authorVadim Yanitskiy <axilirator@gmail.com>2019-01-18 16:01:50 +0700
committerVadim Yanitskiy <axilirator@gmail.com>2019-02-01 18:55:54 +0000
commitc7de62cc53fa6ad985015403dd9af8f1627136a0 (patch)
tree619e05fb725a4baa614d7566b9abc688a6f0ef46
parentcfd058dbf153ee95a9338fe1966eead3a6189238 (diff)
libmsc/gsm_04_11.c: introduce and use gsm411_assign_sm_rp_mr()
Initially, it was assumed that if there is no active RAN connection, we can just start counting from 0x00, as there are no other SMS related transactions, and the transaction itself is allocated using talloc_zero(). Until now it was looking good, but... As soon as we establish a RAN connection with the subscriber, we already have a transaction with SM-RP-MR 0x00, but conn->next_rp_ref also remains 0x00 - it isn't being increased! It means that we can face a SM-RP-MR conflict (or collision) if another MT SMS arrives at the MSC (from SMSC over GSUP) while this transaction is still active, i.e. the first SMS is still being sent, because conn->next_rp_ref++ would return 0x00 again. Moreover, there might already be a MO SMS transaction, and using the conn->next_rp_ref counter wouldn't prevent us from having a duplicate SM-RP-MR value. Let's get rid of this per-connection counter, and introduce a function instead, that would iterate over existing transactions and look for an unused SM-RP-MR value. This change makes the following test cases pass: - TC_gsup_mt_sms_rp_mr, - TC_gsup_mo_mt_sms_rp_mr. Discovered by: Neels Hofmeyr Related Change-Id: (TTCN) I3a52d44f4abde9b6b471b9108c1cee905884c9bc Related Change-Id: (TTCN) I17cbbaa64d9bce770f985588e93cd3eecd732120 Change-Id: Ife6d954c46b7d8348a4221ab677d0355eb3ee7ac
-rw-r--r--include/osmocom/msc/ran_conn.h2
-rw-r--r--src/libmsc/gsm_04_11.c32
2 files changed, 29 insertions, 5 deletions
diff --git a/include/osmocom/msc/ran_conn.h b/include/osmocom/msc/ran_conn.h
index bec7201a1..affebc8d9 100644
--- a/include/osmocom/msc/ran_conn.h
+++ b/include/osmocom/msc/ran_conn.h
@@ -102,8 +102,6 @@ struct ran_conn {
/* LU expiration handling */
uint8_t expire_timer_stopped;
- /* SMS helpers for libmsc */
- uint8_t next_rp_ref;
/* Are we part of a special "silent" call */
int silent_call;
diff --git a/src/libmsc/gsm_04_11.c b/src/libmsc/gsm_04_11.c
index 2f39b0656..1edf2d415 100644
--- a/src/libmsc/gsm_04_11.c
+++ b/src/libmsc/gsm_04_11.c
@@ -1028,6 +1028,30 @@ static struct gsm_trans *gsm411_trans_init(struct gsm_network *net, struct vlr_s
return trans;
}
+/* Assigns an (unused) SM-RP-MR value to a given transaction */
+static int gsm411_assign_sm_rp_mr(struct gsm_trans *trans)
+{
+ uint8_t mr;
+
+ /* After allocation a given transaction has zero-initialized
+ * SM-RP-MR value, so trans_find_by_sm_rp_mr() may consider
+ * 0x00 as used. This is why we "poison" this transaction
+ * using the highest value. */
+ trans->sms.sm_rp_mr = 0xff;
+
+ /* According to 8.2.3, MR is in the range 0 through 255 */
+ for (mr = 0x00; mr < 0xff; mr++) {
+ if (trans_find_by_sm_rp_mr(trans->net, trans->vsub, mr))
+ continue; /* this MR is busy, find another one */
+ /* An unused value has been found, assign it */
+ trans->sms.sm_rp_mr = mr;
+ return 0;
+ }
+
+ /* All possible values are busy */
+ return -EBUSY;
+}
+
static struct gsm_trans *gsm411_alloc_mt_trans(struct gsm_network *net,
struct vlr_subscr *vsub)
{
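Review bot: The comment above the loop in gsm411_assign_sm_rp_mr() says MR ranges 0 through 255, but `mr < 0xff` stops at 0xfe, so 0xff is never handed out; that is not an oversight, since 0xff is the sentinel written into trans->sms.sm_rp_mr just above and the strict bound is also what keeps the `uint8_t` counter from wrapping into an endless loop, but neither reason is stated. I would replace the comment with `/* 8.2.3 allows 0..255, but 0xff is reserved as the "unassigned" sentinel above; the strict bound also keeps the uint8_t loop from wrapping. */`. A second point worth a comment or a follow-up: the search always restarts at 0x00, so the value of a transaction that has just been freed is handed to the very next MT SMS, which lets a late RP-ACK/RP-ERROR from the MS be matched against the new transaction; the per-connection counter this replaces spaced such reuse out, this scheme does not. Whether that window is reachable depends on when trans_free() runs relative to the MS response, which is not visible here; starting the scan from the last assigned value would close it cheaply.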
@@ -1052,9 +1076,11 @@ static struct gsm_trans *gsm411_alloc_mt_trans(struct gsm_network *net,
if (!trans)
return NULL;
- if (conn) {
- /* Generate unique RP Message Reference */
- trans->sms.sm_rp_mr = conn->next_rp_ref++;
+ /* Assign a unique SM-RP Message Reference */
+ if (gsm411_assign_sm_rp_mr(trans) != 0) {
+ LOGP(DLSMS, LOGL_ERROR, "Failed to assign SM-RP-MR\n");
+ trans_free(trans);
+ return NULL;
}
/* Use SAPI 3 (see GSM 04.11, section 2.3) */
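Review bot: The error log added before trans_free() does not say which subscriber ran out of SM-RP-MR values, and since gsm411_assign_sm_rp_mr() only fails when all 255 assignable values are in use for one subscriber, that is exactly the case an operator would need to attribute; I would include the subscriber, e.g. `LOGP(DLSMS, LOGL_ERROR, "%s: Failed to assign SM-RP-MR (all values in use)\n", vlr_subscr_name(vsub));` using whichever subscriber-naming helper this file already uses. Dropping the `if (conn)` guard also means `conn` is no longer referenced in this hunk; if it was only used here it is now an unused local and should be removed together with its lookup. gsm411_alloc_mt_trans() starts before and continues after this hunk.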