Currently an error_cause of 0 is being used to indicate normal
operation. Albeit this is not a defined GMM cause, the value is not
explicitly reserved.
This commit adds the macro SGSN_ERROR_CAUSE_NONE and uses it for
initialisation (instead of relying on talloc_zero) and comparisons.
The value is set to -1 to be on the safe side. The VTY code is
updated to set the error_cause when using the
'update-subscriber imsi IMSI update-location-result CAUSE' command.
Sponsored-by: On-Waves ehf
Currently the access to subscr->sgsn_data->error_cause is not
protected against subscr == NULL like it is done in other code paths
of sgsn_auth_update.
This commit adds a conditional to avoid a NULL-dereference.
Fixes: Coverity CID 1264589
Sponsored-by: On-Waves ehf
Currently, if assert_subscr were called with subscr == NULL, the
later call to subscr_put might fail, as Coverity has complained. In
addition, the call to subscr_put would free the subscr object if it
were in the cache with a refcount of 0 at the time assert_substr was
called.
This patch adds a check for the subscr being non-NULL and reorders
the checks, so that the subscr_put comes last.
Fixes: Coverity CID 1264590
Sponsored-by: On-Waves ehf
Currently sgsn_alloc_ptmsi uses rand() to get a new P-TMSI and then
sets to upper 2 MSB. Therefore there is no lower limit of the
distance between 2 identical P-TMSI.
This patch changes the implementation to discard any random value
above 2^30 and to generate a new random number in that case until a
fitting number is found (or a repetition limit is reached). This way,
all number below 2^30 within the PRNG's period are used.
Ticket: OW#1362
Sponsored-by: On-Waves ehf
Currently no GSUP LocationCancellationResult message is sent back to
the peer (HLR), if the procedure succeeded at the SGSN's side.
This patch adds the missing message and put the whole request
handling of this procedure into a separate function.
Ticket: OW#1338
Sponsored-by: On-Waves ehf
Currently gprs_subscr_rx_gsup_message creates a subscriber entry if
such an entry doesn't exist for the IMSI within an
InsertSubscriberData GSUP message. This behaviour is not compliant to
GSM 09.02, 20.3.3.2 (Subscriber data management/SGSN) where it is
defined, that an error ("Unidentified subscriber") shall be returned.
This patch removes the case distinction, so that an existing
subscriber entry is required for all incoming GSUP messages.
Sponsored-by: On-Waves ehf
Currently, an incoming GSUP request message isn't answered at all if
it is not handled due to an error or missing implementation.
This patch adds GSUP error replies for these requests (and only for
requests). It also adds tests for these cases.
Note that several of these tests check for
GMM_CAUSE_MSGT_NOTEXIST_NOTIMPL, which will have to be changed, when
the features are implemented.
Sponsored-by: On-Waves ehf
GSM 09.02, 19.4.1.4 mandates that no other MAP procedures shall be
started until the PURGE_MS procedure has been completed.
This patch implements this by adding corresponding state and checks
to gprs_subscr_purge, gprs_subscr_location_update, and
gprs_subscr_update_auth_info. If an Update Location or a Send Auth
Info Req procedure is not started because of blocking, the retry
mechanism is aborted to shorten the blocking time. The outstanding
Purge MS procedure itself is not aborted.
Sponsored-by: On-Waves ehf
Currently, when the PURGE_MS_REQ to the HLR gets lost (e.g. by a
connection or peer failure), the expired subscriber entry will not get
deleted.
This commit adds a retry mechanism then restarts the procedure after
a timeout (currently 10s). The maximum number of retries is limited
(currently to 3 PURGE_MS messages). If none of these procedures is
completed (either with success or error), the subscriber data is
deleted.
Sponsored-by: On-Waves ehf
When a subscriber entry is going to be deleted by SGSN and when the
subscriber info has been obtained from a remote peer via GSUP, the
peer should be informed before the entry is really deleted. For this
purpose, MAP defines the PURGE MS procedure (see GSM 09.02, 19.1.4).
This patch adds support for the PURGE_MS_REQ/_ERR/_RES messages and
invokes the procedure when the subscriber entry is going to be
removed. This only applies if GSUP is being used, the Update
Location procedure has been completed successfully, and the
subscriber has not been cancelled. The removal of the entry is
delayed until a PURGE_MS_RES or PURGE_MS_ERR message is received.
Note that GSM 09.02, 19.1.4.4 implies that the subscriber data is not
to be removed when the procedure fails which is not the way the
feature has been implemented.
Note that handling 'P-TMSI freezing' is not implemented.
Ticket: OW#1338
Sponsored-by: On-Waves ehf
This commit implements the encoding and decoding of the messages
- Purge MS Request
- Purge MS Error
- Purge MS Result
and adds corresponding tests.
Sponsored-by: On-Waves ehf
Currently the definitions of the message PURGE_MS_RES and
PURGE_MS_ERR are missing in the specification.
This patch adds those definitions.
Sponsored-by: On-Waves ehf
This commit adds talloc reports to log remaining NULL chunks after the
terminates. It also adds explicit checks for empty subscriber lists.
Sponsored-by: On-Waves ehf
This test replaces gprs_gsup_client_send by a custom function, that
emulates a GSUP remote peer by calling gprs_subscr_rx_gsup_message
with responses for all requests. It then executes a full
Attach/Detach cycle.
Sponsored-by: On-Waves ehf
Set the expiry delay after the subscriber has been deleted (e.g. by
freeing the MM context). If cancelled, the subscriber will be deleted
immediately and no timeout will be set. If the expiry time is set to
SGSN_TIMEOUT_NEVER, no timer will be started and the subscriber entry
will be kept until it is cancelled.
The following VTY command is added to the sgsn node:
- subscriber-expiry-time <0-999999> set expiry time in seconds
- no subscriber-expiry-time set to SGSN_TIMEOUT_NEVER
The default is an expiry time of 0 seconds, which means that the
subscriber entries are wiped out immediately after an MM context is
destroyed.
Note that unused MM contexts are not expired yet. Therefore the
subscriber will only be expired after a successful MM detach.
Sponsored-by: On-Waves ehf
The code sequence that checks, whether a subscriber is still
reachable for a given IMSI, is repeated several times.
This patch puts this code sequence into a single function and adds a
check for the IMSI after the entry has been found. In addition,
some comments are extended.
Sponsored-by: On-Waves ehf
Currently the subscribers are not really deleted by
cleanup_subscr_by_imsi, but kept in RAM instead.
This patch fixes this and adds a test to verify, that the subscriber
is really deleted afterwards.
Sponsored-by: On-Waves ehf
Currently the error causes MSC_TEMP_NOTREACH, NET_FAIL, and
CONGESTION are silently dropped to force the MS to continue. On the
other hand, GSM 04.08/24.008, 4.7.3.1.4 in combination with 4.7.3.1.5,
require the MS to retry the attachment procedure for cause codes
above 15 instead of disabling GPRS. All of the mentioned GMM causes
have codes above 15, so using a REJECT message including the cause
code is a better choice. This way, the retry algorithm based on T3311
(15s, 5 times) and T3302 (default 12min) could be used.
This patch modifies gprs_subscr_handle_gsup_auth_err and
gprs_subscr_handle_gsup_upd_loc_err to proceed like when the access
has beed denied, except that the corresponding subscriber's
information fields are not cleared.
This has been successfully tested which an iphone which enters a
retry loop as it is being described in the specification.
Sponsored-by: On-Waves ehf
To unify the layout of the logging messages in gprs_subscriber.c,
this patch replaces each LOGP by LOGGSUBSCRP, unless a non-NULL
pointer to a subscr is not available. In those cases, it uses
LOGMMCTXP if a pointer to an MM context is available or LOGP
otherwise.
Sponsored-by: On-Waves ehf
This patch adds a new logging macro, that logs to DGPRS and provides
a uniform prefix containing the IMSI without using the mm reference.
This is an improvement over using LOGMMCTXP, since the new macro also
provides an IMSI if no MM context is attached.
Sponsored-by: On-Waves ehf
Currently the GSUP message handling function in gprs_subscriber.c and
the functions in gprs_gsup_messages.c are not consistent with respect
to the return codes if an error happens. Albeit all error return
codes are negative, the semantics of the absolute value are not
clearly defined. In addition, some return codes are not passed to the
calling function.
This path changes these functions to always return a negated GMM
cause value in case of errors. Return values of called parser
functions are not longer ignored.
Sponsored-by: On-Waves ehf
Currently always a cause with the meaning of 'access denied' is
assumed. gprs_subscr_handle_gsup_auth_err just clears the auth
triplets and the authorized flag before calling the update function.
gprs_subscr_handle_gsup_upd_loc_err only clears the authorized flag
and calls the update function. This means, that an MS will not retry
to attach even on temporary network errors.
This patch changes these functions to use the GSUP error cause value
to decide, whether to clear the corresponding subscriber fields, to
just continue with the corresponding update function, or to log,
ignore and not pass the cause to the MS in case the error is directly
related to the GSUP protocol. The subscriber's error_cause field is
updated, if the update function is going to be called. The
error_cause fielt is reset on non-error GSUP messages.
Sponsored-by: On-Waves ehf
This patch extends gsm0408_gprs_access_denied and
gsm0408_gprs_access_cancelled to accept GMM cause codes. These are
then passed to the MS, unless gsm0408_gprs_access_cancelled is called
with cause 0 (no error -> updateProcedure).
Since gsm0408_gprs_access_denied uses GMM_CAUSE_GPRS_NOTALLOWED if
the cause is not set, and the subscriber's error_cause is never set
(and thus always 0), the SGSN's behaviour does not change with this
patch.
Sponsored-by: On-Waves ehf
Conflicts:
openbsc/include/openbsc/gprs_sgsn.h
[hfreyther: Conflict due the removal of the unused
authenticate flag]
Currently the mapping between GSM 04.08 (GPRS) protocol specific
numbers and their textual description was put into gprs_gmm.c and not
exported.
This commit moves the mappings to a new file gsm_04_08_gprs.c,
renames some of them, and exports them via gsm_04_08_gprs.h.
The following identifiers are renamed to match the corresponding type
names:
- gmm_cause_names -> gsm48_gmm_cause_names
- gsm_cause_names -> gsm48_gsm_cause_names
Sponsored-by: On-Waves ehf
This commit adds a line to the output of 'show sgsn' if the GSUP
client has been initialized:
- Remote authorization: [not] connected to HOST:PORT via GSUP
Sponsored-by: On-Waves ehf
Currently, the reconnect mechanism relies on gsup_client_updown_cb
which in turn gets called based on the OS' view of connection state.
This patch adds a timer based PING mechanism that regularly sends
PING messages and forces a reconnect if a PONG message won't be
received until the next PING message is scheduled. The current ping
interval is 20s.
Sponsored-by: On-Waves ehf
Conflicts:
openbsc/src/gprs/gprs_gsup_client.c
[hfreyther: Conflicts due the potential memleak fix by me. Removed
another TODO from the code as we stop the ping/pong timer]
Currently the IPA CCM messages are not handled by the GSUP client.
This means, that the client doesn't answer to PING and ID_GET and
logs notices when receiving PONG or ID_ACK. At least the PING
functionality (remotely originated PING) shall be supported.
This patch extends gsup_client_read_cb by a call to
ipaccess_bts_handle_ccm. Only when the return code is 0, the message
is processed further and checked for an OSMO/GSUP message. ID_GET
messages are answered by a dummy description, where only the
unit_name is set to 'SGSN'.
Sponsored-by: On-Waves ehf
The ipa_client_conn_open function does not distinguish between a
connection being already established or waiting for establishment.
In either case, the application gets informed about the connection
state via the updown_cb. The 'up' parameter is only set, if
poll/select consider the socket as writable.
This patch handles both cases equally and fully relies on the
updown_cb to adjust the gsupc obejct state.
Sponsored-by: On-Waves ehf
Currently, messages are added to the tx queue even if the connection
is down for some reason and all of these messages are eventually sent
after a re-connect. The MS has probably sent several Attach Requests
while the connection was down and will continue doing so. Therefore
these stored messages could be dropped.
This patch clears the queue before re-connecting and also extends
gprs_gsup_client_send to return immediately, when the connection is
not established instead of calling ipa_client_conn_send.
Sponsored-by: On-Waves ehf
[hfreyther: Replaced
while (!llist_empty(&gsupc->link->tx_queue))
llist_del(gsupc->link->tx_queue.next);
with new libosmo-abis API]
Currently the GSUP connection to a server is not restarted if the
connection cannot be established or is terminated during operation.
This commit adds a timer based connection mechanism, basically
consisting of a timer callback that calls gsup_client_connect. The
timer is eventually triggered (up == 0) or cleared (up != 0) by
gsup_client_updown_cb. It adds calls to osmo_timer_del() to
gsup_client_connect and gprs_gsup_client_destroy. The latter is now
called instead of talloc_free in gprs_gsup_client_create on error to
be on the safe side.
Sponsored-by: On-Waves ehf
This patch extends test_gmm_attach to optionally resend Attach
Requests until the SGSN responds to it instead of calling
OSMO_ASSERT at a few places. The test_gmm_attach_subscr_gsup_auth
test optionally uses this feature. It is called once in either mode.
Sponsored-by: On-Waves ehf
This test calls test_gmm_attach() where the mocked subscriber
functions insert GSUP messages instead of manipulating the
subscriber structure directly.
Sponsored-by: On-Waves ehf
Currently, several lines of boiler plate are needed around a call to
gprs_subscr_rx_gsup_message.
This patch puts all of this (including the call to
gprs_subscr_rx_gsup_message) into a separate function.
Sponsored-by: On-Waves ehf
This flag is used to determine, whether the Update Location procedure
shall be invoked. This is currently only set, when the 'remote'
authorization policy is set. When the flag is set, sgsn_auth_update
will not never be called directly by sgsn_auth_request, if an Attach
Request procedure is pending, even if the remote connection fails for
some reason.
Sponsored-by: On-Waves ehf
Currently the flag 'authenticate' is managed per subscriber.
This patch replaces that flag by a global cfg.require_authentication
flag that enables/disables the use of the Auth & Ciph procedure for
every subscriber. The flag is set by the VTY, if and only if the
authorization policy is 'remote'.
The VTY command
- update-subscriber imsi IMSI insert authenticate <0-1>
is removed.
Sponsored-by: On-Waves ehf
This commit adds GSUP client configuration (via VTY), connection set
up, and real message sending.
The following configuration commands are added:
- gsup remote-ip A.B.C.D set server IP address
- gsup remote-port PORT set server TCP port
Ticket: OW#1338
Sponsored-by: On-Waves ehf
This commit adds the client code to get subscriber information from a
remote server. It provides an IPA over TCP connection to transmit and
receive GSUP messages.
Sponsored-by: On-Waves ehf
Currently the message structure is not cleared before the message is
parsed which can cause information leaking between messages if the
same gprs_gsup_message object is used. Especially list elements (auth
tuples and pdp info) are not replaced by an IE, but the IE is
appended.
This patch uses the assignment operator to clear gprs_gsup_message,
gsm_auth_tuple, and gprs_gsup_pdp_info before using them. This also
replaces the use of memcpy of the latter.
Sponsored-by: On-Waves ehf
Currently auth tuples are always appended to the lists when
gprs_gsup_decode is called with a gsup_msg structure. This makes a
test case fail, where the same gsup_msg is used again and again
without clearing it after each use.
Sponsored-by: On-Waves ehf
Currently, the gprs_gsup_decode function doesn't check the return
value of gprs_shift_v_fixed before using the value pointer. The
function fails, if the GSUP message length (not including IPA
headers) is 0. In this case, a segfault can happen, depending on the
value of the uninitialized 'value' pointer. The test case doesn't
trigger a segfault, but valgrind complains about reading
uninitialized data.
This patch adds a check for the return value that would return with
an error code if the shift function failed.
Sponsored-by: On-Waves ehf
Currently, the tests only use valid GSUP messages. This does not
check the robustness of the parser.
This commit adds a test for truncated messages and another for
modified messages.
Thanks to Holger for the basic truncation test.
Sponsored-by: On-Waves ehf
Currently the mocked bssgp_tx_dl_ud function used for testing in
sgsn_test.c does not free the msg as it is done by the original
function. This leads to a msgb leak in the test.
This patch fixes the test code accordingly and uncomments the
assertion that checks for left-over msgbs.
Sponsored-by: On-Waves ehf
This commit adds talloc reports to log remaining chunks after the
testing has been finished. It also adds a (currently disabled) check,
that no msgbs are allocated after running the tests.
Sponsored-by: On-Waves ehf
This patch extends gprs_subscr_query_auth_info and
gprs_subscr_location_update to create GSUP messages with the help of
a static gprs_subscr_tx_gsup_message function. A corresponding
gprs_subscr_rx_gsup_message is added which takes a messages, gets the
subscr, and updates it accordingly.
Sponsored-by: On-Waves ehf
[hfreyther: Added a msgb_free gprs_subscr_tx_gsup_message]
This patch adds functions to encode and decode GSUP messages. This
does not include the layer 1 framing (IPA). The messages so far
supported are: send_auth_info_*, update_location_*,
location_cancellation_*.
Sponsored-by: On-Waves ehf
Currently the result of the osmo_hexparse function in
update_subscr_insert_auth_triplet is not handled correctly. There is
a misplaced leading exclamation mark in a few conditional
expressions. This effectively disables the error checks, as it is
noticed by Coverity ("Missing parentheses" followed by "Logically
dead code").
This patch removes the exclamation marks.
Fixes: Coverity CID 1260435 and CID 1260434
Sponsored-by: On-Waves ehf
The code assumes that sqlite3.h is in the standard include
path. Maybe sqlite3 wasn't installed or resides in a non
standard (/usr/local) location? Fix the build as it has been
broken since 1st of January.
This is a normal situation under high load: The BTS is out of resources
and the BSC cannot allocate any dedicated channel. We may send an IMM
ASS REJECT back to the MS. All well within normal parameters, not an
error that needs to be reported back to the caller, who propagates it
all the way up to libosmo-abis.
Move the "logging filter imsi IMSI" into the BTS/NITB code to
allow to set the gsm_subscriber and only compare it. This way
we simply compare the subscriber address and don't have to care
if the subscriber data is still valid.
Most of the "fixes" have nothing to do with gcc-4.9.2 but are a
question of ABI/Architecture (e.g. x86 vs. AMD64). Revert these
for now.
This partially reverts commit 7b1d25a11e.
abis_test.c: In function ‘test_simple_sw_config’:
abis_test.c:68:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - simple_config, descr[0].len);
^
abis_test.c: In function ‘test_dual_sw_config’:
abis_test.c:111:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - dual_config, descr[0].len);
^
abis_test.c:115:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[1].start - dual_config, descr[1].len);
^
abis_test.c: In function ‘test_sw_selection’:
abis_test.c:132:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - load_config, descr[0].len);
^
abis_test.c:136:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[1].start - load_config, descr[1].len);
In fact, the DB write code has been split out so we could later also
have a binary that would listen to realtime meas_feed packets and stuff
them into a database without any intermediate PCAP step.
The database schema contains a couple of convenience wrapper views, most
notably the "overview" view.
This extends osmo_nitb to offer a UDP feed of real-time measurement
reports, which can be used by (a variety of) external tools for
visualization or other processing.
We also add a small ncurses based tool (meas_vis) which shows a
baragraph display of the last few mobile stations that were active,
indicating their uplink/downlink receive level and quality.
<WARNING>
This sends non-portable structures like gsm_meas_rep over UDP
and assumes the receiver has identical alignment and endianness! Before
this feature is merged, it either needs to be converted to a unix domain
socket (but they don't do multicast, which would be nice) or the wire
format needs to change into something portable with defined alignment
and encoding
</WARNING>
The idea of ts_alloc()/ts_free() dates back to the very early days of
OpenBSC, where we didn't yet have a fixed PCHAN type assigned for every
lchan in a BTS. However, ever since, PCHAN types (channel combinations)
are configured by OML in a certain way, and we only allocate LCHANs
inside PCHANs of a matching type. There should be no PCHANs with
type GSM_PCHAN_NONE, unless those that you don't want to use for
administraive reasons or the like.
show net with an CCCH+SDCCH/4+CBCH channel active caused bts_chan_load to read
from invalid memory. Fix this by making sure the pchan array is large enough.
==30346==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9bdc5dc8 at pc 0x5aeece bp 0x7fff9bdc5350 sp 0x7fff9bdc5348
READ of size 4 at 0x7fff9bdc5dc8 thread T0
#0 0x5aeecd in bts_chan_load /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/chan_alloc.c:490
#1 0x5af706 in network_chan_load /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/chan_alloc.c:511
#2 0x4b7410 in net_dump_vty /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_vty.c:208
#3 0x4b5f23 in show_net /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_vty.c:227
#4 0x7fdabaa425bd in cmd_execute_command_real /home/alphaone/scm/osmo/libosmocore/src/vty/command.c:2042
#5 0x7fdabaa3f124 in cmd_execute_command /home/alphaone/scm/osmo/libosmocore/src/vty/command.c:2077
#6 0x7fdabaa850e9 in vty_command /home/alphaone/scm/osmo/libosmocore/src/vty/vty.c:402
#7 0x7fdabaa75962 in vty_execute /home/alphaone/scm/osmo/libosmocore/src/vty/vty.c:666
#8 0x7fdabaa6d947 in vty_read /home/alphaone/scm/osmo/libosmocore/src/vty/vty.c:1408
#9 0x7fdabaa9165f in client_data /home/alphaone/scm/osmo/libosmocore/src/vty/telnet_interface.c:119
#10 0x7fdaba7860b6 in osmo_select_main /home/alphaone/scm/osmo/libosmocore/src/select.c:160
#11 0x43c656 in main /home/alphaone/scm/osmo/openbsc/openbsc/src/osmo-nitb/bsc_hack.c:355
#12 0x7fdab92604bc (/lib64/libc.so.6+0x224bc)
#13 0x43b6cc (/home/alphaone/local/osmo-asan/bin/osmo-nitb+0x43b6cc)
Address 0x7fff9bdc5dc8 is located in stack of thread T0 at offset 232 in frame
#0 0x4b5faf in net_dump_vty /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_vty.c:182
This frame has 3 object(s):
[32, 40) ''
[96, 104) ''
[160, 224) 'pl'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/chan_alloc.c:490 bts_chan_load
==25637==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff3f587c43 at pc 0x5bf591 bp 0x7fff3f587630 sp 0x7fff3f587628
READ of size 4 at 0x7fff3f587c43 thread T0
#0 0x5bf590 in tv_fixed_put /home/alphaone/local/osmo-asan/include/osmocom/gsm/tlv.h:237
#1 0x5b7e14 in generate_si4 /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:607
#2 0x5b488b in gsm_generate_si /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:882
#3 0x4cb247 in gsm_bts_trx_set_system_infos /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:166
#4 0x4d3c26 in bootstrap_rsl /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:272
#5 0x4ced44 in inp_sig_cb /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:316
#6 0x7f4f15b563d7 in osmo_signal_dispatch /home/alphaone/scm/osmo/libosmocore/src/signal.c:105
#7 0x7f4f156c0e3f in e1inp_int_snd_event (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x17e3f)
#8 0x7f4f156be7e5 in e1inp_event (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x157e5)
#9 0x583a6a in ipaccess_sign_link /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bts_ipaccess_nanobts.c:675
#10 0x7f4f156e63b0 in handle_ts1_read (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x3d3b0)
#11 0x7f4f156e4f4e in ipaccess_fd_cb (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x3bf4e)
#12 0x7f4f15b540b6 in osmo_select_main /home/alphaone/scm/osmo/libosmocore/src/select.c:160
#13 0x43c656 in main /home/alphaone/scm/osmo/openbsc/openbsc/src/osmo-nitb/bsc_hack.c:355
#14 0x7f4f1462e4bc (/lib64/libc.so.6+0x224bc)
#15 0x43b6cc (/home/alphaone/local/osmo-asan/bin/osmo-nitb+0x43b6cc)
Address 0x7fff3f587c43 is located in stack of thread T0 at offset 483 in frame
#0 0x5b712f in generate_si4 /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:580
This frame has 8 object(s):
[32, 40) ''
[96, 104) ''
[160, 164) 'rc'
[224, 232) 'si4'
[288, 296) 'cbch_lchan'
[352, 360) 'restoct'
[416, 420) 'l2_plen'
[480, 483) 'cd'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alphaone/local/osmo-asan/include/osmocom/gsm/tlv.h:237 tv_fixed_put
We can now configure the pyisical channel types for CBCH either in the
CCCH+SDCCH4 or in the SDCCH8 chanel combination.
Depending on whether a CBCH exists on the BTS, we also generate the SI4
with matching CBCH channel description to notify the phones of the
existance of the CBCH.
There is now a VTY command how a SMS-CB message can be sent to a given
BTS.
We do not yet have any logic at all for actual scheduling of multiple
CBCH RSL messages towards one or multiple BTSs yet, though.
We tend to comment out this code every XXC3, let's just get rid
off it. The nanoBTS has a rather odd timing behavior. Jacob has
spent hours this summer to trial/document/fix it in the MGCP code
and this code is not getting close to working around the ip.access
audio issues.
If someobody still wants to use the nanoBTS then he should help
to have the MGCP MGW use/share code with the rtp_proxy.c
This implements the MAP way of subscriber validation when the MS
tries to perform an Attach Request:
1. perform authentication (optionally invoke the sendAuthInfo
procedure), starts the Auth & Ciph procedure
2. perform update location
3. insert subscriber data
4. finish the update location
5. Attach Accept / Attach Reject
The authentication triplets are used and eventually updated if all of
them have been used.
This is currently accessible via the VTY interface by the following
commands:
- update-subscriber imsi IMSI update-auth-info
- update-subscriber imsi IMSI update-location-result (ok|ERR-CAUSE)
Sponsored-by: On-Waves ehf
This commit add data structures, functions, initialization, and VTY
commands for per subscriber authentication triplets.
The following VTY command is added:
- update-subscriber imsi IMSI \
insert auth-triplet <1-5> sres SRES rand RAND kc KC
Note that the triplets are not really used by the SGSN yet.
Sponsored-by: On-Waves ehf
Currently, when a BSSGP SUSPEND is received and the corresponding MM
context is already in the state GMM_REGISTERED_SUSPENDED, a
SUSPEND_NACK is returned which is not covered by GSM 08.18, 7.4.1.
The same goes for RESUME in the state GMM_REGISTERED_NORMAL.
This commit changes gprs_gmm_rx_suspend and gprs_gmm_rx_resume to not
complain (and thus answer a NACK) when the MM context is either in
GMM_REGISTERED_SUSPENDED or GMM_REGISTERED_NORMAL.
Note that GSM 08.18, 7.4.1 and 7.5.1 only mention to send an NACK if
the MS is not known. Even with this patch, the SGSN returns a NACK if
either the MS is unknown _or_ the MM context ist not in one of the
state GMM_REGISTERED_SUSPENDED and GMM_REGISTERED_NORMAL.
Sponsored-by: On-Waves ehf
Currently the parser functions for single information elements are
defined within gprs_gb_parse.c and not exported explicitely. In
addition they are named like libosmocore's TLV parser functions and
do not have a proper name prefix. Since it is planned to use them for
other protocols, they need to be globally accessible.
This patch moves them to gprs_utils.c and renames them.
The new names are:
lv_shift -> gprs_shift_lv
v_fixed_shift -> gprs_shift_v_fixed
lv_shift -> gprs_shift_lv
v_fixed_shift -> gprs_shift_v_fixed
In the long term, these functions should be moved to libosmocore (and
renamed again).
Sponsored-by: On-Waves ehf
The new lchan will be in speech mode already but for AMR we will
need to provide a working multirate config in the channel activation,
otherwise the channel act might be nacked.
Copy the config from the current lchan into the new lchan. The
abis code simply added the mrconf if the speech mode was amr.
Before this commit the invalidate mrconf with all zeroes was
copied/sent.
In case of a ho_chan_activ_nack (sent due another bug inside
both sysmobts and openbsc) the code would not stop the timer
but free the datastructure. This can lead to a clear segfault
when the timer has expired. Create a "free" function which is
responsible to detach the handover structure, stop the timer
(which is idempotent) and free the structure.
In case a BTS is dropped, iterate over the list of BTS and check
if a dependency is now missing and then drop the BTS. This check
could lead to check of 256*256 checks (e.g. all BTS on each other
in the chain and the master is being dropped). The performance
aspect of it doesn't matter for our usecase. We expect to have
pairs of BTS right now.
E.g. for the sysmoBTS2050 we have the requirement that the first
board connects before the second due clocking. The easiest point
to enforce this is the BSC. Add a simple bitmask based system to
allow to express dependencies for IP based systems.
This commit mainly extends sgsn_auth.c to use and support the
auth_state SGSN_AUTH_AUTHENTICATE. It will be activated when IMSI and
IMEI are available, authentication is required
(subscr->sgsn_data->authenticate is set), but the MM context is not
marked as authenticated. If the state has been set to
SGSN_AUTH_AUTHENTICATE and sgsn_auth_update() is called, the GMM
layer will be informed by invoking gsm0408_gprs_authenticate().
Sponsored-by: On-Waves ehf
Currently the Authentication and Ciphering procedure is not yet
invoked by the GMM layer.
This patch starts this procedure from within gsm48_gmm_authorize when
the mm->auth_state has been set to SGSN_AUTH_AUTHENTICATE and a call
to gsm0408_gprs_authenticate has been issued directly or indirectly
by the call to sgsn_auth_request.
Sponsored-by: On-Waves ehf
Currently the gprs_subscr_update function is called when the
'update-subscriber ... insert ...' command is executed. This will
eventually notify the GMM layer which is rather the purpose of the
'commit' command.
This patch removes the call from update_subscr_insert.
Sponsored-by: On-Waves ehf
There will be an increasing number of SGSN related fields per
subscriber. Instead of extending gsm_subscriber accordingly, a single
struct sgsn_subscriber_data object is assigned to it. The talloc
context used to allocated that object is the subscr object itself.
Therefore it will be freed automatically along with the subscr
object.
Sponsored-by: On-Waves ehf
Jacob Erlbeck
Harald Welte