Currently the result of the osmo_hexparse function in
update_subscr_insert_auth_triplet is not handled correctly. There is
a misplaced leading exclamation mark in a few conditional
expressions. This effectively disables the error checks, as it is
noticed by Coverity ("Missing parentheses" followed by "Logically
dead code").
This patch removes the exclamation marks.
Fixes: Coverity CID 1260435 and CID 1260434
Sponsored-by: On-Waves ehf
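The precedence problem described in the commit message above, as an added example that is not the OpenBSC code. `parse_hex` is a hypothetical stand-in for `osmo_hexparse`, and the `!f(...) < 0` shape of the faulty condition is an assumption based on the Coverity findings quoted.

```c
#include <stddef.h>
#include <string.h>

static int hex_nibble(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Hypothetical stand-in for a hex parser: returns the number of bytes
 * written to dst, or -1 on malformed input or if dst is too small. */
static int parse_hex(const char *str, unsigned char *dst, size_t max_len)
{
	size_t len = strlen(str), i;

	if (len % 2 != 0 || len / 2 > max_len)
		return -1;
	for (i = 0; i < len / 2; i++) {
		int hi = hex_nibble(str[2 * i]);
		int lo = hex_nibble(str[2 * i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		dst[i] = (unsigned char)((hi << 4) | lo);
	}
	return (int)(len / 2);
}

/* Broken: '!' binds tighter than '<', so this tests (!rc) < 0. Since !rc is
 * 0 or 1, the branch is dead (GCC/Clang: -Wlogical-not-parentheses). */
int set_sres_broken(unsigned char sres[4], const char *str)
{
	if (!parse_hex(str, sres, 4) < 0)
		return -1; /* never reached: malformed input is accepted */
	return 0;
}

/* Fixed: compare the parser's return value itself. */
int set_sres_fixed(unsigned char sres[4], const char *str)
{
	if (parse_hex(str, sres, 4) < 0)
		return -1;
	return 0;
}
```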
The code assumes that sqlite3.h is in the standard include
path. Maybe sqlite3 wasn't installed or resides in a non
standard (/usr/local) location? Fix the build as it has been
broken since 1st of January.
This is a normal situation under high load: The BTS is out of resources
and the BSC cannot allocate any dedicated channel. We may send an IMM
ASS REJECT back to the MS. All well within normal parameters, not an
error that needs to be reported back to the caller, who propagates it
all the way up to libosmo-abis.
Move the "logging filter imsi IMSI" into the BTS/NITB code to
allow to set the gsm_subscriber and only compare it. This way
we simply compare the subscriber address and don't have to care
if the subscriber data is still valid.
Most of the "fixes" have nothing to do with gcc-4.9.2 but are a
question of ABI/Architecture (e.g. x86 vs. AMD64). Revert these
for now.
This partially reverts commit 7b1d25a11e.
abis_test.c: In function ‘test_simple_sw_config’:
abis_test.c:68:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - simple_config, descr[0].len);
^
abis_test.c: In function ‘test_dual_sw_config’:
abis_test.c:111:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - dual_config, descr[0].len);
^
abis_test.c:115:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[1].start - dual_config, descr[1].len);
^
abis_test.c: In function ‘test_sw_selection’:
abis_test.c:132:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - load_config, descr[0].len);
^
abis_test.c:136:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[1].start - load_config, descr[1].len);
I'm merging this code, as it is proven to be very useful. The only
reason to keep it out of master was the fact that the UDP data
structures it sends are non-portable, so you can only run it reliably on
localhost or between identical systems (hardware/compiler/os).
As this hasn't been fixed in the past >= 2 years, I am merging the code
now anyway. We can still introduce a portable protocol by increasing
the protocol version at a later point.
There are two options:
a) we make 'struct gsm_meas_rep' portable. This requires an ABI
change with libosmocore, as it contains struct gsm_meas_rep_unidir :(
b) we introduce a completely separate wire format with corresponding
encoding and decoding functions.
In fact, the DB write code has been split out so we could later also
have a binary that would listen to realtime meas_feed packets and stuff
them into a database without any intermediate PCAP step.
The database schema contains a couple of convenience wrapper views, most
notably the "overview" view.
This extends osmo_nitb to offer a UDP feed of real-time measurement
reports, which can be used by (a variety of) external tools for
visualization or other processing.
We also add a small ncurses based tool (meas_vis) which shows a
baragraph display of the last few mobile stations that were active,
indicating their uplink/downlink receive level and quality.
<WARNING>
This sends non-portable structures like gsm_meas_rep over UDP
and assumes the receiver has identical alignment and endianness! Before
this feature is merged, it either needs to be converted to a unix domain
socket (but they don't do multicast, which would be nice) or the wire
format needs to change into something portable with defined alignment
and encoding
</WARNING>
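A sketch of option (b) above, a separate wire format with explicit encoding and decoding, as an added example that is not code from OpenBSC. `struct meas_sample`, its fields, the 9-byte layout and the version number are all hypothetical; the real `struct gsm_meas_rep` is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical record: field names and layout are assumptions. */
struct meas_sample { uint32_t frame_nr; uint16_t arfcn; uint8_t rx_lev, rx_qual; };

#define MEAS_WIRE_VERSION 1
#define MEAS_WIRE_LEN 9 /* version(1) frame_nr(4) arfcn(2) rx_lev(1) rx_qual(1) */

/* Write each field byte by byte, big-endian: no padding, no host byte order. */
int meas_encode(uint8_t *buf, size_t buf_len, const struct meas_sample *m)
{
	if (buf_len < MEAS_WIRE_LEN)
		return -1;
	buf[0] = MEAS_WIRE_VERSION;
	buf[1] = (uint8_t)(m->frame_nr >> 24);
	buf[2] = (uint8_t)(m->frame_nr >> 16);
	buf[3] = (uint8_t)(m->frame_nr >> 8);
	buf[4] = (uint8_t)m->frame_nr;
	buf[5] = (uint8_t)(m->arfcn >> 8);
	buf[6] = (uint8_t)m->arfcn;
	buf[7] = m->rx_lev; buf[8] = m->rx_qual;
	return MEAS_WIRE_LEN;
}

/* Reject wrong-length or wrong-version datagrams instead of casting them onto a struct. */
int meas_decode(struct meas_sample *m, const uint8_t *buf, size_t len)
{
	if (len != MEAS_WIRE_LEN || buf[0] != MEAS_WIRE_VERSION)
		return -1;
	m->frame_nr = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
		      ((uint32_t)buf[3] << 8) | (uint32_t)buf[4];
	m->arfcn = (uint16_t)(((unsigned)buf[5] << 8) | buf[6]);
	m->rx_lev = buf[7]; m->rx_qual = buf[8];
	return 0;
}

/* Round-trip a constructed sample; returns 0 if encoding and checks behave as intended. */
int meas_selftest(void)
{
	struct meas_sample in = { 0x00012345, 871, 42, 3 }, out = { 0, 0, 0, 0 };
	uint8_t buf[MEAS_WIRE_LEN];
	if (meas_encode(buf, sizeof(buf), &in) != MEAS_WIRE_LEN) return 1;
	if (buf[1] != 0x00 || buf[2] != 0x01 || buf[3] != 0x23 || buf[4] != 0x45) return 2;
	if (meas_decode(&out, buf, sizeof(buf)) != 0 || out.frame_nr != in.frame_nr) return 3;
	if (meas_decode(&out, buf, sizeof(buf) - 1) != -1) return 4; /* truncated */
	buf[0] = 2;
	return meas_decode(&out, buf, sizeof(buf)) == -1 ? 0 : 5; /* unknown version */
}
```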
The idea of ts_alloc()/ts_free() dates back to the very early days of
OpenBSC, where we didn't yet have a fixed PCHAN type assigned for every
lchan in a BTS. However, ever since, PCHAN types (channel combinations)
are configured by OML in a certain way, and we only allocate LCHANs
inside PCHANs of a matching type. There should be no PCHANs with
type GSM_PCHAN_NONE, unless those that you don't want to use for
administrative reasons or the like.
show net with a CCCH+SDCCH/4+CBCH channel active caused bts_chan_load to read
from invalid memory. Fix this by making sure the pchan array is large enough.
==30346==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9bdc5dc8 at pc 0x5aeece bp 0x7fff9bdc5350 sp 0x7fff9bdc5348
READ of size 4 at 0x7fff9bdc5dc8 thread T0
#0 0x5aeecd in bts_chan_load /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/chan_alloc.c:490
#1 0x5af706 in network_chan_load /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/chan_alloc.c:511
#2 0x4b7410 in net_dump_vty /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_vty.c:208
#3 0x4b5f23 in show_net /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_vty.c:227
#4 0x7fdabaa425bd in cmd_execute_command_real /home/alphaone/scm/osmo/libosmocore/src/vty/command.c:2042
#5 0x7fdabaa3f124 in cmd_execute_command /home/alphaone/scm/osmo/libosmocore/src/vty/command.c:2077
#6 0x7fdabaa850e9 in vty_command /home/alphaone/scm/osmo/libosmocore/src/vty/vty.c:402
#7 0x7fdabaa75962 in vty_execute /home/alphaone/scm/osmo/libosmocore/src/vty/vty.c:666
#8 0x7fdabaa6d947 in vty_read /home/alphaone/scm/osmo/libosmocore/src/vty/vty.c:1408
#9 0x7fdabaa9165f in client_data /home/alphaone/scm/osmo/libosmocore/src/vty/telnet_interface.c:119
#10 0x7fdaba7860b6 in osmo_select_main /home/alphaone/scm/osmo/libosmocore/src/select.c:160
#11 0x43c656 in main /home/alphaone/scm/osmo/openbsc/openbsc/src/osmo-nitb/bsc_hack.c:355
#12 0x7fdab92604bc (/lib64/libc.so.6+0x224bc)
#13 0x43b6cc (/home/alphaone/local/osmo-asan/bin/osmo-nitb+0x43b6cc)
Address 0x7fff9bdc5dc8 is located in stack of thread T0 at offset 232 in frame
#0 0x4b5faf in net_dump_vty /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_vty.c:182
This frame has 3 object(s):
[32, 40) ''
[96, 104) ''
[160, 224) 'pl'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/chan_alloc.c:490 bts_chan_load
==25637==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff3f587c43 at pc 0x5bf591 bp 0x7fff3f587630 sp 0x7fff3f587628
READ of size 4 at 0x7fff3f587c43 thread T0
#0 0x5bf590 in tv_fixed_put /home/alphaone/local/osmo-asan/include/osmocom/gsm/tlv.h:237
#1 0x5b7e14 in generate_si4 /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:607
#2 0x5b488b in gsm_generate_si /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:882
#3 0x4cb247 in gsm_bts_trx_set_system_infos /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:166
#4 0x4d3c26 in bootstrap_rsl /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:272
#5 0x4ced44 in inp_sig_cb /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:316
#6 0x7f4f15b563d7 in osmo_signal_dispatch /home/alphaone/scm/osmo/libosmocore/src/signal.c:105
#7 0x7f4f156c0e3f in e1inp_int_snd_event (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x17e3f)
#8 0x7f4f156be7e5 in e1inp_event (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x157e5)
#9 0x583a6a in ipaccess_sign_link /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bts_ipaccess_nanobts.c:675
#10 0x7f4f156e63b0 in handle_ts1_read (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x3d3b0)
#11 0x7f4f156e4f4e in ipaccess_fd_cb (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x3bf4e)
#12 0x7f4f15b540b6 in osmo_select_main /home/alphaone/scm/osmo/libosmocore/src/select.c:160
#13 0x43c656 in main /home/alphaone/scm/osmo/openbsc/openbsc/src/osmo-nitb/bsc_hack.c:355
#14 0x7f4f1462e4bc (/lib64/libc.so.6+0x224bc)
#15 0x43b6cc (/home/alphaone/local/osmo-asan/bin/osmo-nitb+0x43b6cc)
Address 0x7fff3f587c43 is located in stack of thread T0 at offset 483 in frame
#0 0x5b712f in generate_si4 /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:580
This frame has 8 object(s):
[32, 40) ''
[96, 104) ''
[160, 164) 'rc'
[224, 232) 'si4'
[288, 296) 'cbch_lchan'
[352, 360) 'restoct'
[416, 420) 'l2_plen'
[480, 483) 'cd'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alphaone/local/osmo-asan/include/osmocom/gsm/tlv.h:237 tv_fixed_put
We can now configure the physical channel types for CBCH either in the
CCCH+SDCCH4 or in the SDCCH8 channel combination.
Depending on whether a CBCH exists on the BTS, we also generate the SI4
with matching CBCH channel description to notify the phones of the
existence of the CBCH.
There is now a VTY command how a SMS-CB message can be sent to a given
BTS.
We do not yet have any logic at all for actual scheduling of multiple
CBCH RSL messages towards one or multiple BTSs yet, though.
We tend to comment out this code every XXC3, let's just get rid
of it. The nanoBTS has a rather odd timing behavior. Jacob has
spent hours this summer to trial/document/fix it in the MGCP code
and this code is not getting close to working around the ip.access
audio issues.
If somebody still wants to use the nanoBTS then he should help
to have the MGCP MGW use/share code with the rtp_proxy.c
This implements the MAP way of subscriber validation when the MS
tries to perform an Attach Request:
1. perform authentication (optionally invoke the sendAuthInfo
procedure), starts the Auth & Ciph procedure
2. perform update location
3. insert subscriber data
4. finish the update location
5. Attach Accept / Attach Reject
The authentication triplets are used and eventually updated if all of
them have been used.
This is currently accessible via the VTY interface by the following
commands:
- update-subscriber imsi IMSI update-auth-info
- update-subscriber imsi IMSI update-location-result (ok|ERR-CAUSE)
Sponsored-by: On-Waves ehf
This commit adds data structures, functions, initialization, and VTY
commands for per subscriber authentication triplets.
The following VTY command is added:
- update-subscriber imsi IMSI \
insert auth-triplet <1-5> sres SRES rand RAND kc KC
Note that the triplets are not really used by the SGSN yet.
Sponsored-by: On-Waves ehf
Currently, when a BSSGP SUSPEND is received and the corresponding MM
context is already in the state GMM_REGISTERED_SUSPENDED, a
SUSPEND_NACK is returned which is not covered by GSM 08.18, 7.4.1.
The same goes for RESUME in the state GMM_REGISTERED_NORMAL.
This commit changes gprs_gmm_rx_suspend and gprs_gmm_rx_resume to not
complain (and thus answer a NACK) when the MM context is either in
GMM_REGISTERED_SUSPENDED or GMM_REGISTERED_NORMAL.
Note that GSM 08.18, 7.4.1 and 7.5.1 only mention to send an NACK if
the MS is not known. Even with this patch, the SGSN returns a NACK if
either the MS is unknown _or_ the MM context is not in one of the
states GMM_REGISTERED_SUSPENDED and GMM_REGISTERED_NORMAL.
Sponsored-by: On-Waves ehf
Currently the parser functions for single information elements are
defined within gprs_gb_parse.c and not exported explicitly. In
addition they are named like libosmocore's TLV parser functions and
do not have a proper name prefix. Since it is planned to use them for
other protocols, they need to be globally accessible.
This patch moves them to gprs_utils.c and renames them.
The new names are:
lv_shift -> gprs_shift_lv
v_fixed_shift -> gprs_shift_v_fixed
In the long term, these functions should be moved to libosmocore (and
renamed again).
Sponsored-by: On-Waves ehf
The new lchan will be in speech mode already but for AMR we will
need to provide a working multirate config in the channel activation,
otherwise the channel act might be nacked.
Copy the config from the current lchan into the new lchan. The
abis code simply added the mrconf if the speech mode was amr.
Before this commit the invalid mrconf with all zeroes was
copied/sent.
In case of a ho_chan_activ_nack (sent due to another bug inside
both sysmobts and openbsc) the code would not stop the timer
but free the datastructure. This can lead to a clear segfault
when the timer has expired. Create a "free" function which is
responsible to detach the handover structure, stop the timer
(which is idempotent) and free the structure.
In case a BTS is dropped, iterate over the list of BTS and check
if a dependency is now missing and then drop the BTS. This check
could lead to check of 256*256 checks (e.g. all BTS on each other
in the chain and the master is being dropped). The performance
aspect of it doesn't matter for our usecase. We expect to have
pairs of BTS right now.
E.g. for the sysmoBTS2050 we have the requirement that the first
board connects before the second due to clocking. The easiest point
to enforce this is the BSC. Add a simple bitmask based system to
allow to express dependencies for IP based systems.
This commit mainly extends sgsn_auth.c to use and support the
auth_state SGSN_AUTH_AUTHENTICATE. It will be activated when IMSI and
IMEI are available, authentication is required
(subscr->sgsn_data->authenticate is set), but the MM context is not
marked as authenticated. If the state has been set to
SGSN_AUTH_AUTHENTICATE and sgsn_auth_update() is called, the GMM
layer will be informed by invoking gsm0408_gprs_authenticate().
Sponsored-by: On-Waves ehf
Currently the Authentication and Ciphering procedure is not yet
invoked by the GMM layer.
This patch starts this procedure from within gsm48_gmm_authorize when
the mm->auth_state has been set to SGSN_AUTH_AUTHENTICATE and a call
to gsm0408_gprs_authenticate has been issued directly or indirectly
by the call to sgsn_auth_request.
Sponsored-by: On-Waves ehf