Even if it is using BSC/NITB types let's put it in the header
file than just declaring it at a place that could bitrot in a
way that doesn't lead a warning.
The "default-route" for SMPP will be used after a local
subscriber look-up. Sometimes we want to route everything
to SMPP. Make this possible by changing this routine.
The idea of "subscriber_get_channel" was that different
requests would be coordinated. At the same time we have
seen that the "queue" can get stuck at both 31C3 and the
rhizomatica installations.
Voice calls and SMS do not need coordination. We should
be able to send SMS on a voice channel and switch the MS
from a SDCCH to a TCH in case we establish a voice call.
The SMS code itself needs to coordinate to obey the limit
of one SMS per direction but this should be enforced in
the sms layer and not on the subscriber.
Modify the code to have a simple paging coordination. The
subscriber code will schedule the paging and register who
would like to know about success/failure.
This allowed to greatly simplify the paging response
handling for the transaction code (and in fact we could
move the transaction list into the subscriber structure
now). The code gained to support to cancel the notification
of a request (but not the paging itself yet).
TODO: Cancel paging request in case no one cares about it
anymore.
In case the default TCH/F codec is "EFR" and we do an early
assignment from SDCCH to a TCH we would assign the TCH/H
codec. This is because the lchan_type will be neither a
TCH/H nor a TCH/F.
At the same time the _gsm48_lchan_modify code to check for
half vs. full-rate is the other way around. Align both.
It is full-rate if it is not a TCH_H. This will have some
other complications down the way (early assignment on
cells with only TCH/H). So the mode should not depend on
the _current_ channel but the kind of channel we want.
Currently the handling of the buffers is not done consistently. Some
code assumes that the whole buffer may be used to store the string
while at other places, the last buffer byte is left untouched in the
assumption that it contains a terminating NUL-character. The latter
is the correct behaviour.
This commit changes to code to not touch the last byte in the buffers
and to rely on the last byte being NUL. So the maximum IMSI/IMEI
length is GSM_IMSI_LENGTH-1/GSM_IMEI_LENGTH-1.
For information: We assume that we allocate the structure with
talloc_zero. This means we have NULed the entire imsi array and then
only write sizeof - 1 characters to it. So the last byte remains NUL.
Fixes: Coverity CID 1206568, 1206567
Sponsored-by: On-Waves ehf
Currently some VTY command do neither check the length of the source
string before calling strncpy nor ensure NUL-termination afterwards.
This can to destination string buffers whose contents are not
NUL-teminated.
This commit adds checks and corresponding warnings to the VTY
commands 'subscriber TYPE ID name .NAME" and "subscriber TYPE ID
extension EXTENSION".
Fixes: Coverity CID 1206570, 1206569
Sponsored-by: On-Waves ehf
The write_queue is designed to have a maximum amount of pending
messages and will refuse to take new messages when it has been
reached. The caller can decide if it wants to flush the queue
and add the message again, create a log. But in all cases the
ownership of the msgb has not been transferred. Fix the potential
memory leak in the failure situation.
In case:
* No message_payload and a 0 sm_length was used
* esm_class indicates UDH being present
* 7bit encoding was requested
The code would execute:
ud_len = *sms_msg + 1;
Which is a NULL pointer dereference and would lead
to a crash of the NITB. Enforce the limits of the
sm_length parameter and reject the messae otherwise.
Fixes: Coverity CID 1042373
We are deferencing conn earlier in this function without doing
a null check. At the time deliver_to_esme is called the conn
will always exist and even the lchan is likely to be present.
Remove the null check for conn right now.
Fixes: Coverity CID 1210594
Move the "logging filter imsi IMSI" into the BTS/NITB code to
allow to set the gsm_subscriber and only compare it. This way
we simply compare the subscriber address and don't have to care
if the subscriber data is still valid.
This extends osmo_nitb to offer a UDP feed of real-time measurement
reports, which can be used by (a variety of) external tools for
visualization or other processing.
We also add a small ncurses based tool (meas_vis) which shows a
baragraph display of the last few mobile stations that were active,
indicating their uplink/downlink receive level and quality.
<WARNING>
This sends non-portable structures like gsm_meas_rep over UDP
and assumes the receiver has identical alignment and endianness! Before
this feature is merged, it either needs to be converted to a unix domain
socket (but they don't do multicast, which would be nice) or the wire
format needs to change into something portable with defined alignment
and encoding
</WARNING>
The trans_alloc function still uses the subscr object to access the
network object.
This patch adds an explicit net parameter to this function and
removes the access to subscr to obtain it.
Sponsored-by: On-Waves ehf
Currently every subcriber object directly refers to the gsm_network
which contains a flag shared by every related subscriber
(keep_subscr). This adds a dependency on gsm_network even if only the
function defined in gsm_subscriber_base.c are used.
This patch adds a new struct gsm_subscriber_group which contains the
keep_subscr flag and a back reference to the network object. The
latter is not dereferenced in gsm_subscriber_base.c, so it can safely
be set to NULL when only that part of the gsm_subscriber API is being
used. It also changes that API to use gsm_subscriber_group instead of
gsm_network parameters.
Since there are some places where a pointer to the gsm_network is
needed but where only a gsm_subscriber is available, a 'net' back
pointer is added to the group struct, too. Nevertheless subscr group
and network could be separated completely, but this is not the topic
of this commit.
Sponsored-by: On-Waves ehf
Currently the net pointer is obtained from trans->subscr->net. On the
other hand, the list gsm_trans object is managed by the net object.
This patch adds the back pointer to the structure and replaces all
trans->subscr->net by trans->net expressions. In trans_alloc() the
trans->net pointer is obtained from the subscr object.
Sponsored-by: On-Waves ehf
Currently the temporary string 'tmp' is freed before parts of it are
referenced. This lets address sanitizer complain when evaluating
strlen(imsi), where imsi points into the 'tmp' data block.
This patch moves the talloc_free to the end of the function and uses
a rc variable instead of using early returns.
Addresses:
testSubscriberAddRemove (__main__.TestCtrlNITB) ... Launch:
./src/osmo-nitb/osmo-nitb -c
./doc/examples/osmo-nitb/nanobts/openbsc.cfg -l test_hlr.sqlite3
Connecting to host 127.0.0.1:4249
Sending "SET 1000 subscriber-modify-v1 2620345,445566"
Decoded replies: {}
ERROR
Sponsored-by: On-Waves ehf
The type in the schema is integer but we need to use ulonglong to
read it as otherwise the read will fail.
DBI: -7: The requested variable type does not match what libdbi thinks it should be
The sender_id is gone so the code that attempted to delete SMS
didn't work anymore. Delete the SMS based on src_addr or the
dest_addr.
Fixes:
======================================================================
ERROR: testSubscriberAddRemove (__main__.TestCtrlNITB)
----------------------------------------------------------------------
Traceback (most recent call last):
File "tests/ctrl_test_runner.py", line 379, in testSubscriberAddRemove
r = self.do_set('subscriber-delete-v1', '2620345')
File "tests/ctrl_test_runner.py", line 114, in do_set
return self.recv_msgs()[id]
KeyError: 1002
This is mostly based on Alexander's migration code. The code
adds transaction handling and some sanity checks and cleanups
to the code. We made the decision to fork the sms_from_result
method and freeze it to that version. This way sms_from_result
can move forward without having to deal with legacy.
That was a bad idea from the very beginning. A visible result of this is a wrong
SMS routing when you change subscriber extensions, while having queued SMS. It's
also a very wrong thing from the code layering perspective.
I think the next logical step should be to remove "receiver" pointer from
the gsm_sms structure into a structure, special for the internal SMS queue.
This is an incompatible database schema change. Store the type of
the address in the database for both the sender and the receiver.
Currently it is possible to use SMPP to store a SMS and the NPI
and TON will be lost on the delivery of the SMS. The schema is
changed to make the delivery always use the right NPI/TON. This
patch is not ready for the master branch as there is no upgrade
path for the HLR yet.
Sadly there is no proper foreign key relationship on the tables
that related to the Subscriber. This means we can't use a DELETE
with Cascade and need to delete everything by hand. To make things
worse maybe the SMS/Paging code is still using the subscriber
making the operation more dangerous. I had added NULL checks for
sender_id/receiver_id at 30C3 so we should not crash in this
situation.
Fixes: SYS#274
The test has been manually verified. Executing the select for
the subscribers showed:
sqlite> select * from Subscriber;
1|2014-03-23 12:12:46|2014-03-23 12:19:09|2620345||445567|1||0|
This created a subscriber with the right IMSI, MSISDN and has
it authorized.
Fixes: SYS#275
The new definitions are: half rate and AMR
Change of definition name for bad frame, because it applies to all types of
traffic, not only TCH/F.
Increase MNCC interface version to 4. Version 3 is skipped, because it was
used by older version of Linux-Call-Router which is incompatible with the
current version of the MNCC interface.
The size parameter of msgb_alloc is uint16_t so any length value above
65535 will allocate a msgb with incorrect size.
This patch changes the type of rdlen and rc to ssize_t (the return value
of read) and guards against the read length being larger than
UINT16_MAX.
To reproduce the issue run:
echo -en "\x00\x01\x00\x01\x01" |socat stdin tcp:localhost:2775
The first 4 bytes are the length including the length field. For
length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail,
resulting in an abort. The code also expects (in smpp_msgb_cmdid()) the
existence of 4 more bytes for the SMPP command ID.
This patch checks that the length received is large enough to hold all
8 bytes in the msgb and drops the connection if that's not the case.
The issue is reproducible with:
echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775
Read returning -1 is an error here so make sure to print the actual
reason and close the socket. Before this patch we just looped over the
fd with read returning -1 every time.
EINTR is handled to not cause an error and we don't need to check
EAGAIN/EWOULDBLOCK since the callback is only called in case there is
something to read.
To avoid copy&paste issues the check is implemented as a macro and the
log message moved into a separate if.
When one SMS has been delivered check if a second SMS can be scheduled
to that subscriber. If nothing can be scheduled kick the normal SMS queue
as one slot has become free now. Otherwise send the SMS and create a
pending entry.
It was possible that two SMS would be delivered at the same time
which violates GSM 04.11. We should solely rely on the sms queue
to schedule more SMS to the subscriber.
As can clearly be seen from SMPP Spec v3.4 Chapter 5.2.19,
a SUBMIT-SM with data_coding == 0x08 is UCS2, not with 0x80.
Thanks to ciaby@rhizomatica.org for reporting the bug.
Each RP-DATA should have a unique msg reference. Currently 42 is
used for all of these. Remember the last reference we used and
increment it on the next SMS. Do not track if the reference is
still in use a clash is a lot less likely now. First unless SMPP
is used only one SMS is delivered at a time, second the transaction
space is a lot smaller than the one for the reference.
Incoming DTAP messages from MS are discarded during silent calls,
which leads to the repeated delivery of SMS since the ACKs are not
being processed.
This patch adds some log messages that have been helpful to track
this down.
Sponsored-by: On-Waves ehf
E1 based BTS use TRAU muxer to decode TRAU frames. After changing
channel from one timeslot to another (due to handover or assignment),
the TRAU muxer must be updated. The call reference of the call is
disconnected from the old channel and connected to the new channel.
The check is removed from gsm48_cc_rx_setup() and gsm48_cc_rx_call_conf().
Receiving a layer 3 message implies that the transaction has a subscriber
connection and a logical channel.
This patch fixes the Coverity issues with CID 115311 and CID 1155312.
Speech codings which are not supported by BTS will be removed from the
bearer capability information element after parsing. This way it is not
required for the MNCC application to consider support of each BTS.
Only GSM full rate is supported by default.
Currently the NET_DST information element (see GSM 24.008) is not
included in generated MM info messages even when the DST field in the
timezone info has been set via the VTY or the control interface.
This patch modifies gsm48_tx_mm_info() to append this information
element if (and only if) a non-zero DST has been configured. The
DST IE is not part of GSM 4.8. Therefore it will only be sent, if the
DST offset is configured to a value != 0.
The DST functionality has been verified with wireshark by Jacob.
Sponsored-by: On-Waves ehf
Currently we only set the SUBSCR on RSL messages. Extend it to
messages that go through MNCC. For call control/bridging it is
difficult to pick the right subscriber. We should support a list
or at least two legs in the imsi filter context.
In case the unpack of a USSD request is failing the channel would
remain open and the phone would not receive a response. Simply
reject the interrogation.
Example interrogation:
0000 1b 7b 1c 0d a1 0b 02 01 01 02 01 0e 30 03 04 01
0010 11 7f 01 00
Sylvain pointed out that in the current crash log the transaction
we try to read the SMS from is actually a transaction for Call
Control. On AMD64 the struct layout is different and that leads to
a crash when the CC transaction is in front of the SMS transaction.
Look at the trans->protocol to fix the crash. The issue got
introduced in 6a3d765bf9 (2010)
when I added the SAPI N Reject handling.
#0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
at smpp_openbsc.c:284
284 if (sms->source != SMS_SOURCE_SMPP)
(gdb) bt
#0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
at smpp_openbsc.c:284
#1 0x00007f424e4a094c in osmo_signal_dispatch (subsys=1, signal=4,
signal_data=0x7fff33574ea0) at signal.c:105
#2 0x000000000042b070 in send_signal (sig_no=<optimized out>, trans=<optimized out>,
sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:125
#3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
#4 0x0000000000408983 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>)
at bsc_api.c:733
#5 rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:755
#6 rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:736
#7 0x000000000041f8d2 in complete_rllr (rllr=<optimized out>, type=<optimized out>)
at bsc_rll.c:55
#8 0x00007f424e4a03bc in osmo_timers_update () at timer.c:243
#9 0x00007f424e4a069b in osmo_select_main (polling=0) at select.c:133
#10 0x0000000000407394 in main (argc=<optimized out>, argv=0x7fff33575238) at bsc_hack.c:346
(gdb) frame 3
#3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
1000 send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
(gdb) p trans
$1 = (struct gsm_trans *) 0xedba80
(gdb) p *trans
....
data = 0x1}}, sms = 0x3439323400000003}}}
(gdb) p trans->protocol
$4 = 3 '\003'
Avoid a crash when reading a SMS and a Subscriber could not be resolved.
It is not clear why the read was failing. The sender_id and the receiver_id
was valid for the given sms. I assume that the database has been locked
due external access to it.
The side-effect is that in case of such a failure the sms_queue will start
to deliver starting from subscriber id = 0 again.
#1 0x0000000000428bec in sms_from_result (net=0x156a270, result=0x15eda30) at db.c:1146
#2 0x000000000042a8e0 in db_sms_get_unsent_by_subscr (net=0x156a270,
min_subscr_id=<optimized out>, failed=<optimized out>) at db.c:1255
#3 0x000000000042e900 in take_next_sms (smsq=<optimized out>) at sms_queue.c:193
#4 sms_submit_pending (_data=0x158e300) at sms_queue.c:227
#5 0x00007f3fd30de3bc in osmo_timers_update () at timer.c:243
#6 0x00007f3fd30de69b in osmo_select_main (polling=0) at select.c:133
#7 0x0000000000406fbc in main (argc=9, argv=<optimized out>) at bsc_hack.c:346
(gdb) frame 1
#1 0x0000000000428bec in sms_from_result (net=0x156a270, result=0x15eda30) at db.c:1146
1146 strncpy(sms->src.addr, sms->sender->extension, sizeof(sms->src.addr)-1);
(gdb) p *sms
(gdb) p sms->sender
$1 = (struct gsm_subscriber *) 0x0
(gdb) p sender_id
$2 = <optimized out>
conn->loc_operation is already NULL (e.g. due a five second timeout but
we are still processing a RSL message after we initiated the release
procedure). Do not attempt to authorize a subcriber without knowing the
key_sequence.
This can cause more problems but we will need to test this in the field.
(gdb) bt
#0 gsm0408_authorize (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:323
#1 gsm0408_authorize (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:319
#2 0x000000000043a99a in mm_rx_id_resp (conn=0x19fc2f0, msg=<optimized out>)
at gsm_04_08.c:495
#3 gsm0408_rcv_mm (msg=<optimized out>, conn=0x19fc2f0) at gsm_04_08.c:1041
#4 gsm0408_dispatch (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:3232
(gdb) p *conn
$5 = {entry = {next = 0x1746930, prev = 0x1a14270}, subscr = 0x1745eb0,
expire_timer_stopped = 1 '\001', loc_operation = 0x0, sec_operation = 0x0,
anch_operation = 0x0, silent_call = 0, put_channel = 0, sccp_con = 0x0, in_release = 0,
lchan = 0x7f8c79007218, ho_lchan = 0x0, bts = 0x1719f90, T10 = {node = {
rb_parent_color = 0, rb_right = 0x0, rb_left = 0x0}, list = {next = 0x0, prev = 0x0},
timeout = {tv_sec = 0, tv_usec = 0}, active = 0, cb = 0, data = 0x0},
secondary_lchan = 0x0}
When modern Smartphones receive "Not in VLR". The baseband firmware
apparently does not try to do an IMSI ATTACH but just remains un-happy
and will not connect to the network anymore.
Let's revert it and see if we can find the real issue about the
sms being invalid. Sylvain has pointed out that we get invoked
from a timer and might not have stopped it properly.
This reverts commit 80ba9b5dd6.
I am not sure why it is crashing so this is a speculative fix based on
something we already did in 3e9b2ec257.
#0 sms_find_pending (smsq=0x2706300, sms=<optimized out>) at sms_queue.c:77
#1 sms_sms_cb (subsys=<optimized out>, signal=4, handler_data=0x26e2270,
signal_data=0x7fffdac256c0) at sms_queue.c:396
#2 0x00007fcdea94394c in osmo_signal_dispatch (subsys=1, signal=4,
signal_data=0x7fffdac256c0) at signal.c:105
#3 0x000000000042acc0 in send_signal (sig_no=<optimized out>, trans=<optimized out>,
sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:124
#4 0x000000000042c8e2 in gsm411_sapi_n_reject (conn=0x2722d30) at gsm_04_11.c:999
#5 0x00000000004085d3 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>)
at bsc_api.c:733
#6 rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:755
#7 rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:736
#8 0x000000000041f522 in complete_rllr (rllr=<optimized out>, type=<optimized out>)
at bsc_rll.c:55
#9 0x00007fcdea9433bc in osmo_timers_update () at timer.c:243
#10 0x00007fcdea94369b in osmo_select_main (polling=0) at select.c:133
#11 0x0000000000406fbc in main (argc=9, argv=<optimized out>) at bsc_hack.c:346
The legacy functions have a bad/wrong return value for the number
of septets in the string. Change the code to use the new functions
which will fix encoding issues as well.
Location Update Requests time out and get rejected because the
subscriber is not authorized. Authorizing the subscriber through
openBSC or sqlite3 doesn't help the subscriber is still seen and
shown as not authorized
The value is read as uint, this is the wrong type it's a (u)longlong
in libdbi 0.9.0 and later.
Decoding and encoding of FR and EFR TRAU frames are put into seperate
functions. CRC check is done to detect bad EFR TRAU frames.
The test case includes FR and EFR transcoding.
EFR support was tested with Nokia InSite BTS and Siemens BS11.
These functions are currently located in libmsc/gsm_04_08.c together
with other symbols that (transitively) depend on many external
symbols (and thus libraries) that aren't otherwise needed by e.g.
osmo-bsc.
Since gsm48_tx_mm_serv_ack() will be needed by osmo-bsc, these
functions are moved to avoid the dependency on gsm_04_08.o.
Sponsored-by: On-Waves ehf
The MS do not show the USSD messages yet. This patch modifies the
implementation to insert a CM Service Accept before the ussdNotify
to finish the establishment of the MM connection according to
3GPP TS 04.10/3.2.1.
This fix has been tested with a Blackberry phone that has shown
an ussd_grace_txt after rf_locked has been set to '1'. Without this
patch, that message wasn't shown. The phone has sent a CC Setup
and other messages before processing the channel release message sent
by the BSC, but these messages have not been forwarded to the MSC (as
expected).
Ticket: OW#957
Sponsored-by: On-Waves ehf
Remove ournode_exit_cmd, ournode_end_cmd, and bsc_install_default()
since this functionality is provided by the current libosmocore.
Replace calls to bsc_install_default() by call to
vty_install_default() with the following semantic patch:
@rule1@
expression N;
@@
- bsc_install_default(N);
+ vty_install_default(N);
Ticket: OW#952
Sponsored-by: On-Waves ehf
Add bsc_install_default() and replace all install_default()
This patch adds bsc_install_default() which calls install_default()
and add 'exit' and 'end'. All other calls to install_default() are
replaced by calls to bsc_install_default().
Since 'exit' and 'end' are now added automatically to each node, the
explicit registrations of these commands are removed by this patch,
too.
The related tests succeed now without work-arounds (except for the
'config' node itself which is part of libosmocore).
There's a VTY option by which for every ESME the user can specify if the
E.212 or E.164 number should be used in DELIVER-SM. The ALERT
notifications generate by subscriber LU have so far always contained the
E.212 (IMSI) rather than E.164 (MSISDN) which is a bit inconsistent.
Rather than copying code, we create a new function that implements
ALERTing all ESMEs.
If the MS memory for SMS is exceeded and we get an RP-layer error, we
need to report that back to the (transaction-mode) ESME. Otherwise the
ESME will wait forever after sending a SUBMIT-SM without ever receiving
a response to it.
Thanks to Holger for catching this.
Disable the periodic LU using "no periodic location update" VTY
command. In that case set the expire_lu to 0 which will then be
translated to a NULL in the database layer. This leads to a bit of
copy and paste in the db_sync_subscriber method but I don't see
how we could easily use 'datetime(%i, 'unixepoch')' and 'NULL'
at the same time.
Change the query to find expired queries to check for NOT NULL
and the time being in the past. This means if there are still
old subscribers in the database they might not be expired. One
would need to execute a query like "UPATE Subscriber SET expire_lu
= 0 WHERE expire_lu is null". The same applies when disabling the
periodic LU. One would need to update the database by hand.
Manual tests executed/passed:
1.) periodic LU enabled:
* use gst LUTest.st to do a LU
* UPDATE Subscriber SET expire_lu=datetime('now');
* observe the subscriber being expired (it was)
2.) periodic LU disabled:
* use gst LUTest.st to do a LU
* verify that the expire_lu is NULL in the database
We were expiring subscribers during active calls. This is because
the T3212 is stopped under certain conditions but we didn't stop
that timer at all.
Remember if T3212 timer was stopped due something done by NITB and
update the expiration time at the end of the radio connection, as
the phone should restart it when returning to MM Idle.
It is a bit difficult to decide when we should set the flag. E.g.
in a CM Service Request we don't know if we accept the service and
during a LU we already send MM messages before we accept or reject
the subscriber.
The easiest is to set the flag when receiving a paging response
on known subscribers and at the end of the authentication process.
Do not expire a subscriber that has an active connection that is
marked with the flag, e.g. we would still expire a subscriber that
is being paged.
Manual tests executed/passed:
* gst LUTest.st verified that a expiration date was set
* gst SMSTest.st (doing another LU but forcing a timeout on the
SMS sending). Verified that the expire_lu was updated.
Make sure to not ever have issues with this code again, move the
utility code to a new file and create a basic testcase. The method
currently has 100% line and branch coverage. My initial patched
missed the smpp_utils.c file and I re-did the copying (and verifying
the branch coverage)
bsc_api.c:417:3: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 7 has type ‘unsigned int’ [-Wformat]
bsc_api.c: In function ‘handle_ass_fail’:
bsc_api.c:458:3: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 7 has type ‘unsigned int’ [-Wformat]
db.c: In function ‘db_sync_subscriber’:
db.c:785:3: warning: format ‘%i’ expects argument of type ‘int’, but argument 8 has type ‘time_t’ [-Wformat]
osmo_msc.c: In function ‘msc_release_connection’:
osmo_msc.c:145:20: warning: unused variable ‘trans’ [-Wunused-variable]
smpp_smsc.c: In function ‘link_accept_cb’:
smpp_smsc.c:891:24: warning: assignment from incompatible pointer type [enabled by default]
smpp_smsc.c:271:1: warning: ‘esme_by_system_id’ defined but not used [-Wunused-function]
smpp_openbsc.c: In function ‘smpp_openbsc_init’:
smpp_openbsc.c:545:2: warning: implicit declaration of function ‘smpp_vty_init’ [-Wimplicit-function-declaration]
osmo_bsc_ctrl.c: In function ‘verify_bts_loc’:
osmo_bsc_ctrl.c:340:19: warning: variable ‘height’ set but not used [-Wunused-but-set-variable
smpp_mirror.c: In function ‘main’:
smpp_mirror.c:297:2: warning: implicit declaration of function ‘osmo_init_logging’ [-Wimplicit-function-declaration]
The esme->acl is treated like it can be NULL in other places
of the code. Assume it can be NULL during this check as well.
Dereference after null check (FORWARD_NULL)
9. var_deref_op: Dereferencing null pointer "esme->acl".
Fixes: Coverity CID 1042374
As Holger pointed out, they contained a GPLv2+ disclaimer rather than
the AGPLv3+ which we use for OpenBSC. This is not an incompaibility,
but was done unintentionally. The code was always mean to be under
AGPLv3+.
Nevertheless, anyone using those two files in a version up to this
commit have the right to use it under GPLv2+ as well. This is not
applicable for any versions after this commit.
A CM service request must be acknowledged also, when encryption is already
enabled.
Without encryption enabled, the security status is GSM_SECURITY_NOTAVAIL,
which causes a CM service acknowledge. On initial CM service request, the
security status is GSM_SECURITY_SUCCEED, if encryption is enabled. This
will not lead to an acknowledge, because the cyphering command implies an
acknowlege. An additional CM service request requires an acknowledge, so
I added a new security status: GSM_SECURITY_ALREADY
Coverity pointed out that we use trans->subscr after a NULL check,
it is our believe that every transaction will have a subscriber.
Remove the check and add an assert before we are dispatching things.
Fixes: Coverity CID 1040740, CID 1040739
This fixes both a GCC and a Coverity warning:
GCC:
gsm_subscriber.c: In function ‘subscr_expire_callback’:
gsm_subscriber.c:389:2: warning: format ‘%i’ expects argument of type ‘int’, but argument 8 has type ‘long long unsigned int’ [-Wformat]
Coverity:
CID 1040712
system_id is a char array, which makes the NULL check a tautology,
so we should check with strlen if the string is empty or not.
This is fixing the "write" command of VTY that would otherwise
create a config file that can not be parsed.
If an ESME has the dcs_transparent config flag, then the TP-DCS
of MO-SMS is transparently passed to SMPP and not converted to SMPP
specific data_coding values.
This is needed in cases where ESMEs actually care about the exact
TP-DCS, as the conversion from TP-DCS to SMPP data_coding is not
bijective.
There are multiple ways how the TS 03.38 TP-DCS can indicate 8bit or
7bit messages. SMPP has it's own data coding specification, which is
different from TS 03.38.
However, some SMPP ESMEs want to be able to have fine-grained control
over the TP-DCS indicated in the TPDU header. If such values like 0xF6
are used in SMPP, we now transparently pass them on to the GSM side.
An ESME can now be configured in the VTY to enable osmocom-extensions,
which will add vendor-specific SMPP TLVs for RxLev/RxQual/ARFCN/IMEI and
transmit power to the SMPP DELIVER-SM message type.
As bsc_gsmnet is NULL at the time we call smpp_openbsc_init(),
we later run into segfaults with subscribers that don't have a
subscr->net set.
However, we cannot delay smpp_openbsc_init() until after
bsc_bootstrap_network(), as we then fail to parse the SMPP specific
VTY/config file options...
Katerina pointed out that some nodes are not fully documented and
proposed some messages. The token/timeout messages were correct, I
have modified the other messages. I removed the full-stop from the
PING/PONG documentation as we are normally not using a full sentence.
when the SMS code was moved into libosmocore, its logging prefix was
changed from 'sms' to 'lsms', which breaks existing config files.
This introduces a deprecated/hidden vty command to make sure those
config files are still parsed OK, and will simply print a warning
message about the config needing some update.
If after release has been sent, the call control layer waits for:
- reception of release complete
- or timeout
- or release of transaction (due to radio link failure)
In this case, an MNCC_REL_CNF is sent to upper layer. The callref must
still exist, so the upper layer can handle this confirm.
If transaction is destroyed, but callref still exists, the
mncc_release_ind function is called. If the upper layer already sent an
MNCC_REL_REQ, the state N19 was entered. In this case it expects an
MNCC_REL_CNF.
The issue can be reproduced by typing the following 9 or more times.
OpenBSC> subscriber id 2 sms sender id 2 send bla
For some unknown reason the phone sends us a CP-ERROR for a transaction
identifier we have allocated and used but don't remember. Due the way
we use the SMC/SMR we 'establish' the machine and this results in a CP-ACK
being sent out. But the CP-ERROR is not having the content we want for
an establish so we send out a RP-ERROR. This will result in a CP-ERROR
because the phone does not know the transaction...
Avoid the issue by checking the direction of the transaction. If we do
not know the transaction and it is supposed to be allocated by us then
just ignore it and do not create a new transaction.
Set the subscriber expiry timeout to twice the duration of the location
update period and provide functions subscr_expire() and
db_subscriber_expire() to mark subscribers offline that have missed two
location update periods.
This patch increases the DB revision to 3, so the hlr will be
incompatible with prior versions.
We should allow 0 for T3212 as well to disable the location update
period. In that case we will need a way to indicate that in the
database.
This was reported by Kevin when he was testing handover. The problem
is the order of the signal handlers for S_ABISIP_CRCX_ACK. Right now
the handover signal handler is called before the one inside the libmsc
gsm_04_08.c. This means S_HANDOVER_ACK is signalled _before_ there is a
rtp socket created for the channel. The result is that the MDCX will
never be sent and the called will not be properly switched _after_ the
handover detection.
I do not want to play with the order of signal handlers, remove the
CRCX ack handling from the handover_logic.c and force the NITB (and
later the BSC) to check if the lchan is involved with a handover and
do the switching in there. This means right now we do what two signal
handlers did in one.
Reproduced and tested with the FakeBTS Handover test.
Log message:
<0004> abis_rsl.c:1954 (bts=1,trx=0,ts=3,ss=0) IPAC_CRCX_ACK ...
<000c> gsm_04_08.c:1400 no RTP socket for new_lchan
<001a> rtp_proxy.c:533 rtp_socket_create(): success
<001a> rtp_proxy.c:615 rtp_socket_bind(rs=0x48703c8, IP=0.0.0.0): ...
If subscriber A is calling B and has sent a CC Setup message we will
allocate the MO and MT transaction and link them together. When the
BTS or the lchan is failing the BSC API will send a clear request,
as part of the clear request all pending transactions will be released.
As part of taking down the transaction, the remote leg will be informed
and will send a MNCC_REL_REQ. This results in a call to trans_free. The
llist_for_each_entry_safe does not handle removing other elements from
the list and we would segfault.
One way to fix this is to move the transaction list into the subscriber
connection. This might require to create the subscriber connection for
MT handling earlier. Otherwise one could have one transaction list inside
the subscriber connection and a global list for MT- transactions.
This has been reported and analyzed by Tobias Engel. The IMSI Detach
is dispatched as part of the complete layer3 message. I had patched
the code to release the anchor and call msc_release_connection to
release the connection as fast as possible (otherwise the anchor would
trigger in a couple of seconds).
With commit 70ae5d3000 I made this more
generic to release the connection immediately if there are no operations,
no transaction and no silent call. This leads to the subscriber connection
being released twice and eventually causing a segfault. Remove the
msc_release_connection invocation from the IMSI Detach code as the connection
will be taken down by the BSC API.
This has been tested using the FakeBTS and an IMSI Detach message. The
channel is released immediately and the nitb does not crash.
Rebased, tested and fixed by Holger Freyther. Release the transaction
only once the SMC is asking for the release and set the cb's to NULL
to catch a use after free early.
This has been rebased and fixed by Holger Freyther. The change of
the debug area was split out in a previous commit and the is_mt was
put back into the transaction code.
The transaction is now freed from the RELEASE_REQ sent by the SMC
layer and not inside the error path. When clearing the SMC instance
we also clear the callbacks.
This should and does happen as part of the trans_free/msc_release_connection
code. There is no easy way to determine that the lchan is now 'free' for other
things.. Let the transaction code sort this out. This code just needs to make
sure that transactions are always freed.
This is more a work around and one still needs to implement a
proper dispatch on the opening of the connection. If there is no
operation left, no transaction and no silent call, close down the
channel.
Holger Hans Peter Freyther
Harald Welte
Daniel Willmann
Andreas Eversberg
Alexander Huemer
Sylvain Munaut