author | Harald Welte <laforge@gnumonks.org> | 2017-10-31 15:29:35 -0400 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2017-12-05 14:54:59 +0000 |
commit | 5b70bb673d5857cc2208712d3bbab29fd650cb09 (patch) | |
tree | f0d8333fa5f8af4714a4a6dab9e6c5715adb7115 | |
parent | 70c4dc8d706973c65e6bf088156f5862f4e036b4 (diff) |
DTX: avoid illegal character contained in DTX FSM allocation which causes BTS crash
Problem:
The lchan->tch.dtx.dl_amr_fsm struct failed to allocate in the l1sap_chan_act routine
in l1sap.c due to illegal characters contained in lchan->name, which is passed to the
osmo_fsm_inst_alloc routine. As a result, lchan->tch.dtx.dl_amr_fsm is NULL,
causing the BTS to crash (SIGSEGV) when trying to access this struct.
Below is a snapshot of the crash log obtained with GDB:
...
Fri Nov 24 18:13:55 2017 <0000> rsl.c:1653 payload type: 98
Fri Nov 24 18:13:55 2017 <0000> rsl.c:1463 (bts=0,trx=0,ts=2,ss=0)
RSL Tx IPAC_MDCX_ACK (local 127.0.0.1:11538, remote 127.0.0.1:30012)
Program received signal SIGSEGV, Segmentation fault.
0x00031930 in dtx_dl_amr_fsm_step (lchan=lchan@entry=0xb69592a8,
rtp_pl=rtp_pl@entry=0x87ae8 " \024\351Y\363_\337\345\351f\177\373\300\210\201\200\210",
rtp_pl_len=17, fn=1728481, l1_payload=0x10dd25 "", marker=marker@entry=true,
len=len@entry=0x10ddc4 "\024", ft_out=0xbefff7d7 "\002",
ft_out@entry=0xbefff7cf "\276\341_\032") at msg_utils.c:233
233 msg_utils.c: No such file or directory.
...
Fix:
* Use a different formatting for the lchan name passed to the osmo_fsm_inst_alloc routine
* Refuse channel activation if the FSM could not be created (as opposed to crashing)
Related: OS#2606
Reported-by: Minh-Quang Nguyen <minh-quang.nguyen@nutaq.com>
Change-Id: I929ce3703dc57acf8db569ae0e346265644d0b3c
-rw-r--r-- | src/common/l1sap.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/common/l1sap.c b/src/common/l1sap.c index d2941108..18aee935 100644 --- a/src/common/l1sap.c +++ b/src/common/l1sap.c @@ -1354,12 +1354,20 @@ int l1sap_chan_act(struct gsm_bts_trx *trx, uint8_t chan_nr, struct tlv_parsed * return -RSL_ERR_EQUIPMENT_FAIL; /* Init DTX DL FSM if necessary */ - if (trx->bts->dtxd && lchan->type != GSM_LCHAN_SDCCH) + if (trx->bts->dtxd && lchan->type != GSM_LCHAN_SDCCH) { + char name[32]; + snprintf(name, sizeof(name), "bts%u-trx%u-ts%u-ss%u", lchan->ts->trx->bts->nr, + lchan->ts->trx->nr, lchan->ts->nr, lchan->nr); lchan->tch.dtx.dl_amr_fsm = osmo_fsm_inst_alloc(&dtx_dl_amr_fsm, tall_bts_ctx, lchan, LOGL_DEBUG, - lchan->name); + name); + if (!lchan->tch.dtx.dl_amr_fsm) { + l1sap_chan_act_dact_modify(trx, chan_nr, PRIM_INFO_DEACTIVATE, 0); + return -RSL_ERR_EQUIPMENT_FAIL; + } + } return 0; } |
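Review bot: the new failure path in l1sap_chan_act (the `if (!lchan->tch.dtx.dl_amr_fsm)` block) silently refuses the activation: it discards the return value of `l1sap_chan_act_dact_modify(trx, chan_nr, PRIM_INFO_DEACTIVATE, 0)` and emits no log line before `return -RSL_ERR_EQUIPMENT_FAIL;`, so an operator hitting this case again would only see an RSL activation NACK with no hint that the DTX DL FSM could not be allocated. Suggest adding a LOGP at error level naming the lchan and checking the result of the deactivation call. Also note that the locally built `name` buffer only sidesteps the root cause stated in the commit message, the illegal characters in lchan->name: any other consumer of lchan->name that validates identifiers will hit the same problem, so fixing how lchan->name is generated (or deriving it from this same "bts%u-trx%u-ts%u-ss%u" pattern) would be the more durable change. The 32-byte buffer is adequate for the four numeric fields, so no truncation concern there.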