sms: Fix crash on RLL Establish Request timeouts with active call

Sylvain pointed out that in the current crash log the transaction
we try to read the SMS from is actually a transaction for Call
Control. On AMD64 the struct layout is different and that leads to
a crash when the CC transaction is in front of the SMS transaction.

Check trans->protocol to fix the crash. The issue was
introduced in 6a3d765bf9 (2010)
when I added the SAPI N Reject handling.

 #0  smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
     at smpp_openbsc.c:284
 284		if (sms->source != SMS_SOURCE_SMPP)
 (gdb) bt
 #0  smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
     at smpp_openbsc.c:284
 #1  0x00007f424e4a094c in osmo_signal_dispatch (subsys=1, signal=4,
     signal_data=0x7fff33574ea0) at signal.c:105
 #2  0x000000000042b070 in send_signal (sig_no=<optimized out>, trans=<optimized out>,
     sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:125
 #3  0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
 #4  0x0000000000408983 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>)
     at bsc_api.c:733
 #5  rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>,
     rllr_ind=<optimized out>) at bsc_api.c:755
 #6  rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>,
     rllr_ind=<optimized out>) at bsc_api.c:736
 #7  0x000000000041f8d2 in complete_rllr (rllr=<optimized out>, type=<optimized out>)
     at bsc_rll.c:55
 #8  0x00007f424e4a03bc in osmo_timers_update () at timer.c:243
 #9  0x00007f424e4a069b in osmo_select_main (polling=0) at select.c:133
 #10 0x0000000000407394 in main (argc=<optimized out>, argv=0x7fff33575238) at bsc_hack.c:346
 (gdb) frame 3
 #3  0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
 1000				send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
 (gdb) p trans
 $1 = (struct gsm_trans *) 0xedba80
 (gdb) p *trans
  ....
          data = 0x1}}, sms = 0x3439323400000003}}}
 (gdb) p trans->protocol
 $4 = 3 '\003'
Holger Hans Peter Freyther 2013-12-27 22:47:09 +01:00
parent 900394acf3
commit f76ed2d089
1 changed files with 17 additions and 12 deletions


@ -988,19 +988,24 @@ void gsm411_sapi_n_reject(struct gsm_subscriber_connection *conn)
net = conn->bts->network;
llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry)
if (trans->conn == conn) {
struct gsm_sms *sms = trans->sms.sms;
if (!sms) {
LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no "
"SMS.\n");
continue;
}
llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry) {
struct gsm_sms *sms;
send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
sms_free(sms);
trans->sms.sms = NULL;
trans_free(trans);
if (trans->conn != conn)
continue;
if (trans->protocol != GSM48_PDISC_SMS)
continue;
sms = trans->sms.sms;
if (!sms) {
LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no SMS.\n");
continue;
}
send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
sms_free(sms);
trans->sms.sms = NULL;
trans_free(trans);
}
}
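Review bot: The new `if (trans->protocol != GSM48_PDISC_SMS)` guard is the entire fix, yet nothing at that line says why it has to come before the `sms = trans->sms.sms;` read, so a later reordering of the guards would silently reintroduce the crash; a why-comment would pin it, e.g. `/* trans->sms is only meaningful for SMS transactions; on a CC trans the same storage holds CC state (see the gdb dump in f76ed2d089) */`. The `if (!sms)` branch still only logs and continues, so an SMS transaction bound to this conn with no SMS attached stays on net->trans_list after the SAPI reject; that is pre-existing, and whether a `trans_free(trans)` belongs there depends on who else releases such a transaction, which is not visible here. The function's signature and local declarations lie before the hunk.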