cellular-infrastructure
/
osmo-sgsn
mirror of https://gerrit.osmocom.org/osmo-sgsn
9
0
Fork 0
Code Issues Releases Wiki Activity

gmm: Fix assertion hit during RA UPD REQ before completting gmm attach 

Output:
20191107021548500 DMM <0002> gprs_gb.c:40 MM_STATE_Gb(2596296189)[0x6120000084a0]{Idle}: Received Event E_MM_PDU_RECEPTION
20191107021548500 DMM <0002> gprs_gmm.c:1531 MM(/d4b6d7af) -> GMM RA UPDATE REQUEST type="RA updating"
20191107021548501 DMM <0002> gprs_gmm.c:1615 MM(/d4b6d7af) The MM context cannot be used, RA: 901-70-2758-208
Assert failed mmctx->gb.llme == NULL gprs_gmm.c:1620

Scenario reproducing the crash can be triggered with TTCN3
SGSN_Tests.TC_attach_req_id_req_ra_update.

Basically, SGSN first receives an ATTACH REQ with a given RA ID, then
SGSN switches to state CommonProcedureInitiated and sends GMM ID REQ,
and MS/PCU answers immediatelly with a RA Update instead with a new RA
ID.

Related: OS#3957, OS#4245
Change-Id: I64fa5cf1b427d3abb99e553e584897261a827ce6
This commit is contained in:
Pau Espin 2019-11-08 18:50:25 +01:00
parent 284314ab0a
commit de80976d94
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/sgsn/gprs_gmm.c
View File

@ -1615,9 +1615,9 @@ static int gsm48_rx_gmm_ra_upd_req(struct sgsn_mm_ctx *mmctx, struct msgb *msg,
osmo_rai_name(&mmctx->ra));
/* mmctx is set to NULL and gprs_llgmm_unassign(llme) will be
called below, let's make sure we don't keep dangling llme
pointers in mmctx (OS#3957). */
pointers in mmctx (OS#3957, OS#4245). */
if (mmctx->ran_type == MM_CTX_T_GERAN_Gb)
OSMO_ASSERT(mmctx->gb.llme == NULL);
mmctx->gb.llme = NULL;
mmctx = NULL;
}