authorNeels Hofmeyr <neels@hofmeyr.de>2019-08-21 16:56:41 +0200
committerNeels Hofmeyr <neels@hofmeyr.de>2019-08-21 16:58:32 +0200
commit9a8da50c279009c075d911516ebef7ea390f7e3d (patch)
treebdd0534a4b71b9a7a069b7339ac6d43182a2cac4
parentff2650322ff5a880096cc03ec70b2f9f2c05c4ba (diff)
fix segfault: don't send CC REL on NULL msc_a
Apparently, if a conn disappears during an ongoing call, the CC code tried to send a CC REL on a NULL msc_a during cleanup, which led to a crash (cccamp2019). Guard against that.

Crash:
#0 msc_a_tx_dtap_to_i (msc_a=0x0, dtap=0x55a4bf2fa0f0) at ../../../../src/osmo-msc/src/libmsc/msc_a.c:1565
#1 0x000055a4be1bb03c in trans_tx_gsm48 (trans=0x55a4bf2d52a0, trans=0x55a4bf2d52a0, trans=0x55a4bf2d52a0, msg=<optimized out>) at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:82
#2 gsm48_cc_tx_release (trans=trans@entry=0x55a4bf2d52a0, arg=arg@entry=0x7ffdd731a0e0) at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:1101
#3 0x000055a4be1bee65 in _gsm48_cc_trans_free (trans=trans@entry=0x55a4bf2d52a0) at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:278
#4 0x000055a4be1ab654 in trans_free (trans=trans@entry=0x55a4bf2d52a0) at ../../../../src/osmo-msc/src/libmsc/transaction.c:170
#5 0x000055a4be1bd091 in mncc_tx_to_gsm_cc (net=<optimized out>, msg=msg@entry=0x55a4bf2d3b68) at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:1971
#6 0x000055a4be1bf1e5 in mncc_tx_to_cc (net=<optimized out>, arg=arg@entry=0x55a4bf2d3b68) at ../../../../src/osmo-msc/src/libmsc/gsm_04_08_cc.c:2049
#7 0x000055a4be18ed63 in mncc_sock_read (bfd=0x55a4bf2563b8, bfd=0x55a4bf2563b8) at ../../../../src/osmo-msc/src/libmsc/mncc_sock.c:121
#8 mncc_sock_cb (bfd=0x55a4bf2563b8, flags=1) at ../../../../src/osmo-msc/src/libmsc/mncc_sock.c:189
#9 0x00007fcfad607ce1 in osmo_fd_disp_fds (_eset=0x7ffdd731a9a0, _wset=0x7ffdd731a920, _rset=0x7ffdd731a8a0) at ../../../src/libosmocore/src/select.c:223
#10 osmo_select_main (polling=<optimized out>) at ../../../src/libosmocore/src/select.c:263
#11 0x000055a4be17dd56 in main (argc=3, argv=<optimized out>) at ../../../../src/osmo-msc/src/osmo-msc/msc_main.c:723
Change-Id: Ia1bb0410ad0618c182a5f6da06af342b6d483eff
-rw-r--r--src/libmsc/gsm_04_08_cc.c12
-rw-r--r--src/libmsc/msc_a.c9
2 files changed, 19 insertions, 2 deletions
diff --git a/src/libmsc/gsm_04_08_cc.c b/src/libmsc/gsm_04_08_cc.c
index f974e901e..52178614a 100644
--- a/src/libmsc/gsm_04_08_cc.c
+++ b/src/libmsc/gsm_04_08_cc.c
@@ -1074,8 +1074,16 @@ static int gsm48_cc_rx_release(struct gsm_trans *trans, struct msgb *msg)
static int gsm48_cc_tx_release(struct gsm_trans *trans, void *arg)
{
struct gsm_mncc *rel = arg;
- struct msgb *msg = gsm48_msgb_alloc_name("GSM 04.08 CC REL");
- struct gsm48_hdr *gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh));
+ struct msgb *msg;
+ struct gsm48_hdr *gh;
+
+ if (!trans->msc_a) {
+ LOG_TRANS(trans, LOGL_DEBUG, "Cannot send CC REL, there is no MSC-A connection\n");
+ return -EINVAL;
+ }
+
+ msg = gsm48_msgb_alloc_name("GSM 04.08 CC REL");
+ gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh));
gh->msg_type = GSM48_MT_CC_RELEASE;
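Review bot: The early `return -EINVAL` on the `!trans->msc_a` guard skips everything that follows `gh->msg_type = GSM48_MT_CC_RELEASE;` in gsm48_cc_tx_release, and the rest of that body lies outside this hunk. In the backtrace the caller is the trans_free cleanup path, where skipping is harmless, but if the remainder also updates transaction state or timers, any other caller reaching this function with a NULL msc_a would leave the transaction parked in its current state with no release in progress; please confirm that is acceptable or move the state update ahead of the guard. A short comment would also help the next reader, e.g. `/* The conn is already gone (see msc_a_tx_dtap_to_i's NULL guard); nothing to send the REL on, so bail out before allocating. */`. Separately, the DEBUG level here versus the ERROR level used for the same condition in msc_a_tx_dtap_to_i is presumably deliberate (expected during cleanup), but stating that in the comment avoids the two being "fixed" into agreement later.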
diff --git a/src/libmsc/msc_a.c b/src/libmsc/msc_a.c
index 553761fe3..b3e2e32c3 100644
--- a/src/libmsc/msc_a.c
+++ b/src/libmsc/msc_a.c
@@ -1562,6 +1562,15 @@ int msc_a_tx_dtap_to_i(struct msc_a *msc_a, struct msgb *dtap)
{
struct ran_msg ran_msg;
+ if (!msc_a) {
+ struct gsm48_hdr *gh = msgb_l3(dtap) ? : dtap->data;
+ uint8_t pdisc = gsm48_hdr_pdisc(gh);
+ LOGP(DMSC, LOGL_ERROR, "Attempt to send DTAP to NULL MSC-A, dropping message: %s %s\n",
+ gsm48_pdisc_name(pdisc), gsm48_pdisc_msgtype_name(pdisc, gsm48_hdr_msg_type(gh)));
+ msgb_free(dtap);
+ return -EIO;
+ }
+
if (msc_a->c.ran->type == OSMO_RAT_EUTRAN_SGS) {
/* The SGs connection to the MME always is at the MSC-A. */
return sgs_iface_tx_dtap_ud(msc_a, dtap);
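Review bot: The new NULL guard frees `dtap` before returning `-EIO`, which defines an ownership rule for the failure path: callers such as trans_tx_gsm48 in the backtrace must not free the msgb after a negative return, or this becomes a double free. The function continues past the hunk, so I cannot see whether its other error paths consume `dtap` the same way; if they do not, this path is inconsistent with them and one side should change, and if they do, a comment stating it (`/* Takes ownership of dtap on every path, including errors. */`) would make the contract explicit. The log decode also reads `gh` via `msgb_l3(dtap) ? : dtap->data` without checking that the msgb holds at least `sizeof(*gh)` bytes; guarding the decode with `if (msgb_length(dtap) >= sizeof(*gh))` keeps a diagnostic on an already-broken path from reading uninitialised data.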