author | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-11-08 18:50:25 +0100 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-11-08 18:50:29 +0100 |
commit | de80976d94ca0f38651dcdc6c337d53e7f2ee04a (patch) | |
tree | cf04130a34faa27b03d6fc2ef8b83e2c55654b95 | |
parent | 284314ab0a3ff64db0ebd42f9f05ae60c60bf6c0 (diff) |
gmm: Fix assertion hit during RA UPD REQ before completing gmm attach
Output:
20191107021548500 DMM <0002> gprs_gb.c:40 MM_STATE_Gb(2596296189)[0x6120000084a0]{Idle}: Received Event E_MM_PDU_RECEPTION
20191107021548500 DMM <0002> gprs_gmm.c:1531 MM(/d4b6d7af) -> GMM RA UPDATE REQUEST type="RA updating"
20191107021548501 DMM <0002> gprs_gmm.c:1615 MM(/d4b6d7af) The MM context cannot be used, RA: 901-70-2758-208
Assert failed mmctx->gb.llme == NULL gprs_gmm.c:1620
Scenario reproducing the crash can be triggered with TTCN3
SGSN_Tests.TC_attach_req_id_req_ra_update.
Basically, SGSN first receives an ATTACH REQ with a given RA ID, then
SGSN switches to state CommonProcedureInitiated and sends GMM ID REQ,
and MS/PCU answers immediately with a RA Update instead with a new RA
ID.
Related: OS#3957, OS#4245
Change-Id: I64fa5cf1b427d3abb99e553e584897261a827ce6
-rw-r--r-- | src/sgsn/gprs_gmm.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/sgsn/gprs_gmm.c b/src/sgsn/gprs_gmm.c index b6b16854b..17daa7dcd 100644 --- a/src/sgsn/gprs_gmm.c +++ b/src/sgsn/gprs_gmm.c @@ -1615,9 +1615,9 @@ static int gsm48_rx_gmm_ra_upd_req(struct sgsn_mm_ctx *mmctx, struct msgb *msg, osmo_rai_name(&mmctx->ra)); /* mmctx is set to NULL and gprs_llgmm_unassign(llme) will be called below, let's make sure we don't keep dangling llme - pointers in mmctx (OS#3957). */ + pointers in mmctx (OS#3957, OS#4245). */ if (mmctx->ran_type == MM_CTX_T_GERAN_Gb) - OSMO_ASSERT(mmctx->gb.llme == NULL); + mmctx->gb.llme = NULL; mmctx = NULL; } |
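Review bot: The new `mmctx->gb.llme = NULL;` in gsm48_rx_gmm_ra_upd_req() drops the context's LLME reference without anything in the visible lines showing that this is the same LLME that the comment says is later passed to gprs_llgmm_unassign(llme). If the two can differ, the one previously held in mmctx is orphaned rather than released, so either state in the comment that they are always identical at this point or unassign the old one explicitly before clearing the field. Two further points on the same lines: the old mmctx stays allocated (only the local pointer is set to NULL) and, per the commit message, is in state CommonProcedureInitiated with a GMM ID REQ outstanding, so it is worth confirming that its timers and any later handling for that context tolerate a NULL gb.llme on a GERAN Gb context. And since this branch is now a normal path reachable by a peer sending an RA Update mid-attach, rather than a condition assumed impossible, a log line noting that a non-NULL llme was cleared would keep the event visible when diagnosing OS#3957 or OS#4245 style reports.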