authorHolger Hans Peter Freyther <holger@moiji-mobile.com>2013-07-31 21:59:29 +0200
committerIvan Kluchnikov <kluchnikovi@gmail.com>2013-09-04 21:29:00 +0400
commit9d938388f678e8c753e128199185f17a35a45247 (patch)
treeece4f4830cef79cd95595db9f4c089926abafbd3 /tests/emu/openbsc_clone.h
parentbc1e52cfbf89dc9c669281181f99dc5098ea8364 (diff)
emu: Add a crash re-producer for the SGSN (and the concept of tests)
Introduce the concept of tests that will be run one after the other. This new test will send a static message that will lead to the opening of a PDP context. At this point one should use ping with a large packet size and suspend/stop the emulator. Once the NS connection is considered dead the SGSN will crash with a double free. Reproduce: 0.) Add IMSI 901700000003094 to the ACL 1.) Stop/Suspend the emulation process so the NS Alive times out 2.) Use ping IP -s 2048 This will create a double free... #4 0xb7bb2646 in talloc_abort_double_free () at talloc.c:175 #5 0xb7bbd41a in talloc_chunk_from_ptr (ptr=0x8091208) at talloc.c:190 #6 _talloc_free (ptr=0x8091208) at talloc.c:517 #7 talloc_free (ptr=ptr@entry=0x8091208) at talloc.c:990 #8 0xb7bb319b in msgb_free (m=m@entry=0x8091208) at msgb.c:72 #9 0x0804db54 in sndcp_send_ud_frag (fs=0xbfffcc6c) at gprs_sndcp.c:423 #10 sndcp_unitdata_req (msg=msg@entry=0x808eed8, lle=0x808fbc8, nsapi=5 '\005', mmcontext=mmcontext@entry=0x80903e8) at gprs_sndcp.c:471
Diffstat (limited to 'tests/emu/openbsc_clone.h')
-rw-r--r--tests/emu/openbsc_clone.h32
1 files changed, 32 insertions, 0 deletions
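--- a/tests/emu/openbsc_clone.h
+++ b/tests/emu/openbsc_clone.h
@@ -23,6 +23,8 @@
 extern "C" {
 #endif
+#include <osmocom/gsm/protocol/gsm_04_08.h>
+
 #include <stdint.h>
 enum gprs_llc_cmd {
@@ -57,6 +59,36 @@ struct gprs_llc_hdr_parsed {
 int gprs_llc_hdr_parse(struct gprs_llc_hdr_parsed *ghp, const uint8_t *llc_hdr, int len);
+/* Table 10.4 / 10.4a, GPRS Mobility Management (GMM) */
+#define GSM48_MT_GMM_ATTACH_ACK 0x02
+
+/* Chapter 9.4.2 / Table 9.4.2 */
+struct gsm48_attach_ack {
+ uint8_t att_result:4, /* 10.5.5.7 */
+ force_stby:4; /* 10.5.5.1 */
+ uint8_t ra_upd_timer; /* 10.5.7.3 */
+ uint8_t radio_prio; /* 10.5.7.2 */
+ struct gsm48_ra_id ra_id; /* 10.5.5.15 */
+ uint8_t data[0];
+} __attribute__((packed));
+
+enum gsm48_gprs_ie_mm {
+ GSM48_IE_GMM_CIPH_CKSN = 0x08, /* 10.5.1.2 */
+ GSM48_IE_GMM_TIMER_READY = 0x17, /* 10.5.7.3 */
+ GSM48_IE_GMM_ALLOC_PTMSI = 0x18, /* 10.5.1.4 */
+ GSM48_IE_GMM_PTMSI_SIG = 0x19, /* 10.5.5.8 */
+ GSM48_IE_GMM_AUTH_RAND = 0x21, /* 10.5.3.1 */
+ GSM48_IE_GMM_AUTH_SRES = 0x22, /* 10.5.3.2 */
+ GSM48_IE_GMM_IMEISV = 0x23, /* 10.5.1.4 */
+ GSM48_IE_GMM_DRX_PARAM = 0x27, /* 10.5.5.6 */
+ GSM48_IE_GMM_MS_NET_CAPA = 0x31, /* 10.5.5.12 */
+ GSM48_IE_GMM_PDP_CTX_STATUS = 0x32, /* 10.5.7.1 */
+ GSM48_IE_GMM_PS_LCS_CAPA = 0x33, /* 10.5.5.22 */
+ GSM48_IE_GMM_GMM_MBMS_CTX_ST = 0x35, /* 10.5.7.6 */
+};
+
+extern const struct tlv_definition gsm48_gmm_att_tlvdef;
+
 #ifdef __cplusplus
 }
 #endif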
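Review bot: The packed struct `gsm48_attach_ack` depends on bit-field allocation order (`att_result:4, force_stby:4`), which C leaves implementation-defined, so the octet layout only matches the 24.008 wire format on compilers that allocate low-order bits first (GCC on the usual targets); since this header presumably overlays bytes exchanged with the SGSN under test, I would record that assumption beside the struct, e.g. `/* bit-field order is implementation-defined; assumes low-order-bits-first allocation (GCC) */`. `uint8_t data[0]` is a GNU zero-length array; the standard C99 form is the flexible array member `uint8_t data[];`, though keeping `[0]` is defensible if the file is meant to stay a verbatim clone of the openbsc definition. `extern const struct tlv_definition gsm48_gmm_att_tlvdef;` refers to a struct tag that nothing in this header defines; it likely arrives through `gsm_04_08.h`, but an explicit `#include <osmocom/gsm/tlv.h>` would keep the header self-contained and avoid a silently distinct tag if include order ever changes. The double free described in the commit message is in `gprs_sndcp.c`, so nothing in these declarations addresses or mitigates it; they only enable the reproducer.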