Age | Commit message | Author | Files | Lines |
|
The AMR FT field is used to infer the length of the payload; if
a value higher than 8 (SID) is received, skip it.
This fixes a possible crash in osmux_snprintf() in case we receive
a malformed osmux header.
This also addresses the crash described in c733ae5b6e.
|
|
valgrind reports the following crash backtrace:
!<001c> osmux.c:687 No room for OSMUX payload: only 49 bytes
==12800==
==12800== Process terminating with default action of signal 11 (SIGSEGV)
==12800== Access not within mapped region at address 0xDFA8E473
==12800== at 0x4073FD2: osmux_snprintf (osmux.c:628)
==12800== by 0x80524F1: osmux_deliver (osmux.c:50)
==12800== by 0x407371C: osmux_xfrm_input_deliver (osmux.c:302)
==12800== by 0x4073792: osmux_batch_timer_expired (osmux.c:312)
==12800== by 0x405A4A0: osmo_timers_update (timer.c:243)
==12800== by 0x405A79A: osmo_select_main (select.c:133)
==12800== by 0x8049A53: main (mgcp_main.c:307)
The problem is that osmux_snprintf() is not handling multi-batch
messages (i.e. messages that contain several osmux batches). More
specifically, the offset to print the osmux batches was reset
when parsing every osmux batch.
The problem also manifested with wrong outputs.
Reported by Mattias Lundstrom.
|
|
|
|
Valgrind complains about a possible use after free:
==12800== Invalid read of size 4
==12800== at 0x4073DF6: osmux_tx_sched (linuxlist.h:119)
==12800== by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261)
==12800== by 0x453F967: ???
==12800== Address 0x453f710 is 48 bytes inside a block of size 145 free'd
==12800== at 0x402750C: free (vg_replace_malloc.c:427)
==12800== by 0x4064ADE: talloc_free (talloc.c:609)
==12800== by 0x405AAAA: msgb_free (msgb.c:72)
==12800== by 0x8052492: scheduled_tx_bts_cb (osmux.c:196)
==12800== by 0x4072CF8: osmux_tx_cb (osmux.c:554)
==12800== by 0x4073F03: osmux_tx_sched (osmux.c:582)
==12800== by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261)
==12800== by 0x453F967: ???
The problem is that osmux_tx_sched may immediately call osmux_tx_cb for
the first extracted RTP message from the osmux batch, which releases the
message after that.
Remove the message from our list of messages to be transmitted before
the message is passed to the tx callback.
Reported by Mattias Lundstrom.
|
|
|
|
|
|
|
|
Avoid spamming lots of cloned RTP packets in case of severe
gaps.
|
|
Holger spotted that the caller may loop forever in case it receives
big RTP/RTCP packets that are likely to be spoofed.
|
|
Reported by Holger.
|
|
Double timing validation to avoid hitting errors easily.
|
|
Disable timing debugging by default.
|
|
Emulate RTP message loss to test osmux_replay_lost_packets code
in src/osmux.c.
After this test, lcov reports 90.3% line coverage of osmux.c
|
|
Make sure all strings are null-terminated.
Spotted by Holger Hans Peter Freyther.
|
|
It was not matching with the current code.
|
|
According to RFC3267, AMR FT upper 9 should be discarded. This patch
adds extra validation to make sure that input RTP traffic encapsulating
AMR payload and OSMUX amr_ft field are OK with regards to that
restriction.
|
|
If the test takes longer than 10 seconds (it barely takes less than
a second according to `time'), bail out and report an error.
|
|
According to RFC3267, AMR FT 8 is reserved to SID and its size is
8 bytes.
|
|
Osmux infers the size of the AMR payload from the FT type.
Make sure we get enough data from the network according to
what we expect.
|
|
Use the library we just built instead of one already installed
in the system.
|
|
|
|
This patch adds the testsuite infrastructure and it populates it
with one test for osmux.
The osmux test makes sure that:
* We get the same number of RTP messages in the input and the output path.
* The payload of the RTP message is reconstructed correctly.
* The reconstructed timing is correct.
|
|
|
|
rtp.c:154:26: warning: The left operand to '/' is always 0
frame_diff = (usec_diff / 20000);
~~~~~~~~~ ^
rtp.c:157:43: warning: The left operand to '-' is always 0
long int frame_diff_excess = frame_diff - 1;
~~~~~~~~~~ ^
rtp.c:153:39: warning: The right operand to '+' is always 0
usec_diff = tv_diff.tv_sec * 1000000 + tv_diff.tv_usec;
^ ~~~~~~~~~~~~~~~
rtp.c:153:29: warning: The left operand to '*' is always 0
usec_diff = tv_diff.tv_sec * 1000000 + tv_diff.tv_usec;
~~~~~~~~~~~~~~ ^
4 warnings generated.
Reported by Holger Hans Peter Freyther.
|
|
git-version-gen was printing the version as UNKNOWN; create a new
tag to overcome this.
|
|
|
|
|
|
osmux.c:622:20: warning: Value stored to 'osmuxh' during its
initialization is never read
struct osmux_hdr *osmuxh = (struct osmux_hdr *)msg->data;
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reported by Holger Hans Peter Freyther.
|
|
|
|
|
|
If osmux notices a gap between two RTP packets, fill it with
the last RTP packet seen. Without this patch, 10% of packet loss
is enough to get garbage; with it, we get glitches in the conversation
with 30%, and pretty much broken conversation with 40% of it.
|
|
This should reduce the amount of batch nodes that are created
by the maximum number of allowed circuit IDs.
|
|
Add sanity checking to avoid crashes on malformed OSMUX packets
|
|
Instead of using the osmuxh->circuit_id.
|
|
Useful for debugging purposes. Modify also examples to use it.
|
|
|
|
CC osmux-test-input.o
osmux-test-input.c:85:2: warning: initialization from incompatible pointer type [enabled by default]
osmux-test-input.c:85:2: warning: (near initialization for ‘h_input.deliver’) [enabled by default]
|
|
Don't make any assumption on the payload type.
|
|
Good for debugging leaks.
|
|
Use talloc_size not talloc. Should fix:
0xb779401a in rb_erase (node=0x200200, root=0xb779c908) at rbtree.c:230
0xb779401a in rb_erase (node=0x200200, root=0xb779c908) at rbtree.c:230
0xb778ee48 in osmo_timer_del (timer=0x94aacd0) at timer.c:110
0xb778ef65 in osmo_timer_add (timer=0x94aacd0) at timer.c:72
0xb778f03c in osmo_timer_schedule (timer=0x94aacd0, seconds=0, microseconds=64000)
0xb77360ff in osmux_xfrm_input (h=0x94a4280, msg=0x94b8a50, ccid=18) at osmux.c:390
Due to uninitialized batch structures.
|
|
ccid array was not initialized appropriately
|
|
|
|
The cmr is the requested codec for the other peer, the ft actually
contains the current codec mode. cmr may contain 15 which means
"don't care".
|
|
There will be one osmux_out_handle per endpoint.
|
|
|
|
|
|
|
|
Remove these functions:
- osmux_xfrm_input_get_ccid
- osmux_xfrm_input_register_ccid
The ccid will be managed by the BSC and it will be stored in the
mgcp_endpoint structure.
Also adjust all tests and examples using the API.
|
|
Shows up with gcc-4.7
ipa.c: In function 'osmo_ipa_rcvmsg_base':
ipa.c:210:6: warning: variable 'ret' set but not used [-Wunused-but-set-variabl
|
|
It should be 16000 and add DELTA_RTP_TIMESTAMP which is 160.
|