The ctr field of the osmux header is 3 bits long, make sure we
don't run over that boundary. This should not happen in practice
unless we have to deal with network congestion or broken RTP
stacks, but osmux should not crash in that case.
|
|
Make sure that osmux_replay_lost_packets() doesn't try to fill gaps
if we see RTP messages whose sequence number is in the past.
|
|
With the fan-out approach to test multi-batch added in (078d532 tests:
osmux: test multi-batch support), this doesn't need the explicit
skip as there are already gaps to be filled.
|
|
Extend this to test multi-batch in one packet support, e.g.
OSMUX message (len=158) OSMUX seq=016 ccid=000 ft=1 ctr=6 amr_f=0 amr_q=1
amr_ft=02 amr_cmr=02 ff d4 f9 ff fb e7 eb f9 9f f8 f2 26 33 65 54 ff d4 f9 ff
fb e7 eb f9 9f f8 f2 26 33 65 54 ff d4 f9 ff fb e7 eb f9 9f f8 f2 26 33 65 54
ff d4 f9 ff fb e7 eb f9 9f f8 f2 26 33 65 54 ff d4 f9 ff fb e7 eb f9 9f f8 f2
26 33 65 54 ff d4 f9 ff fb e7 eb f9 9f f8 f2 26 33 65 54 ff d4 f9 ff fb e7 eb
f9 9f f8 f2 26 33 65 54 ]OSMUX seq=017 ccid=001 ft=1 ctr=2 amr_f=0 amr_q=1
amr_ft=02 amr_cmr=02 ff d4 f9 ff fb e7 eb f9 9f f8 f2 26 33 65 54 ff d4 f9 ff
fb e7 eb f9 9f f8 f2 26 33 65 54 ff d4 f9 ff fb e7 eb f9 9f f8 f2 26 33 65 54 ]
|
|
This patch is a cleanup. Pass the pointer to the header, so we don't
need to obtain it from the message buffer again.
|
|
With this patch, osmux_xfrm_input() returns 0 (means "message has been
processed") instead of 1 (means "retry") if the RTP message is too big
to fit into one osmux batch. This fixes a likely infinite loop in the
caller, which will retry forever for a message that does not fit into the
batch.
Unlikely to happen in a normal scenario, as RTP+AMR messages are way
smaller than the interface MTU.
|
|
|
|
Use AMR_FT_MAX instead of 9. This patch is a cleanup.
|
|
The AMR FT field is used to infer the length of the payload, if
a value higher than 8 (SID) is received, skip it.
This fixes a possible crash in osmux_snprintf() in case we receive
a malformed osmux header.
This also addresses the crash described in c733ae5b6e.
|
|
valgrind reports the following crash backtrace:
!<001c> osmux.c:687 No room for OSMUX payload: only 49 bytes
==12800==
==12800== Process terminating with default action of signal 11 (SIGSEGV)
==12800== Access not within mapped region at address 0xDFA8E473
==12800== at 0x4073FD2: osmux_snprintf (osmux.c:628)
==12800== by 0x80524F1: osmux_deliver (osmux.c:50)
==12800== by 0x407371C: osmux_xfrm_input_deliver (osmux.c:302)
==12800== by 0x4073792: osmux_batch_timer_expired (osmux.c:312)
==12800== by 0x405A4A0: osmo_timers_update (timer.c:243)
==12800== by 0x405A79A: osmo_select_main (select.c:133)
==12800== by 0x8049A53: main (mgcp_main.c:307)
The problem is that osmux_snprintf() is not handling multi-batch
messages (i.e. messages that contain several osmux batches). More
specifically, the offset to print the osmux batches was reset
when parsing every osmux batch.
The problem also manifested with wrong outputs.
Reported by Mattias Lundstrom.
|
|
|
|
Valgrind complains about a possible use after free:
==12800== Invalid read of size 4
==12800== at 0x4073DF6: osmux_tx_sched (linuxlist.h:119)
==12800== by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261)
==12800== by 0x453F967: ???
==12800== Address 0x453f710 is 48 bytes inside a block of size 145 free'd
==12800== at 0x402750C: free (vg_replace_malloc.c:427)
==12800== by 0x4064ADE: talloc_free (talloc.c:609)
==12800== by 0x405AAAA: msgb_free (msgb.c:72)
==12800== by 0x8052492: scheduled_tx_bts_cb (osmux.c:196)
==12800== by 0x4072CF8: osmux_tx_cb (osmux.c:554)
==12800== by 0x4073F03: osmux_tx_sched (osmux.c:582)
==12800== by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261)
==12800== by 0x453F967: ???
The problem is that osmux_tx_sched may immediately call osmux_tx_cb for
the first extracted RTP message from the osmux batch, which releases the
message after that.
Remove the message from our list of messages to be transmitted before
the message is passed to the tx callback.
Reported by Mattias Lundstrom.
|
|
|
|
|
|
|
|
Avoid spamming lots of cloned RTP packets in case of severe
gaps.
|
|
Holger spotted that the caller may loop forever in case it receives
big RTP/RTCP packets, that are likely to be spoofed.
|
|
Reported by Holger.
|
|
Double timing validation to avoid hitting errors easily.
|
|
Disable timing debugging by default.
|
|
Emulate RTP message loss to test osmux_replay_lost_packets code
in src/osmux.c.
After this test, lcov reports 90.3% line coverage of osmux.c
|
|
Make sure all strings are null-terminated.
Spotted by Holger Hans Peter Freyther.
|
|
It was not matching with the current code.
|
|
According to RFC3267, AMR FT upper 9 should be discarded. This patch
adds extra validation to make sure that input RTP traffic encapsulating
AMR payload and OSMUX amr_ft field are OK with regards to that
restriction.
|
|
If the test takes longer than 10 seconds (it barely takes less than
a second according to `time'), bail out and report an error.
|
|
According to RFC3267, AMR FT 8 is reserved to SID and its size is
8 bytes.
|
|
Osmux infers the size of the AMR payload from the FT type.
Make sure we get enough data from the network according to
what we expect.
|
|
Use the library we just built instead of one already installed
in the system.
|
|
|
|
This patch adds the testsuite infrastructure and it populates it
with one test for osmux.
The osmux test makes sure that:
* We get the same number of RTP messages in the input and the output path.
* The payload of the RTP message is reconstructed correctly.
* The reconstructed timing is correct.
|
|
|
|
rtp.c:154:26: warning: The left operand to '/' is always 0
frame_diff = (usec_diff / 20000);
~~~~~~~~~ ^
rtp.c:157:43: warning: The left operand to '-' is always 0
long int frame_diff_excess = frame_diff - 1;
~~~~~~~~~~ ^
rtp.c:153:39: warning: The right operand to '+' is always 0
usec_diff = tv_diff.tv_sec * 1000000 + tv_diff.tv_usec;
^ ~~~~~~~~~~~~~~~
rtp.c:153:29: warning: The left operand to '*' is always 0
usec_diff = tv_diff.tv_sec * 1000000 + tv_diff.tv_usec;
~~~~~~~~~~~~~~ ^
4 warnings generated.
Reported by Holger Hans Peter Freyther.
|
|
git-version-gen was printing the version as UNKNOWN, create a new
tag to overcome this.
|
|
|
|
|
|
osmux.c:622:20: warning: Value stored to 'osmuxh' during its
initialization is never read
struct osmux_hdr *osmuxh = (struct osmux_hdr *)msg->data;
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reported by Holger Hans Peter Freyther.
|
|
|
|
|
|
If osmux notices a gap between two RTP packets, fill it with
the last RTP packet seen. Without this patch, 10% of packet loss
is enough to get garbage, with it we get glitches in the conversation
with 30%, and pretty much broken conversation with 40% of it.
|
|
This should reduce the amount of batch nodes that are created
by the maximum number of allowed circuit IDs.
|
|
Add sanity checking to avoid crashes on malformed OSMUX packets
|
|
Instead of using the osmuxh->circuit_id.
|
|
Useful for debugging purposes. Modify also examples to use it.
|
|
|
|
CC osmux-test-input.o
osmux-test-input.c:85:2: warning: initialization from incompatible pointer type [enabled by default]
osmux-test-input.c:85:2: warning: (near initialization for ‘h_input.deliver’) [enabled by default]
|
|
Don't make any assumption on the payload type.
|
|
Good for debugging leaks.
|
|
Use talloc_size not talloc. Should fix:
0xb779401a in rb_erase (node=0x200200, root=0xb779c908) at rbtree.c:230
0xb779401a in rb_erase (node=0x200200, root=0xb779c908) at rbtree.c:230
0xb778ee48 in osmo_timer_del (timer=0x94aacd0) at timer.c:110
0xb778ef65 in osmo_timer_add (timer=0x94aacd0) at timer.c:72
0xb778f03c in osmo_timer_schedule (timer=0x94aacd0, seconds=0, microseconds=64000)
0xb77360ff in osmux_xfrm_input (h=0x94a4280, msg=0x94b8a50, ccid=18) at osmux.c:390
Due to uninitialized batch structures.
|
|
ccid array was not initialized appropriately
|
|
|