bits when present (see section in TS 04.08). Ticket: OW#1061 Sponsored-by: On-Waves ehf
2014-01-16si: Fix range1024 encodingJacob Erlbeck4-39/+33
f0 is currently set to arfcns[0] in range_enc_determine_range(), while GSM 04.08 requires f0 to be ARFCN 0 in range1024 encoding. This patch modifies range_enc_determine_range() to force f0 to be 0 if this encoding is used. This way the case distinction in range_enc_filter_arfcns() is not longer necessary. Sponsored-by: On-Waves ehf
2014-01-16si: Fix range512 encodingJacob Erlbeck2-10/+3
This patch fixes a bug in the range encoder that leads to wrong encoding when 17 or more ARFCNs are encoded. Sponsored-by: On-Waves ehf
2014-01-16si/test: Merge si tests into gsm48 testsJacob Erlbeck8-196/+167
Currently tests covering features of the GSM 04.08 specification are spread over the si and gsm0408 subdirs in tests. This commit merges all tests from 'si' into 'gsm0408' and removes the 'si' test sub-directory. Sponsored-by: On-Waves ehf
2014-01-16si/test: Add tests for range encoding/decodingJacob Erlbeck3-0/+265
This commit adds test range encoding tests. They check the property decoding(encoding(L)) = L and optionally dump the results and encoded sequences to stdout. There a 2 test modes: - A list of fixed tests - A random number based test loop per ARFCN list size (only dumps the first failing test) Sponsored-by: On-Waves ehf
2014-01-16si: Add a config option to disable SI2ter/SI2bis/SI5ter/SI5bis messagesJacob Erlbeck4-0/+51
The iPhone5 (US) appears to have some issues with the SIs generated, or the nanoBTS is not sending them correctly. Add a configurable hack to put all bands into the SI2/SI5 message. It is enabled by the bts VTY command 'force-combined-si'. This is a quick change without much reflection and watching for side effects. I have verfied that a network with ARFCN 134 and neighbors ARFCN 130 and 512 do not get generate the SI2ter and announce everything inside the SI2. This patch is conceptually based on 'si: Add a hack to disable SI2ter/SI2bis/SI5ter/SI5bis messages' (692daaf2d2). Ticket: OW#1062 Sponsored-by: On-Waves ehf
2014-01-14Each BTS can be configured for speech support (other than GSM full rate)Andreas Eversberg4-1/+119
Speech codings which are not supported by BTS will be removed from the bearer capability information element after parsing. This way it is not required for the MNCC application to consider support of each BTS. Only GSM full rate is supported by default.
2014-01-09Add VTY option for Nokia BTS that does not send RELease CONFirm messageAndreas Eversberg4-2/+70
This option is a workarround for a bug found in Nokia InSite BTS firmware version 3.0.0. There is no RELease CONFirm message for local end release. Nokia MetroSite with firmware version 4.178.16 is not affected. TS 04.06 Chapter "Local end release procedure" states that a confirm must be sent by layer 2 when receiving a local end release request. In order to correctly switch a channel (handover or assignment), local end release is required.
2014-01-08nitb: Set the DST field in generated MM info messagesJacob Erlbeck1-0/+15
Currently the NET_DST information element (see GSM 24.008) is not included in generated MM info messages even when the DST field in the timezone info has been set via the VTY or the control interface. This patch modifies gsm48_tx_mm_info() to append this information element if (and only if) a non-zero DST has been configured. The DST IE is not part of GSM 4.8. Therefore it will only be sent, if the DST offset is configured to a value != 0. The DST functionality has been verified with wireshark by Jacob. Sponsored-by: On-Waves ehf
2013-12-29smpp: In case we know the receiver set the context for loggingHolger Hans Peter Freyther1-0/+2
2013-12-29mncc: Add the context we get from the MNCC interfaceHolger Hans Peter Freyther1-0/+13
Currently we only set the SUBSCR on RSL messages. Extend it to messages that go through MNCC. For call control/bridging it is difficult to pick the right subscriber. We should support a list or at least two legs in the imsi filter context.
2013-12-28ussd: Reject and release unhandled SS requests/interrogationTobias Engel1-1/+9
In case the unpack of a USSD request is failing the channel would remain open and the phone would not receive a response. Simply reject the interrogation. Example interrogation: 0000 1b 7b 1c 0d a1 0b 02 01 01 02 01 0e 30 03 04 01 0010 11 7f 01 00
2013-12-27sms: Fix crash on RLL Establish Request timeouts with active callHolger Hans Peter Freyther1-13/+18
Sylvain pointed out that in the current crash log the transaction we try to read the SMS from is actually a transaction for Call Control. On AMD64 the struct layout is different and that leads to a crash when the CC transaction is in front of the SMS transaction. Look at the trans->protocol to fix the crash. The issue got introduced in 6a3d765bf97349535602ed5b2b55d2093aa18d71 (2010) when I added the SAPI N Reject handling. #0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0) at smpp_openbsc.c:284 284 if (sms->source != SMS_SOURCE_SMPP) (gdb) bt #0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0) at smpp_openbsc.c:284 #1 0x00007f424e4a094c in osmo_signal_dispatch (subsys=1, signal=4, signal_data=0x7fff33574ea0) at signal.c:105 #2 0x000000000042b070 in send_signal (sig_no=<optimized out>, trans=<optimized out>, sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:125 #3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000 #4 0x0000000000408983 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>) at bsc_api.c:733 #5 rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>, rllr_ind=<optimized out>) at bsc_api.c:755 #6 rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>, rllr_ind=<optimized out>) at bsc_api.c:736 #7 0x000000000041f8d2 in complete_rllr (rllr=<optimized out>, type=<optimized out>) at bsc_rll.c:55 #8 0x00007f424e4a03bc in osmo_timers_update () at timer.c:243 #9 0x00007f424e4a069b in osmo_select_main (polling=0) at select.c:133 #10 0x0000000000407394 in main (argc=<optimized out>, argv=0x7fff33575238) at bsc_hack.c:346 (gdb) frame 3 #3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000 1000 send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0); (gdb) p trans $1 = (struct gsm_trans *) 0xedba80 (gdb) p *trans .... data = 0x1}}, sms = 0x3439323400000003}}} (gdb) p trans->protocol $4 = 3 '\003'
2013-12-27db: Avoid crash we have seen with the dbi code when reading a SMSHolger Hans Peter Freyther2-0/+16
Avoid a crash when reading a SMS and a Subscriber could not be resolved. It is not clear why the read was failing. The sender_id and the receiver_id was valid for the given sms. I assume that the database has been locked due external access to it. The side-effect is that in case of such a failure the sms_queue will start to deliver starting from subscriber id = 0 again. #1 0x0000000000428bec in sms_from_result (net=0x156a270, result=0x15eda30) at db.c:1146 #2 0x000000000042a8e0 in db_sms_get_unsent_by_subscr (net=0x156a270, min_subscr_id=<optimized out>, failed=<optimized out>) at db.c:1255 #3 0x000000000042e900 in take_next_sms (smsq=<optimized out>) at sms_queue.c:193 #4 sms_submit_pending (_data=0x158e300) at sms_queue.c:227 #5 0x00007f3fd30de3bc in osmo_timers_update () at timer.c:243 #6 0x00007f3fd30de69b in osmo_select_main (polling=0) at select.c:133 #7 0x0000000000406fbc in main (argc=9, argv=<optimized out>) at bsc_hack.c:346 (gdb) frame 1 #1 0x0000000000428bec in sms_from_result (net=0x156a270, result=0x15eda30) at db.c:1146 1146 strncpy(sms->src.addr, sms->sender->extension, sizeof(sms->src.addr)-1); (gdb) p *sms (gdb) p sms->sender $1 = (struct gsm_subscriber *) 0x0 (gdb) p sender_id $2 = <optimized out>
2013-12-27bsc: Reduce the RLL timeout to be smaller than TC1/max_retr+1Holger Hans Peter Freyther1-1/+1
Sylvain pointed out that the RLL and the SMC timeout is the same. This can lead to have a SMC re-transmission before the first RLL Establish Request has timed out. Reduce the RLL timeout. GSM 08.58 does not specify a timeout so right now I just reduce it to seven seconds.
2013-12-27libmsc: Set the "trans->conn" to NULL to catch invalid usageHolger Hans Peter Freyther1-1/+1
Make finding use-after-free more easy and set it to NULL.
2013-12-27lu crash: Fix a crash that likely occurred during the LU procedureHolger Hans Peter Freyther1-0/+3
conn->loc_operation is already NULL (e.g. due a five second timeout but we are still processing a RSL message after we initiated the release procedure). Do not attempt to authorize a subcriber without knowing the key_sequence. This can cause more problems but we will need to test this in the field. (gdb) bt #0 gsm0408_authorize (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:323 #1 gsm0408_authorize (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:319 #2 0x000000000043a99a in mm_rx_id_resp (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:495 #3 gsm0408_rcv_mm (msg=<optimized out>, conn=0x19fc2f0) at gsm_04_08.c:1041 #4 gsm0408_dispatch (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:3232 (gdb) p *conn $5 = {entry = {next = 0x1746930, prev = 0x1a14270}, subscr = 0x1745eb0, expire_timer_stopped = 1 '\001', loc_operation = 0x0, sec_operation = 0x0, anch_operation = 0x0, silent_call = 0, put_channel = 0, sccp_con = 0x0, in_release = 0, lchan = 0x7f8c79007218, ho_lchan = 0x0, bts = 0x1719f90, T10 = {node = { rb_parent_color = 0, rb_right = 0x0, rb_left = 0x0}, list = {next = 0x0, prev = 0x0}, timeout = {tv_sec = 0, tv_usec = 0}, active = 0, cb = 0, data = 0x0}, secondary_lchan = 0x0}
2013-12-27periodic/lu: Attempt to implicitly attach a subscriber instead of rejectingHolger Hans Peter Freyther1-4/+17
When modern Smartphones receive "Not in VLR". The baseband firmware apparently does not try to do an IMSI ATTACH but just remains un-happy and will not connect to the network anymore.
2013-12-27Revert "gsm_04_11: Speculative fix for MT SMS and SAPI 'n Reject"Holger Hans Peter Freyther1-2/+0
Let's revert it and see if we can find the real issue about the sms being invalid. Sylvain has pointed out that we get invoked from a timer and might not have stopped it properly. This reverts commit 80ba9b5dd62cc8bfd10dae2f3b63420ef1e8452d.
2013-12-27gsm_04_11: Speculative fix for MT SMS and SAPI 'n RejectHolger Hans Peter Freyther1-0/+2
I am not sure why it is crashing so this is a speculative fix based on something we already did in 3e9b2ec257bc064b866ce6a2735206dc6131f615. #0 sms_find_pending (smsq=0x2706300, sms=<optimized out>) at sms_queue.c:77 #1 sms_sms_cb (subsys=<optimized out>, signal=4, handler_data=0x26e2270, signal_data=0x7fffdac256c0) at sms_queue.c:396 #2 0x00007fcdea94394c in osmo_signal_dispatch (subsys=1, signal=4, signal_data=0x7fffdac256c0) at signal.c:105 #3 0x000000000042acc0 in send_signal (sig_no=<optimized out>, trans=<optimized out>, sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:124 #4 0x000000000042c8e2 in gsm411_sapi_n_reject (conn=0x2722d30) at gsm_04_11.c:999 #5 0x00000000004085d3 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>) at bsc_api.c:733 #6 rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>, rllr_ind=<optimized out>) at bsc_api.c:755 #7 rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>, rllr_ind=<optimized out>) at bsc_api.c:736 #8 0x000000000041f522 in complete_rllr (rllr=<optimized out>, type=<optimized out>) at bsc_rll.c:55 #9 0x00007fcdea9433bc in osmo_timers_update () at timer.c:243 #10 0x00007fcdea94369b in osmo_select_main (polling=0) at select.c:133 #11 0x0000000000406fbc in main (argc=9, argv=<optimized out>) at bsc_hack.c:346
2013-12-26sms: Move to gsm_7bit_encode_n in the sms sending codeHolger Hans Peter Freyther1-1/+2
Do not rely on the potential wrong gsm_7bit_encode result but use gsm_7bit_encode_n with maximum available space.
2013-12-26ussd: Move to use gsm_7bit_encode_n_ussd for USSD encodingHolger Hans Peter Freyther1-1/+1
The legacy functions have a bad/wrong return value for the number of septets in the string. Change the code to use the new functions which will fix encoding issues as well.