diff options
author | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2013-12-27 22:47:09 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2013-12-27 22:57:56 +0100 |
commit | f76ed2d089acf4079828c810acb70acaa13892d7 (patch) | |
tree | 091f2c1798080a55f475a704cbb6b8c9fbfa124d /openbsc/src/libmsc/gsm_04_11.c | |
parent | 900394acf3564066571bc83cf9419037fa0fa003 (diff) |
sms: Fix crash on RLL Establish Request timeouts with active call
Sylvain pointed out that in the current crash log the transaction
we try to read the SMS from is actually a transaction for Call
Control. On AMD64 the struct layout is different and that leads to
a crash when the CC transaction is in front of the SMS transaction.
Look at the trans->protocol to fix the crash. The issue got
introduced in 6a3d765bf97349535602ed5b2b55d2093aa18d71 (2010)
when I added the SAPI N Reject handling.
#0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
at smpp_openbsc.c:284
284 if (sms->source != SMS_SOURCE_SMPP)
(gdb) bt
#0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
at smpp_openbsc.c:284
#1 0x00007f424e4a094c in osmo_signal_dispatch (subsys=1, signal=4,
signal_data=0x7fff33574ea0) at signal.c:105
#2 0x000000000042b070 in send_signal (sig_no=<optimized out>, trans=<optimized out>,
sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:125
#3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
#4 0x0000000000408983 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>)
at bsc_api.c:733
#5 rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:755
#6 rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:736
#7 0x000000000041f8d2 in complete_rllr (rllr=<optimized out>, type=<optimized out>)
at bsc_rll.c:55
#8 0x00007f424e4a03bc in osmo_timers_update () at timer.c:243
#9 0x00007f424e4a069b in osmo_select_main (polling=0) at select.c:133
#10 0x0000000000407394 in main (argc=<optimized out>, argv=0x7fff33575238) at bsc_hack.c:346
(gdb) frame 3
#3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
1000 send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
(gdb) p trans
$1 = (struct gsm_trans *) 0xedba80
(gdb) p *trans
....
data = 0x1}}, sms = 0x3439323400000003}}}
(gdb) p trans->protocol
$4 = 3 '\003'
Diffstat (limited to 'openbsc/src/libmsc/gsm_04_11.c')
-rw-r--r-- | openbsc/src/libmsc/gsm_04_11.c | 31 |
1 files changed, 18 insertions, 13 deletions
diff --git a/openbsc/src/libmsc/gsm_04_11.c b/openbsc/src/libmsc/gsm_04_11.c index 19b6030c5..97a67ee53 100644 --- a/openbsc/src/libmsc/gsm_04_11.c +++ b/openbsc/src/libmsc/gsm_04_11.c @@ -988,19 +988,24 @@ void gsm411_sapi_n_reject(struct gsm_subscriber_connection *conn) net = conn->bts->network; - llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry) - if (trans->conn == conn) { - struct gsm_sms *sms = trans->sms.sms; - if (!sms) { - LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no " - "SMS.\n"); - continue; - } - - send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0); - sms_free(sms); - trans->sms.sms = NULL; - trans_free(trans); + llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry) { + struct gsm_sms *sms; + + if (trans->conn != conn) + continue; + if (trans->protocol != GSM48_PDISC_SMS) + continue; + + sms = trans->sms.sms; + if (!sms) { + LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no SMS.\n"); + continue; } + + send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0); + sms_free(sms); + trans->sms.sms = NULL; + trans_free(trans); + } } |