osmo-pcu

Commit Graph

Author	SHA1	Message	Date
Holger Hans Peter Freyther	9d938388f6	emu: Add a crash re-producer for the SGSN (and the concept of tests) Introduce the concept of tests that will be ran one after the other. This new test will send static message that will lead to the opening of a PDP context. At this point one should use ping with a large packet size and suspend/stop the emulator. Once the NS connection is considered dead the SGSN will crash with a double free. Reproduce: 0.) Add IMSI 901700000003094 to the ACL 1.) Stop/Suspend the emulation process so the NS Alive times out 2.) Use ping IP -s 2048 This will create a double free... #4 0xb7bb2646 in talloc_abort_double_free () at talloc.c:175 #5 0xb7bbd41a in talloc_chunk_from_ptr (ptr=0x8091208) at talloc.c:190 #6 _talloc_free (ptr=0x8091208) at talloc.c:517 #7 talloc_free (ptr=ptr@entry=0x8091208) at talloc.c:990 #8 0xb7bb319b in msgb_free (m=m@entry=0x8091208) at msgb.c:72 #9 0x0804db54 in sndcp_send_ud_frag (fs=0xbfffcc6c) at gprs_sndcp.c:423 #10 sndcp_unitdata_req (msg=msg@entry=0x808eed8, lle=0x808fbc8, nsapi=5 '\005', mmcontext=mmcontext@entry=0x80903e8) at gprs_sndcp.c:471	2013-09-04 21:29:00 +04:00
Holger Hans Peter Freyther	bc1e52cfbf	emu: Use OpenBSC code to decode the LLC and add assertions Use the OpenBSC SGSN code to parse the LLC data and look into the data we receive. Add assertions to verify the the sequence number is increasing.	2013-09-04 21:28:53 +04:00
Holger Hans Peter Freyther	741481d3e0	emu: Send a static GPRS ATTACH request and wait for the reply. This will send a static message. It will trigger the GMM code on the SGSN and might ask us for the IMEI/IMSI or send us an accept. As we are not replying at all the SGSN needs to send new requests and we can observe if the sequence number is increasing like it should.	2013-09-04 21:28:53 +04:00

Author

SHA1

Message

Date

Holger Hans Peter Freyther

9d938388f6

emu: Add a crash re-producer for the SGSN (and the concept of tests)

Introduce the concept of tests that will be ran one after the other.
This new test will send static message that will lead to the opening
of a PDP context. At this point one should use ping with a large
packet size and suspend/stop the emulator. Once the NS connection is
considered dead the SGSN will crash with a double free.

Reproduce:
0.) Add IMSI 901700000003094 to the ACL
1.) Stop/Suspend the emulation process so the NS Alive times out
2.) Use ping IP -s 2048

This will create a double free...

 #4  0xb7bb2646 in talloc_abort_double_free () at talloc.c:175
 #5  0xb7bbd41a in talloc_chunk_from_ptr (ptr=0x8091208) at talloc.c:190
 #6  _talloc_free (ptr=0x8091208) at talloc.c:517
 #7  talloc_free (ptr=ptr@entry=0x8091208) at talloc.c:990
 #8  0xb7bb319b in msgb_free (m=m@entry=0x8091208) at msgb.c:72
 #9  0x0804db54 in sndcp_send_ud_frag (fs=0xbfffcc6c) at gprs_sndcp.c:423
 #10 sndcp_unitdata_req (msg=msg@entry=0x808eed8, lle=0x808fbc8, nsapi=5 '\005',
    mmcontext=mmcontext@entry=0x80903e8) at gprs_sndcp.c:471

2013-09-04 21:29:00 +04:00

Holger Hans Peter Freyther

bc1e52cfbf

emu: Use OpenBSC code to decode the LLC and add assertions

Use the OpenBSC SGSN code to parse the LLC data and look into
the data we receive. Add assertions to verify the the sequence
number is increasing.

2013-09-04 21:28:53 +04:00

Holger Hans Peter Freyther

741481d3e0

emu: Send a static GPRS ATTACH request and wait for the reply.

This will send a static message. It will trigger the GMM code
on the SGSN and might ask us for the IMEI/IMSI or send us an
accept. As we are not replying at all the SGSN needs to send new
requests and we can observe if the sequence number is increasing
like it should.

2013-09-04 21:28:53 +04:00

3 Commits