From f76ed2d089acf4079828c810acb70acaa13892d7 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther <holger@moiji-mobile.com>
Date: Fri, 27 Dec 2013 22:47:09 +0100
Subject: sms: Fix crash on RLL Establish Request timeouts with active call

Sylvain pointed out that in the current crash log the transaction
we try to read the SMS from is actually a transaction for Call
Control. On AMD64 the struct layout is different and that leads to
a crash when the CC transaction is in front of the SMS transaction.

Look at the trans->protocol to fix the crash. The issue got
introduced in 6a3d765bf97349535602ed5b2b55d2093aa18d71 (2010)
when I added the SAPI N Reject handling.

 #0  smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
     at smpp_openbsc.c:284
 284		if (sms->source != SMS_SOURCE_SMPP)
 (gdb) bt
 #0  smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
     at smpp_openbsc.c:284
 #1  0x00007f424e4a094c in osmo_signal_dispatch (subsys=1, signal=4,
     signal_data=0x7fff33574ea0) at signal.c:105
 #2  0x000000000042b070 in send_signal (sig_no=<optimized out>, trans=<optimized out>,
     sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:125
 #3  0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
 #4  0x0000000000408983 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>)
     at bsc_api.c:733
 #5  rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>,
     rllr_ind=<optimized out>) at bsc_api.c:755
 #6  rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>,
     rllr_ind=<optimized out>) at bsc_api.c:736
 #7  0x000000000041f8d2 in complete_rllr (rllr=<optimized out>, type=<optimized out>)
     at bsc_rll.c:55
 #8  0x00007f424e4a03bc in osmo_timers_update () at timer.c:243
 #9  0x00007f424e4a069b in osmo_select_main (polling=0) at select.c:133
 #10 0x0000000000407394 in main (argc=<optimized out>, argv=0x7fff33575238) at bsc_hack.c:346
 (gdb) frame 3
 #3  0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
 1000				send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
 (gdb) p trans
 $1 = (struct gsm_trans *) 0xedba80
 (gdb) p *trans
  ....
          data = 0x1}}, sms = 0x3439323400000003}}}
 (gdb) p trans->protocol
 $4 = 3 '\003'
---
 openbsc/src/libmsc/gsm_04_11.c | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)

(limited to 'openbsc')

diff --git a/openbsc/src/libmsc/gsm_04_11.c b/openbsc/src/libmsc/gsm_04_11.c
index 19b6030c5..97a67ee53 100644
--- a/openbsc/src/libmsc/gsm_04_11.c
+++ b/openbsc/src/libmsc/gsm_04_11.c
@@ -988,19 +988,24 @@ void gsm411_sapi_n_reject(struct gsm_subscriber_connection *conn)
 
 	net = conn->bts->network;
 
-	llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry)
-		if (trans->conn == conn) {
-			struct gsm_sms *sms = trans->sms.sms;
-			if (!sms) {
-				LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no "
-					"SMS.\n");
-				continue;
-			}
-
-			send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
-			sms_free(sms);
-			trans->sms.sms = NULL;
-			trans_free(trans);
+	llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry) {
+		struct gsm_sms *sms;
+
+		if (trans->conn != conn)
+			continue;
+		if (trans->protocol != GSM48_PDISC_SMS)
+			continue;
+
+		sms = trans->sms.sms;
+		if (!sms) {
+			LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no SMS.\n");
+			continue;
 		}
+
+		send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
+		sms_free(sms);
+		trans->sms.sms = NULL;
+		trans_free(trans);
+	}
 }
 
-- 
cgit v1.2.3