Commit Graph

4307 Commits

Author SHA1 Message Date
Vadim Yanitskiy 0578c288ec gb: fix uninitialized ptr access in bssgp_encode_rim_pdu()
Jumping to label 'error' before allocating memory and storing an
address to pointer 'rim_cont_buf' would result in passing garbage
to talloc_free().  Found with clang 14.

Change-Id: I9420615b64d3755fd9131e8561c516c39f83a15b
2022-07-04 20:50:17 +07:00
Mychaela Falconia 605c9e63bb gsm48_ie: fix parsing of Bearer capability IE without octet 3a
The testcase in gsm0408_test is still failing because the encoder
produces a different result (with octet 3a present).  There is no
way to tell the encoder to use the implicit coding, and in general
this is not that critical, so we can live with that.

Change-Id: I722c168f01bffa915cb155eac234a796549d3762
2022-07-03 07:01:15 +07:00
Vadim Yanitskiy 384e6a340c gsm48_ie: fix coding style: while is not a function
Change-Id: Id28bf61c5e1dfb6da1c89a5502eb869b67fed6c6
2022-07-03 06:48:56 +07:00
Vadim Yanitskiy 95fc8ea056 gsm0408_test: add a testcase for gsm48_decode_bearer_cap()
The new testcase contains a Bearer capability IE from Siemens S11E,
which does not use octet 3a (no extension bit set in octet 3).
gsm48_decode_bearer_cap() currently fails to parse it.

Change-Id: Ia19f3f6d80bc09ca3f8d39d35b148a0c0245141f
2022-07-03 06:48:44 +07:00
Vadim Yanitskiy 1a077cb0ca gsm0408_test: do not return early in test_bearer_cap()
Currently, if one of the testcases fails, test_bearer_cap() would
abort and skip the remaining testcases.  Also, a msgb would not
be free()ed making the LeakSanitizer unhappy.

Instead of returning early, jump to the end of loop to ensure that:

* the verdict ('passed' or 'failed') is always printed,
* all remaining testcases are still executed,
* the msgb is free()ed.

Change-Id: I39ac801e59ba56dfe3bcd4603b48f6fbf7cfb21c
2022-07-03 06:07:09 +07:00
Pau Espin 8f577fbb5c cbsp: avoid potential msgb write overflow in osmo_cbsp_recv_buffered
>>>     CID 273001:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "needed" to "recv", which uses it as an offset.
1444                    rc = recv(fd, msg->tail, needed, 0);

Fixes: Coverity CID#273001
Change-Id: I17c558254f9c7907b56d61c53c2f597e8e4566cf
2022-07-01 14:22:09 +00:00
Pau Espin 09e5409cef iuup: Explicitly mark default case as unexpected with assert
That code path should not happen since this function is only called for
data frames coming with IUUP_FSM_EVT_IUUP_DATA_IND.
Control frames should come with specific events like
IUUP_FSM_EVT_IUUP_CONFIG_REQ.
Hence, let's add an assert to make sure we early exit if that ever
happens (it shouldn't), instead of carrying on reading uninitialized var
"dt".

Fixes: Coverity CID#272996
Change-Id: Iaeba59bc9ebfe817dbb7528572dc669c010ef14d
2022-06-29 18:19:38 +02:00
Vadim Yanitskiy 4f41d59f08 fix uninitialized err pointer passed to osmo_bssap_le_dec()
osmo_bssap_le_dec() dereferences value of the given pointer and
checks it against NULL.  The caller must always initialize it.

Change-Id: Id91dc73da1ca71827183564eb68b12c03ba332b3
2022-06-29 11:30:24 +00:00
Pau Espin a1584d237b Bump version: 1.6.0.132-0239-dirty → 1.7.0
Change-Id: Idb0d20aa4336a69cb100e140fb1fa9e7ac25b984
2022-06-28 17:00:51 +02:00
Harald Welte 0239620bd1 update git URLs (git -> https; gitea)
Change-Id: I22bc1dd5c8a33fbccc8cc6d0d8daf7f558f17f44
2022-06-17 23:20:26 +02:00
Pau Espin 079149e451 vty: command.c: Add assert
A program being developed right now crashed at this point, without
providing any meaningful information on where it crashed.

Change-Id: Ia14f43142e7409f72eb9efd5c9131bea5eed6e82
2022-06-17 20:28:01 +00:00
Neels Hofmeyr 044f0cd64c cosmetic tweak in Makefile.am
Change-Id: I141e502ffbb1a45f9751943d47766bdfbf77484a
2022-06-14 19:45:02 +02:00
Karsten Ohme 6772dd7c01 APDU parsing support for GlobalPlatform
This patch adds support for GlobalPlatform command. Android is using
STORE DATA commands on a logical channel.
simtrace2-cardem-pcsc is failing otherwise e.g. on a Pixel 4 with Android 12.

Change-Id: Ib734fc852e7b63b9efdc414adccbd796a572eb55
2022-06-13 19:09:04 +00:00
Pau Espin 3278f0fb3c iuup: Fix Handling of subsequent Initialization msgs
Once the IuUP FSM moved away from Init state, it stopped handling
Initialization messages received from peers and simply ignored them
starting from that point. As a result, if the first IuUP Init ACK it
sent to the peer was lost, the peer would keep retrying with more IuUP
Init and getting no answer.
In any case, it seems possible and desirable that a peer may send an
IuUP Init at a later point, as pointed out vaguely in 3GPP TS 25.415.

sec 6.5.2.1:
"""
Upon reception of a frame indicating that an Initialisation procedure is
active in the peer Iu UP entity, the Iu UP protocol layer forwards the whole
protocol information contained in the INITIALISATION control frame to the
upper layers. It also stores the RAB sub-Flow Combination set (and thus
replaces a possible previous set) in order to control during the transfer of
user data, that the Iu UP payload is correctly formatted (e.g. RFCI matches
the expected Iu UP frame payload total length). The peer Iu UP entity
receiving the INITIALISATION control frame shall choose a version that it
supports among the proposed versions indicated by the sender for which it
has enough initialisation information.
"""

sec B.2.2 "Initialisation State":
"""
After sending a positive acknowledgement of the last INITIALISATION control
frame, the Iu UP instance enters SMpSDU data transfer ready state. Note that
CN does not know if the initialisation ACK was correctly received by the RNC
(and Initialisation procedure successfully completed) until it receives RAB
assignment response, or use data from the RNC. The CN must therefore be able
to continue receiving INITIALISATION control frames by re-entering the
Initialisation state (from Support Mode Data Transfer Ready State), if the CN
has started to send user data before receiving the indication that
Initialisation was successfully completed
"""

sec B.2.3 "Support Mode Data Transfer Ready State":
"""
In case of handover or relocation, Initialisation procedures may have to be
performed and Iu UP instance may have to enter the initialisation state.
"""

Related: SYS#5995
Change-Id: I5cb740702805693cc7f0a550e2e093f9bfdd507c
2022-06-13 13:51:55 +02:00
Pau Espin f62e01a077 tests/iuup: Showcase IuUP stack not answering subsequent Init msgs
This test shows a bug in IuUP stack which makes it only handle the first
Initialization IuUP message. After it moves to SMpSDU, it stops handling
Initialization messages.
A fix is provided in a follow up patch.

Related: SYS#5995
Change-Id: I72c2c2d88f158f3ef35724fcb73854a1827aaab4
2022-06-13 13:14:28 +02:00
Pau Espin 8d7bf4b053 iuup: Drop unused events
Those events are not really used there and they are not even present in
the FSM definition. Let's drop them.

Change-Id: I4beec96ac4bdf047ebf144a8b009b297b47cacdc
2022-06-13 13:13:59 +02:00
Pau Espin 0664a3e60f iuup: Add missing state to bitmask for st SMpSDU_Data_Transfer_Ready
The event is expected since the user of the IuUP stack can send a
CONFIGURE.req to transition to state null. The handling was already
there in the function, but the bit was missing in the FSM definition.

Change-Id: I830835a5b8b98f8b91b866f5280f508098c9ae7e
2022-06-13 13:12:31 +02:00
Pau Espin 0cdd0abd53 cbsp: Add enum and value string for Cause
Change-Id: I35592bb4fff2e7b442d0e0cd537b66687862baf2
2022-06-09 18:17:43 +02:00
Pau Espin 6d6d22ea34 iuup: Fix IPTIs_present not set to 0 if no IPTIs received
Related: SYS#5969
Change-Id: I503dc509ad8619f13cd83ae03261a2297e2b9fc7
2022-05-27 14:30:30 +02:00
Vadim Yanitskiy b57e6392fb coding: separate gsm0503_tch_a[fh]s_decode_inband()
These functions can be re-used for parsing in-band data from DTX
specific frames like SID_FIRST, SID_UPDATE, SID_ONSET, etc.

Change-Id: I0106de7a7f87517006e323299b2dc08457d1c6cf
Related: OS#5570
2022-05-27 08:31:30 +00:00
Vadim Yanitskiy cc4213e927 coding: add gsm0503_detect_a[fh]s_dtx_frame2()
The new functions accept an additional mode_id pointer, which is
currently set for the following frames: AFS_ONSET, AHS_ONSET,
AHS_SID_FIRST_P2 with N * 16 - M bit pattern.

Also, the new API accepts soft-bits instead of hard-bits.
Converting bits from soft to hard is now performed internally.

Change-Id: Ibcac395f800bb64150c97fcdaca3523ecfc5fcee
Related: OS#5570
2022-05-27 08:31:30 +00:00
Pau Espin fe1dcebe3a cosmetic: iuup.h: Fix indentation
Change-Id: I10a2d2a872fd6fdae8b4af94995300af3144b551
2022-05-25 19:43:13 +02:00
Pau Espin 510f4c9d63 iuup: Rework API to support RFCI IDs != RFCI index
The initially merged IuUP API and implementation assumed that RFCI with
ID was always in the position of its ID inside the list of RFCIs. This
was the case for messages sent by ip.access nano3g as well as our own
osmocom implementation. However it was noticed that other nodes from
other vendors actually use other order, as allowed by the IuUP message
format.
Hence, we need to break the assumption and provide explicit ID
information in the list.

NOTICE: This commit breaks API and ABI compatibility with older versions
of libosmogsm, but not with any previous release of libosmocore since
the API is only available in master so far (it was added in
9fe1f9fb0b).
Similarly, its only user (osmo-mgw) only uses the API in master, so
there's no API breakage with older releases.

Related: SYS#5969
Change-Id: Ib21cee2e30bf83dff4e167f79541796007af9845
2022-05-25 14:10:17 +00:00
Vadim Yanitskiy d6dca0c2f9 coding: do not reset codec ID on receipt of DTX frames
Parsing of CMI/CMC/CMR from AMR's special DTX frames is currently
not implemented.  It's better to keep the old stored value rather
than resetting it to 0 every time we receive such a frame.
Add TODO comments for each DTX frame type.

Change-Id: Ic4edbb8ab873fe0bdd69a8710803628bc4f447d0
Related: OS#5570
2022-05-25 13:34:31 +00:00
Vadim Yanitskiy 7790459c8e coding: fix decoding of AHS_SID_UPDATE frames (BER ~50%)
As was demonstrated in [1], there is a TCH/AHS specific problem in
libosmocoding causing unexpected BER ~50% in decoded AHS_SID_UPDATE
frames.  The reason is that A[H]S_SID_UPDATE employs quite tricky
interleaving algorithm, which is different from the algorithm used
by normal TCH/AHS speech frames or A[F]S_SID_UPDATE frames.

An AHS_SID_UPDATE frame consists of two halves (228 bits each):

  +---------+--------------------|---------+--------------------+
  | in-band |     SID marker     | in-band |     coded data     |
  +---------+--------------------|---------+--------------------+
  | 16 bits |      212 bits      | 16 bits |      212 bits      |

The first half contains coded in-band signalling data (16 bits) and
the identification marker (212 bits), which allows detecting that
it's an AHS_SID_UPDATE.  This half is carried by even bits of the
first two bursts and odd bits of the last two bursts.

The other half also contains the in-band data (16 bits), while the
remaining 212 bits contain encoded SID_UPDATE (212 bits).  This
half is carried by even bits of the last two bursts and odd bits
of the first two bursts.

Current implementation does not use odd bits of the first two
bursts at all, so buffer cB[] in gsm0503_tch_ahs_decode_dtx()
contains only 114 out of 228 bits.

This patch changes the logic, so that gsm0503_tch_ahs_decode_dtx()
would not split AHS_SID_UPDATE onto two frames anymore like its
TCH/AFS equivalent does, but attempt to deinterleave the second
half and attempt to decode the payload immediately.

Change-Id: I8686d895e96fa0e606c1898b6574cc80a8f46983
Related: [1] I434157e2091a306c039123cea08d84bd8533c937
Related: SYS#5853
2022-05-25 13:34:31 +00:00
Philipp Maier 9802c14489 reader: more meaningful null pointer check in get_sw
At the moment msgb_apdu_de(resp) is used to check if the msgb that is
handed over to get_sw is properly populated with data.

However, since msgb_apdu_de() is just adding an offset, which cannot be
0 to ->l2h the returned value also can never be NULL. This means that we
cannot use msgb_apdu_de() to detect if resp contains a nullpointer.

Let's check if ->l2h is not NULL instead. This will make sure that ->l2h
is populated.

Change-Id: I32bc56c9264c01911a4f4b4f911b09e955205010
Related: OS#5560
2022-05-24 17:59:40 +02:00
Vadim Yanitskiy 32aff359ae tests/dtx: test tagging of FACCH/[FH] frames
This patch adds a new test confirming that [1] actually fixes the bug.

Change-Id: I3d295a15d4446b3e440fbf4c90a1688d6c7275ae
Related: [1] I2e6f4b748c6445725211e264ab5f3f5a2712087a
Related: SYS#5853
2022-05-19 20:25:53 +03:00
Vadim Yanitskiy f673fd59c1 tests/dtx: test detection/decoding of A[FH]S_SID_UPDATE
This patch extends the existing unit test coverage for AMR's special
DTX frames.  The new tests confirm that the problem with unexpected
BER in decoded AFS_SID_UPDATE frames has been actually fixed [1].

Additionally this patch demonstrates another TCH/AHS specific problem,
which negatively affects RxQual-SUB measurements in osmo-bts-trx: the
actual content of AHS_SID_UPDATE_CN is decoded with ~50% BER, because
the burst buffer contains only half of the burst bits.

Change-Id: I434157e2091a306c039123cea08d84bd8533c937
Related: [1] I813081a4c0865958eee2496fe251ae17235ac842
Related: SYS#5853
2022-05-19 20:20:58 +03:00
Harald Welte b17cc809fb fsm_vty: use unsigned int when left-shifting 31 bits!
fsm_vty.c:64:8: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

Change-Id: I637bce52fae947922cbb8642a0313d174c827422
2022-05-17 09:09:19 +00:00
Vadim Yanitskiy a2bee8bc88 coding: prevent marking FACCH frames as AMR's special DTX frames
Both gsm0503_tch_a[fh]s_decode_dtx() functions accept an optional
'dtx' pointer, which is used to indicate type of a received AMR
block to the caller in DTX mode of operation.  If not NULL, it's
expected to be updated by gsm0503_detect_a[fh]s_dtx_frame() every
time one of the mentioned functions is called.

However, in case of FACCH both functions return early, so the value
of dtx remains unchanged and thus FACCH frames may be misinterpreted
as AMR's special DTX frames.  This is rather critical during the DTX
silence periods, when all special DTX frames (e.g. SID_UPDATE) are
being treated as SUB frames.  Each unsuccessful FACCH decoding
attempt will 'poison' SUB measurements, causing unexpected RxQual-
SUB values in the Uplink measurement reports.

Fix this by resetting *dtx to AMR_OTHER in the FACCH specific path.

Change-Id: I2e6f4b748c6445725211e264ab5f3f5a2712087a
Related: SYS#5853
2022-05-16 20:13:13 +03:00
Vadim Yanitskiy 71e8091c9d coding: properly handle AFS_SID_UPDATE frames in DTX mode
There are two similar values in enum gsm0503_amr_dtx_frames:

  * AFS_SID_UPDATE - precursor of SID UPDATE,
  * AFS_SID_UPDATE_CN - the actual SID UPDATE.

The former is internally used by libosmocoding to mark the current
frame as a precursor of the actual SID UPDATE frame - the latter.

  +---+---+---+---+---+---+---+---+
  | _ | _ | _ | _ | a | b | c | d |  AFS_SID_UPDATE
  +---+---+---+---+---+---+---+---+
  | a | b | c | d | _ | _ | _ | _ |  AFS_SID_UPDATE_CN
  +---+---+---+---+---+---+---+---+

This is required because function gsm0503_tch_afs_decode_dtx() is
invoked by TDMA scheduler on every 4th received burst, while the
burst buffer is 8 bursts wide.

Currently, whenever gsm0503_detect_afs_dtx_frame() detects an
AFS_SID_UPDATE frame, we still attempt to decode it as a speech
or data below in gsm0503_tch_afs_decode_dtx().  This is indeed
a bug, which results in unexpected BER values:

  * expected BER 0/212,
  * actual BER 252/448.

We should return immediately once we have detected an AFS_SID_UPDATE.
This patch fixes unexpected BER-SUB values during DTXu silence periods.

Change-Id: I813081a4c0865958eee2496fe251ae17235ac842
Related: SYS#5853
2022-05-16 00:51:57 +03:00
Vadim Yanitskiy eebaccdae5 coding: use switch statement in gsm0503_tch_a[fh]s_decode_dtx()
Change-Id: Ib63b6f582b305746c3618563f2f85128fffd8e90
Related: SYS#5853
2022-05-16 00:51:57 +03:00
Vadim Yanitskiy bf2d5e9b6f coding: cosmetic: move 'dtx_prev' to the scope where it's used
Change-Id: I147f44f1c071e53febeff425a0a7837a0ff10436
Related: SYS#5853
2022-05-16 00:51:30 +03:00
Pau Espin 6c58d155eb coding: Use ARRAY_SIZE macro
Change-Id: I6b7a2a3a7be6a1d92038ff3b249e539fcd0f639e
2022-05-13 14:09:43 +02:00
Pau Espin 7fba76608f osmo-arfcn: Fix false positive in gcc 12.1.0
The pointer is initialized in all its uses, however newer gcc warns
about it:
"""
inlined from ‘main’ at /libosmocore/utils/osmo-arfcn.c:144:16:
/usr/include/bits/stdlib-float.h:27:10: error: ‘param’ may be used uninitialized [-Werror=maybe-uninitialized]
"""

Change-Id: If3eff4ab14a7b2a950386244c9b5f2b9adb32f99
2022-05-13 13:20:48 +02:00
Pau Espin d2737e6027 coding: Refactor function to avoid gcc false positive warn
"""
/libosmocore/src/coding/gsm0503_coding.c: In function 'osmo_conv_decode_ber_punctured':
/libosmocore/src/coding/gsm0503_coding.c:563:31: error: 'coded_len' may be used uninitialized [-Werror=maybe-uninitialized]
  563 |                 *n_bits_total = coded_len;
      |                 ~~~~~~~~~~~~~~^~~~~~~~~~~
/libosmocore/src/coding/gsm0503_coding.c:541:21: note: 'coded_len' was declared here
  541 |         int res, i, coded_len;
      |                     ^~~~~~~~~
"""

This error is really a false positive. However, it is true that the code
used to be a bit more complex than required, since the 2 later conditions
could be inside the first one.
Let's simply do early termination to simplify the function, and get rid
of the gcc warning.

Change-Id: I31ebf0c4be61daf6395d9a9fac05c7fdceb8bcb9
2022-05-13 13:07:23 +02:00
Harald Welte 8f25fd27ed stats: don't try to save unknown stats reporter types
The point of having a public API to register further stats reporters
is to enable applications or other libraries to do so.  As we in
libosmocore don't know anything about the parameters of such a stats
reporter, don't try to do a partial save of them when saving the config
file.

Change-Id: I2986313375daec1c4959a6a914e3fb2980a5d7ca
2022-05-08 10:02:43 +02:00
Harald Welte e8e24c7be9 stats: Avoid NULL pointer deref in allocation failure paths.
We should either handle talloc returning NULL, or we should
OSMO_ASSERT().  Doing neither of the two is a bad idea.

Change-Id: I5e8d1cc22cf597f7f50c0f92bf86cb1f1413434c
2022-05-08 10:02:43 +02:00
Harald Welte 1e1436ce75 stats: Functions with no arguments should specify(void)
... otherwise callers might pass arbitrary arguments without raising
a compiler error or warning.

Change-Id: Ia2de1d13df5f00dcc42493090734a635029d76b5
2022-05-08 09:57:04 +02:00
Pau Espin 7ac0451ae8 gsm_12_21.h: Add header description pointing to TS files
Change-Id: I20d5bb659d84228a951b66228b7c172bce3ee929
2022-05-04 17:08:38 +02:00
Pau Espin 7813cc95aa gsm_12_21.h: Fix abis_nm_avail_state InTest and Failed values
This has always been wrong since at least libosmocore initial commit in
2010.

Change-Id: Ib854a1284fbd38951bb2d1cb3706c42ba7e14ccb
2022-05-04 17:08:34 +02:00
Sylvain Munaut 903705604a build: Disable libusb and libmnl for embedded builds
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Change-Id: Ie7900098ffda7cebfab81c08b25b0001e6fd98ec
2022-04-29 07:39:43 +00:00
Pau Espin 9d3cfeff3e cosmetic: logging.h: fix indentation
Change-Id: Ia7f43e061275da1a8233f90df173d1ae18691964
2022-04-28 14:53:21 +00:00
Vadim Yanitskiy f6fd0bb7f2 coding: fix comments for detect_afs_sid_{first,update,onset}
Change-Id: I42edc3caee09c1a4bebecc41e8be46914dc7f8ef
Related: SYS#5853
2022-04-28 13:03:00 +00:00
Harald Welte 3b007f86ac vty: Add a 'skip-zero' version of 'show stats' and 'show rate-counters'
In many cases, a lot of the counters are zero, and we're likely
not interested in those, but only the non-zero counters.  Add a version
of the 'show stats' command which dumps only those items with a non-zero
total value.

Change-Id: Ie4df1c139e3c82deca1dd3cdab5d3909e0513684
2022-04-28 06:05:29 +00:00
Vadim Yanitskiy be5e838dbb Use internal <osmocom/core/talloc.h> everywhere
Change-Id: If40e1eefcfa88a2b376becfe057836acdd3a1cc2
2022-04-27 12:42:15 +00:00
Pau Espin 1dac8756fd gsm: Introduce helper rach_tx_integer_raw2val()
Change-Id: I6ef085ee92b2064cb46fa5ec3ae98a0ca59ad599
2022-04-26 17:47:57 +02:00
Pau Espin b0c2f75665 jenkins: Validate gsm 08.58 IEs are added to tlv_definition
It was recently found that several IEs which were added in the header
file were not actually added to the tlv_definition, and hence the tlv
parser failed to decode them. Let's make sure we don't forget to add new
IEs in the future.

Related: SYS#5915

Change-Id: Id8a679ca43eb0fcc4882780e9a95ec21c7f51972
2022-04-05 17:38:25 +02:00
Pau Espin 388a53a8d7 rsl: Fix tlv_parse of IPAC_DLCX_IND message
The IE was missing in rsl_att_tlvdef.

Related: SYS#5915
Change-Id: Ib637197ef3508ec94aec05d08d4e6aa15ddea055
2022-04-05 17:32:41 +02:00
Daniel Willmann 767bfd8c87 bssgp_bvc_fsm: Add a hook to notify when a reset was acknowledged
There are cases where we want to be notified of a successful BVC reset,
e.g. for a signalling because we can then start resetting the PtP-BVCs.
With this hook it's now possible to do that.

Change-Id: If240dd13f0f674693018c93390386b2c8afb97af
Related: SYS#5908
2022-03-30 18:00:56 +02:00