authorPau Espin Pedrol <pespin@sysmocom.de>2021-01-26 19:13:43 +0100
committerPau Espin Pedrol <pespin@sysmocom.de>2021-01-29 12:59:30 +0100
commita06ac18d2249ba16fb9272ba83a3b1a9453a3134 (patch)
tree38573e1808819bd8745ad12fdf16e2f4dabd918e
parent41a22a7ab816df7de9cbd4f398e106cc77dd81a5 (diff)
NACC: Send only Pkt Cell Chg Continue if SI retrieve fails
If for some reason we fail to fetch SI of target cell, we move directly to NACC_ST_TX_CELL_CHG_CONTINUE in order to submit a Cell Change Continue against the MS without providing any Packet Neighbor Cell Data beforehand, as per spec that's probably the best we can do in this scenario (TS 44.060): """ 1) The network responds with a PACKET CELL CHANGE CONTINUE message. If a mobile station as response to a PACKET CELL CHANGE NOTIFICATION message receives a PACKET CELL CHANGE CONTINUE message without receiving any neighbour cell system information, the mobile station shall stop timer T3208, stop timer T3210 if still running, leave CCN mode and continue cell reselection in NC0/NC1 mode. """ This commit also fixes a use-after-free triggered by TTCN3 test TC_nacc_outbound_rac_ci-resolve_fail_parse_response, where the "cmd" pointer passed to nacc_fsm_ctrl_reply_cb() was freed during FSM termination (its talloc ctx was under ctx->neigh_ctrl_conn) and the libosmocore code calling that callback was later on accessing cmd->defer. Since, due to this change, the FSM is no longer synchronously freed, the issue is gone. Related: SYS#4909 Change-Id: Ie3f12a08ad611b1086d3f4ab7c3d34af43c07961
-rw-r--r--src/nacc_fsm.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/nacc_fsm.c b/src/nacc_fsm.c
index 85e29c54..fcf4b586 100644
--- a/src/nacc_fsm.c
+++ b/src/nacc_fsm.c
@@ -342,7 +342,7 @@ static void st_wait_resolve_rac_ci_on_enter(struct osmo_fsm_inst *fi, uint32_t p
err_term:
talloc_free(cmd);
- osmo_fsm_inst_term(fi, OSMO_FSM_TERM_ERROR, NULL);
+ nacc_fsm_state_chg(fi, NACC_ST_TX_CELL_CHG_CONTINUE);
}
@@ -383,14 +383,14 @@ static void st_wait_request_si_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_
/* SI info not in cache, resolve it using RIM procedure against SGSN */
if (fill_rim_ran_info_req(ctx, &pdu) < 0) {
- osmo_fsm_inst_term(fi, OSMO_FSM_TERM_ERROR, NULL);
+ nacc_fsm_state_chg(fi, NACC_ST_TX_CELL_CHG_CONTINUE);
return;
}
rc = bssgp_tx_rim(&pdu, gprs_ns2_nse_nsei(ctx->ms->bts->nse));
if (rc < 0) {
LOGPFSML(fi, LOGL_ERROR, "Failed transmitting RIM PDU: %d\n", rc);
- osmo_fsm_inst_term(fi, OSMO_FSM_TERM_ERROR, NULL);
+ nacc_fsm_state_chg(fi, NACC_ST_TX_CELL_CHG_CONTINUE);
return;
}
}
@@ -578,7 +578,7 @@ void nacc_fsm_ctrl_reply_cb(struct ctrl_handle *ctrl, struct ctrl_cmd *cmd, void
cmd->type, cmd->variable, osmo_escape_str(cmd->reply, -1));
if (cmd->type != CTRL_TYPE_GET_REPLY || !cmd->reply) {
- osmo_fsm_inst_term(ctx->fi, OSMO_FSM_TERM_ERROR, NULL);
+ nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE);
return;
}
@@ -618,7 +618,7 @@ void nacc_fsm_ctrl_reply_cb(struct ctrl_handle *ctrl, struct ctrl_cmd *cmd, void
free_ret:
talloc_free(tmp);
- osmo_fsm_inst_term(ctx->fi, OSMO_FSM_TERM_ERROR, NULL);
+ nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE);
return;
}
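Review bot: The use-after-free fix in nacc_fsm_ctrl_reply_cb now depends on NACC_ST_TX_CELL_CHG_CONTINUE never tearing down ctx->fi synchronously, because the ctrl code still touches cmd->defer after this callback returns, yet nothing in the two hunks at lines 40-46 and 47-53 records that constraint. Suggest a comment above each new nacc_fsm_state_chg(ctx->fi, ...) call there: `/* Must not terminate fi here: cmd lives under ctx->neigh_ctrl_conn and the caller still uses it after we return */`. Whether the on_enter handler of that state can itself terminate the FSM (which would reintroduce the same free) is not visible on this page and should be checked before merging. In the first hunk the label `err_term:` no longer terminates anything; renaming it, e.g. `err_continue:`, would keep it honest. The enclosing functions start outside each hunk.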