This test is to trigger the use-after free issue in commit bff7b0d80972. If
compiled with address-sanitizer the test will abort without the fix.
Change-Id: I5e8c6626ba43342740f08d699383bdded739079f
Ticket: OW#3049
Sponsored-by: On-Waves ehf
In case the link_info is deleted we have to stop handling the stored messages
inside link_info. Not doing so can lead to invalid memory being accessed.
Change-Id: Ieb8503e9e94e7a5ac450ad8aa1713ec4f21cdea5
Ticket: OW#3049
Sponsored-by: On-Waves ehf
it seesm more recent RBS2000 models have much larger CCP and CI value ranges
than those of older models.
Change-Id: Ib116c1fac901b293929fce34223d1fd0af15d2bc
The code for supporting the configuration of the OM2000 CON (LAPD
Concentrator) MO was so far incomplete and not used from the OM2000 FSM
initialization. This patch adds
* VTY commands for configuration of CON Groups and Paths
* The FSM integration to actually configure the CON MO
Change-Id: I56dc1b5e35adef3a2078bcf9536537eb0f454192
This happens e.g. with DAHDI driver, when the DAHDI device cannot be
opened. Let's not prematurely seg-fault early in the RBS2000 signal
handler, but take the proper error handlign for this.
Change-Id: I9223fb1568d3db7e278f07240c4be334c6602a13
talloc_ctx.c: In function ‘talloc_ctx_init’:
talloc_ctx.c:40:2: warning: implicit declaration of function ‘msgb_talloc_ctx_init’ [-Wimplicit-function-declaration]
msgb_talloc_ctx_init(ctx_root, 0);
^~~~~~~~~~~~~~~~~~~~
Change-Id: Ib8ebc02d5cf0d2b4019473d3750ae7c6f8a32896
For TCH/F_PDCH, return an invalid chan comb (0) and print an error message
that hints at the proper pchan type to use instead: TCH/F_TCH/H_PDCH
Change-Id: Ibe0f944573f0a6d1be4bf7cf4986c4b2b3bd6d0d
When OM2K sets up the timeslots with the BTS, the dynamic channel state
is not yet resolved to any particular pchan type. Instead of using the
dyn state, always advertise dynamic timeslots as pchan2comb(TCH/F).
In the past, the Ericsson dynamic timeslots were handled as pchan type
TCH/F_PDCH. This is a mistake, as this pchan type is intended for
the ip.access dynamic PDCH way of dynamic channels. In any case, in the
initial state of this pchan type, the timeslot was initialized as
pchan2comb(TCH/F) because the ts->flags do not reflect an active PDCH
yet. In short, this patch does not change the behavior of TCH/F_PDCH
timeslots, only clarifies it.
It would in fact make sense to disallow use of TCH/F_PDCH for OM2K,
but that should probably be a separate patch.
The proper pchan to use for Ericsson dynamic timeslots is
TCH/F_TCH/H_PDCH. These do not use ts->flags, but ts->dyn.* as state,
which first reflects pchan_want == pchan_is == GSM_PCHAN_NONE. Hence
the timeslot was initialized by OM2K as pchan type zero, which is
unknown / invalid. So, instead of using pchan_is, which is not yet
reflecting anything meaningful, always initialize as TCH/F chan comb,
as Ericsson hardware apparently expects it.
Change-Id: If0693f7c5c85977b0e4acbc701ee5d635434d0d1
talloc_free the cfg only after asserting num_bsc count sanity.
This caused a failure in the 'bsc-nat' test with -fsanitize build.
Should fix the Osmocom_Sanitizer build on jenkins.osmocom.org
https://jenkins.osmocom.org/jenkins/job/Osmocom_Sanitizer/
Change-Id: Ic20aacaccffcaa58ccec6d24c884727dc1bc50e6
Throw warning message in case the MO state does not change
to enabled after sendeing an Enable-Request message.
Change-Id: Idfde8d6f71526e8acfea51835732515a4bee858e
This patch adds support for ericssons sambm negotiation.
This patch depends on libosmo-abis commit:
2788c7eacab91cd39d68e316fc8ee87763bbfeb4
Change-Id: I56b1c1cef07a61143fc0e8058480805cddfeff96
This patch adds parsing for OM2000 MO fault report map parsing,
the bits in the fault maps are counted out and displayed.
Change-Id: I6e2928f39b09bc08e9ab78bc10bc81e07f7eb55d
Contrary to standard A-bis, in the RBS2000 case the BSC connects
the signalling data links (LAPD) to the BTS. In case one of them
drop, we need to attempt to re-establish them.
This requires libosmo-abis with Change-Id I07f0f79e0cda09766f357032ffb4e7ad643d448a
Change-Id: I710b5af5d0acbdd3febd314849340f2adb7abd80
In case of the sysmoBTS and receiving a channel activation ack on a channel
that was marked as broken, release it again.
Use a normal release without SACCH deactivation and release the rqd_ta data.
Also add a local variable 'ts' to shorten some lines.
The typical situation where this would occur is with high latency between BTS
and BSC (or NITB). If a channel activation ack does not arrive in time, a
channel is marked broken, and never recovers after that. This patch will
release the channel again, which will remove the BROKEN_UNUSABLE state and
makes lchan available again. Reported by Rhizomatica.
However, in case of packet loss, i.e. when the channel activation ack never
arrives at the BSC, this patch does not provide a resolution of the
BROKEN_UNUSABLE state.
On dynamic timeslots: clearing the dyn ts state could possibly happen in
lchan_free() instead of in rsl_rx_chan_act_ack(). That's to be done in a
separate patch, if at all.
Tweaked-By: nhofmeyr
Change-Id: I63dc0deaf15ba7c21e20b1e0c7b85f0437e183ed
The GTP protocol specification requires us to include the MSISDN IE in
all non-secondary PDP context activations. However, when no real HLR is
used (e.g. via GSUP), we do not have the MSISDN information available
and so far simply sent a zero-length MSISDN IE in GTP. The latter is a
violation of the spec.
So to resolve this, we now send a 15-digit all-zero dummy MSISDN IE, as
described in TS 23.003.
Change-Id: I8d0a5d52d6cd2a00b5dda060bd41d45056dfa84d
When receiving the 'Start Result' message, for CF and TRXC MO
we directly transition to performing the Operational Info. In that
case, we need to return after sending the Operational Info and skip
the usual processing for the default case below.
Change-Id: I99860d198b337ffe461b240bda20dc10e1b5b2cb
Our existing OM2000 code for initializing all Managed Objects of a BTS
at startup was never complete. Rather than trying to fix the old-style
code, introudce a hierarchy of osmo_fsm's reflecting the full protocol
hand-shake and sequence of bringing up the individual MO's.
If this works out well, it mihgt make sense to convert the TS 12.21 OML
code for other BTS models, too.
Change-Id: I3e11b28ba22b8c227e0401e6207fdda5381dda8c
Extend both 'show lchan <bts> <trx> <lchan>' and 'show lchan summary' to
include information on dynamic timeslots.
Have one common function that prints " as foo" or " switching foo -> bar" to
the vty, use it in lchan_dump_full_vty() and lchan_dump_short_vty().
In lchan_dump_short_vty(), split the vty_out call in two in order to interleave
the dyn ts info right after the pchan.
The summary hence looks e.g. like this for osmocom style dyn ts:
BTS 0, TRX 0, Timeslot 5 TCH/F_TCH/H_PDCH as PDCH, Lchan 0, Type NONE, State ACTIVE - L1 MS Power: 0 dBm RXL-FULL-dl: -110 dBm RXL-FULL-ul: -110 dBm
or
BTS 0, TRX 0, Timeslot 4 TCH/F_TCH/H_PDCH switching NONE -> PDCH, Lchan 0, Type NONE, State BROKEN UNUSABLE - L1 MS Power: 0 dBm RXL-FULL-dl: -110 dBm RXL-FULL-ul: -110 dBm
Change-Id: I3eb72ac7f0a520a8eefe171b9fb357f149aa3fda
count_codecs() is called on every chan act ack, also for channels other than
TCH/F and TCH/H. So this logging happens a lot during normal operation but adds
no real information.
Also, RSL would be the wrong logging category for this -- RSL is about the RSL
communications, not whether our internal code tries to count lchan codecs for
the wrong channel types.
Change-Id: Ibdac3bbe48745fe6a1c31d6f87369c9066c0374a
As per TS 23.014, a GSM MSC must implement mobile-originated DTMF
generation. We gate the DTMF signalling messages to MNCC, and expect
the external MNCC handler to deal with it. However, the internal MNCC
handler simply ignored such singalling messages, rather than rejecting
DTMF altogether.
It turns out failure to respond to START DTMF will cause some phones to
behave in interesting ways, particularly with modem
firmware v6.01.00, see https://osmocom.org/issues/1817). In this case
the phone is not able to release the call as the pending response to the
START DTMF is probably keping a reference or lock of some sort.
Change-Id: I336f0cd0a6396b522d228479a417fd4d606157ac
GSM 04.18, which is the successor of GSM 04.08, describes
additional RR 3g specific message types. This commit adds
log output for those messages. The behaviour is not changed
all affected message types are still forwared to the MSC
as they were before.
See also 3GPP TS 04.18, section 10.4, table 10.4.1
The change requires to update libosmocore as well, see
also commit f48fdb3a108da0dc23d7af4ac021e98e11f07152 in
libosmocore.git for details.
Change-Id: I41f2242fdf59c3eb4b3f8f7f003c17f7e0df01aa
the OML attribute tables are hardcoded. To set variable parameters,
the hardcoded data structure (tlv) is patched on byte level during
runtime. This patch replaces this mechanism.
- Replace hardcoded OML attribute tables with dynamically
generated TLV structures.
- Add unit tests to check if the OML attribute tables are
generated correctly
- Put OML attribute table generator code in a separate file:
bts_ipaccess_nanobts_omlattr.c
Change-Id: Ibeb34a84912d6cf695f553a34c69320fca7d08fa
Use channel type name instead of number and log it with DEBUG facility
otherwise it produces lots of irrelevant messages for SDCCH*
Change-Id: I11b04e0cb02bf6ed01f6076cb31a56d8921d735e
- missing break in gprs_sndcp_pcomp.c, line 143
- string overflow in slhc_test.c, line 211
- sizeof mismatch in gprs_sndcp_xid.c, line 1369 and 1378
- mismatching signedness in gprs_sndcp_xid.c, line 1377
- needless < 0 comparison in gprs_sndcp_xid.c, line 477
- needless < 0 comparison in gprs_sndcp_xid.c, line 209
- missing returncode check in v42bis_test.c, line 320
- wrong pointer dereferentialization in gprs_sndcp_comp.c, line 73
Change-Id: I4f9adf251f5119e67ffe76baad6f1f996ac8dbad
When DL DTX is active and silent period is in progress dtx.cache is
populated by SID UPDATE message which about to be scheduled next. If at
that moment FACCH message arrives (which have higher priority) we have
to send ONSET message to L1 but we can't invalidate cache with SID
UPDATE as it will be used for SID FIRST message to resume silent period
after FACCH transmission is over (provided there were no incoming voice
in between). Hence the necessity for separate buffer to store content of
FACCH message while we're sending ONSET to L1 while keeping SID UPDATE
cached.
Change-Id: I316e81af893b24766bf259baaed7a0be75a11694
Related: OS#1801
We count the codec when the channel was successful setted up
Using sign_link->trx->bts instead of msg->trx to get the bts.
Add OSMO_ASSERT for bts within count_codecs()
Change-Id: Ib49c7c337980a7d6f189d7a0551ca2e4c3822f45
Value 4 used as magic number by both OpenBSC and OsmoBTS so it make
sense to add it to shared header. See
ebb483b69a5319e522ba5f713e9cb6f68a814a6a in osmo-bts for details.
Change-Id: I9c6ad68f4c6aa72d39ec7e5a6968b36ec20e79f4
Drop extern definitions of talloc_msgb_ctx and use msgb_talloc_ctx_init()
instead.
In sgsn_test.c, use a local variable msgb_ctx to do the talloc report
from the return value of msgb_talloc_ctx_init().
Change-Id: I2f9ace855f0ecbdc9adf5d75bcb1a3d666570de4
There's "channel-descrption bs-ag-blks-res" vty command which sets
BS-AG-BLKS-RES which might be too high if CCCH is combined with
SDCCHs. Previously proper value was silently enforced. Log this
situation explicitly and add spec reference to the comment.
Change-Id: I53e2b881fc28472d6709f063fb265a4e6a0fffcd
- consolidate all DTX-specific things in a separate struct
- rename struct fields to better reflect meaning
- add pointer to DL FSM for AMR
- remove unused flag
- expand buffer to hold cached payload alongside with CMR/CMI
Change-Id: Idac8609faf9b5ced818fde899ccfc6ed0c42e8fd
Just as a general precaution deemed to fit such a convenience function that
lives in libcommon, no actual failure observed.
Change-Id: I8e77fe1abc402469fd037e2fde2f46e2c8114f59
Found this by coincidence, no actual failure case was observed.
lchan_lookup() does have a return NULL code path, so we should not blindly use
its returned pointer.
Change-Id: I34ce126d36420b8194c88c0faa865294334a6658
This reverts commit 38e9ea3f7f.
Introduced a reproducable segfault, because msg->trx is not actually set/used
in the openbsc code paths.
Program received signal SIGSEGV, Segmentation fault.
count_codecs (lchan=0x1, bts=<optimized out>) at ../../../src/libbsc/abis_rsl.c:104
104 rate_ctr_inc(&bts->network->bsc_ctrs->ctr[BSC_CTR_CODEC_V1_FR]);
(gdb) bt
#0 count_codecs (lchan=0x1, bts=<optimized out>) at ../../../src/libbsc/abis_rsl.c:104
#1 0x0000000000425661 in abis_rsl_rx_dchan (msg=<optimized out>) at ../../../src/libbsc/abis_rsl.c:1516
#2 abis_rsl_rcvmsg (msg=0x8143f0) at ../../../src/libbsc/abis_rsl.c:2611
#3 0x00007ffff71420d0 in handle_ts1_read (bfd=<optimized out>) at ../../src/input/ipaccess.c:271
#4 ipaccess_fd_cb (bfd=0x815af8, what=1) at ../../src/input/ipaccess.c:386
#5 0x00007ffff7779b62 in osmo_fd_disp_fds (_eset=0x7fffffffe590, _wset=0x7fffffffe510, _rset=0x7fffffffe490) at ../../src/select.c:149
#6 osmo_select_main (polling=polling@entry=0) at ../../src/select.c:189
#7 0x0000000000406fac in main (argc=<optimized out>, argv=0x7fffffffe738) at ../../../src/osmo-nitb/bsc_hack.c:385
Add flag to explicitly track the state of DTX DL for AMR HR whe
SID_FIRST_P1 has been sent to L1 already but no next frame available
yet: this can be followed by SID_FIRST_P2 or SID_FIRST_INH depending on
arrival of voice frame within next 60 ms.
Change-Id: Id28b07b8e83cfe5e84de48a2f124084036580cd4
In addition to RTP payload SID cache got to store CMR/CMI prefix. Extend
the buffer so it can fit in.
Change-Id: Ibd4a63604a82cad3ce65f0752bffefa4b083e1b3
Fixes: Coverity CID#149508
active_calls describe all calls in active state.
call.complete Call got terminated by disconnect requested either by MS or MSC.
call.incomplete Call got terminated by any other reason.
call.active Calls reached active state.
Change-Id: I49b93af2e6a0ba16c2fb00b7b83974e8a6a16df3
Daniel Willmann
Harald Welte
Neels Hofmeyr
Philipp Maier
root