aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarald Welte <laforge@gnumonks.org>2017-10-31 15:29:35 -0400
committerHarald Welte <laforge@gnumonks.org>2017-12-05 14:54:59 +0000
commit5b70bb673d5857cc2208712d3bbab29fd650cb09 (patch)
treef0d8333fa5f8af4714a4a6dab9e6c5715adb7115
parent70c4dc8d706973c65e6bf088156f5862f4e036b4 (diff)
DTX: avoid illegal character contained in DTX FSM allocation which causes BTS crash
Problem: lchan->tch.dtx.dl_amr_fsm struct failed to allocate in l1sap_chan_act routine in l1sap.c due to illegal characters contained in lchan->name which are passed to osmo_fsm_inst_alloc routine. As a result, lchan->tch.dtx.dl_amr_fsm is NULL causing BTS crashed (SEG FAULT) when trying to access this struct. Below is snapshot of crash log obtained by GDB: ... Fri Nov 24 18:13:55 2017 <0000> rsl.c:1653 payload type: 98 Fri Nov 24 18:13:55 2017 <0000> rsl.c:1463 (bts=0,trx=0,ts=2,ss=0) RSL Tx IPAC_MDCX_ACK (local 127.0.0.1:11538, remote 127.0.0.1:30012) Program received signal SIGSEGV, Segmentation fault. 0x00031930 in dtx_dl_amr_fsm_step (lchan=lchan@entry=0xb69592a8, rtp_pl=rtp_pl@entry=0x87ae8 " \024\351Y\363_\337\345\351f\177\373\300\210\201\200\210", rtp_pl_len=17, fn=1728481, l1_payload=0x10dd25 "", marker=marker@entry=true, len=len@entry=0x10ddc4 "\024", ft_out=0xbefff7d7 "\002", ft_out@entry=0xbefff7cf "\276\341_\032") at msg_utils.c:233 233 msg_utils.c: No such file or directory. ... Fix: * Use different formatting for lchan name passed to osmo_fsm_inst_alloc routine * Refuse channel activation if FSM could not be generated (as opposed to crash) Related: OS#2606 Reported-by: Minh-Quang Nguyen <minh-quang.nguyen@nutaq.com> Change-Id: I929ce3703dc57acf8db569ae0e346265644d0b3c
-rw-r--r--src/common/l1sap.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/common/l1sap.c b/src/common/l1sap.c
index d2941108..18aee935 100644
--- a/src/common/l1sap.c
+++ b/src/common/l1sap.c
@@ -1354,12 +1354,20 @@ int l1sap_chan_act(struct gsm_bts_trx *trx, uint8_t chan_nr, struct tlv_parsed *
return -RSL_ERR_EQUIPMENT_FAIL;
/* Init DTX DL FSM if necessary */
- if (trx->bts->dtxd && lchan->type != GSM_LCHAN_SDCCH)
+ if (trx->bts->dtxd && lchan->type != GSM_LCHAN_SDCCH) {
+ char name[32];
+ snprintf(name, sizeof(name), "bts%u-trx%u-ts%u-ss%u", lchan->ts->trx->bts->nr,
+ lchan->ts->trx->nr, lchan->ts->nr, lchan->nr);
lchan->tch.dtx.dl_amr_fsm = osmo_fsm_inst_alloc(&dtx_dl_amr_fsm,
tall_bts_ctx,
lchan,
LOGL_DEBUG,
- lchan->name);
+ name);
+ if (!lchan->tch.dtx.dl_amr_fsm) {
+ l1sap_chan_act_dact_modify(trx, chan_nr, PRIM_INFO_DEACTIVATE, 0);
+ return -RSL_ERR_EQUIPMENT_FAIL;
+ }
+ }
return 0;
}