DTX: avoid illegal character contained in DTX FSM allocation which causes BTS crash

Problem:

 The lchan->tch.dtx.dl_amr_fsm struct failed to allocate in the l1sap_chan_act routine
 in l1sap.c due to illegal characters contained in lchan->name, which is passed to
 the osmo_fsm_inst_alloc routine. As a result, lchan->tch.dtx.dl_amr_fsm is NULL,
 causing the BTS to crash (SEGFAULT) when trying to access this struct.

 Below is a snapshot of the crash log obtained with GDB:
 ...
 Fri Nov 24 18:13:55 2017 <0000> rsl.c:1653 payload type: 98
 Fri Nov 24 18:13:55 2017 <0000> rsl.c:1463 (bts=0,trx=0,ts=2,ss=0)
 RSL Tx IPAC_MDCX_ACK (local 127.0.0.1:11538, remote 127.0.0.1:30012)
 Program received signal SIGSEGV, Segmentation fault.
 0x00031930 in dtx_dl_amr_fsm_step (lchan=lchan@entry=0xb69592a8,
 rtp_pl=rtp_pl@entry=0x87ae8 " \024\351Y\363_\337\345\351f\177\373\300\210\201\200\210",
    rtp_pl_len=17, fn=1728481, l1_payload=0x10dd25 "", marker=marker@entry=true,
    len=len@entry=0x10ddc4 "\024", ft_out=0xbefff7d7 "\002",
    ft_out@entry=0xbefff7cf "\276\341_\032") at msg_utils.c:233
 233     msg_utils.c: No such file or directory.
 ...

Fix:
* Use different formatting for lchan name passed to osmo_fsm_inst_alloc routine
* Refuse channel activation if FSM could not be generated (as opposed to crash)

Related: OS#2606
Reported-by: Minh-Quang Nguyen <minh-quang.nguyen@nutaq.com>
Change-Id: I929ce3703dc57acf8db569ae0e346265644d0b3c
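The two parts of the fix described above, as an added example that is not code from the osmo-bts tree: a hypothetical identifier check standing in for the validation that rejects the old "(bts=0,trx=0,ts=2,ss=0)"-style name (the illegal-character list is an assumption, not libosmocore's own table), the new "bts%u-trx%u-ts%u-ss%u" format from the patch, and an activation stub that refuses instead of continuing with a NULL FSM pointer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed illegal-character set for an FSM instance id; the real check lives
 * in libosmocore and is not reproduced here. */
static const char illegal_chars[] = "., {}[]()<>|~\\^`'\"?=;/+*&%$#!";

/* Hypothetical stand-in for the id validation done at FSM allocation. */
bool fsm_id_valid(const char *id)
{
	if (!id || !*id)
		return false;
	for (; *id; id++)
		if (!isprint((unsigned char)*id) || strchr(illegal_chars, *id))
			return false;
	return true;
}

/* Old-style lchan->name (log prefix format) vs. the new id format from the fix. */
int format_fsm_id(char *buf, size_t len, bool new_format,
		  unsigned bts, unsigned trx, unsigned ts, unsigned ss)
{
	if (new_format)
		return snprintf(buf, len, "bts%u-trx%u-ts%u-ss%u", bts, trx, ts, ss);
	return snprintf(buf, len, "(bts=%u,trx=%u,ts=%u,ss=%u)", bts, trx, ts, ss);
}

/* Mirrors the activation path: 0 on success, -1 when allocation would fail.
 * Before the fix the caller kept going with a NULL pointer and crashed later
 * in dtx_dl_amr_fsm_step; refusing activation here is the safe outcome. */
int try_chan_act(bool new_format, unsigned bts, unsigned trx, unsigned ts, unsigned ss)
{
	char name[32];
	int n = format_fsm_id(name, sizeof(name), new_format, bts, trx, ts, ss);
	if (n < 0 || (size_t)n >= sizeof(name) || !fsm_id_valid(name))
		return -1;  /* refuse channel activation instead of crashing */
	return 0;
}

int main(void)
{
	printf("old name accepted: %d\n", try_chan_act(false, 0, 0, 2, 0) == 0);
	printf("new name accepted: %d\n", try_chan_act(true, 0, 0, 2, 0) == 0);
	return 0;
}
```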
Harald Welte 2017-10-31 15:29:35 -04:00
parent 70c4dc8d70
commit 5b70bb673d
1 changed file with 10 additions and 2 deletions


@ -1354,12 +1354,20 @@ int l1sap_chan_act(struct gsm_bts_trx *trx, uint8_t chan_nr, struct tlv_parsed *
return -RSL_ERR_EQUIPMENT_FAIL;
/* Init DTX DL FSM if necessary */
if (trx->bts->dtxd && lchan->type != GSM_LCHAN_SDCCH)
if (trx->bts->dtxd && lchan->type != GSM_LCHAN_SDCCH) {
char name[32];
snprintf(name, sizeof(name), "bts%u-trx%u-ts%u-ss%u", lchan->ts->trx->bts->nr,
lchan->ts->trx->nr, lchan->ts->nr, lchan->nr);
lchan->tch.dtx.dl_amr_fsm = osmo_fsm_inst_alloc(&dtx_dl_amr_fsm,
tall_bts_ctx,
lchan,
LOGL_DEBUG,
lchan->name);
name);
if (!lchan->tch.dtx.dl_amr_fsm) {
l1sap_chan_act_dact_modify(trx, chan_nr, PRIM_INFO_DEACTIVATE, 0);
return -RSL_ERR_EQUIPMENT_FAIL;
}
}
return 0;
}
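Review bot: the new failure branch (`if (!lchan->tch.dtx.dl_amr_fsm)`) deactivates the channel and returns -RSL_ERR_EQUIPMENT_FAIL without emitting any log line, so an operator who hits the refused activation gets no hint that the DTX FSM allocation failed; a LOGP at error level naming the lchan before the l1sap_chan_act_dact_modify() call would make the refusal diagnosable. A smaller point: the snprintf reaches the numbers through `lchan->ts->trx->bts->nr` and `lchan->ts->trx->nr` while the enclosing condition already uses the `trx` parameter (`trx->bts->dtxd`); using `trx->bts->nr` and `trx->nr` there would be shorter and consistent with the surrounding code.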