1730 Commits

Author SHA1 Message Date
Harald Welte 513b2e3478 pseudotalloc: Simplistic wrapper of talloc_named()
The pseudotalloc layer doesn't yet support talloc_named() API
which will be used by the upcoming "context" change.  Let's add
this function to pseudotalloc.c for our arm-non-eabi builds.

Change-Id: I4d91ebd73a3357a17ef9143a1b41b90186d4c128
2019-07-31 10:16:07 +02:00
Harald Welte dbdd4f0273 avoid gcc format error on embedded builds
when using gcc 8.3.0 on Debian unstable and doing an embedded build,
I'm getting the following error:

> fsm.c:621:40: error: format '%ld' expects argument of type
> 'long int', but argument 6 has type 'time_t {aka long long int}'
> [-Werror=format=]

Let's avoid that...

Change-Id: I92fb9b08def8475739f0dc6316de43b166f48ac3
2019-07-31 09:59:11 +02:00
Vadim Yanitskiy 8c00f9d753 vty/vty.c: the command buffer can be accessed directly
Change-Id: Ic6d7d68e9a559a6fb5bd6eaf6eccceae51e7ed39
2019-07-30 17:17:15 +00:00
Vadim Yanitskiy 757dea8d4a vty/vty.c: fix vty_read(): prevent further heap-buffer overrun
After reading data from the socket, assigned to a given VTY, we
need to '\0'-terminate the received string. Otherwise, further
access to that string, stored in a heap buffer vty->buf, would
lead to a heap overrun.

== How to reproduce?

  $ python -c "print 'A' * 512" | telnet $HOST $PORT

  ==21264==ERROR: AddressSanitizer: heap-buffer-overflow on address
                                    0x6190000211e0 at pc 0x000000435d2f
				    bp 0x7ffc06c7add0 sp 0x7ffc06c7a578
  READ of size 1025 at 0x6190000211e0 thread T0
    #0 0x435d2e in __interceptor_strlen (/usr/local/bin/osmo-msc+0x435d2e)
    #1 0x7fb95bfa5624 in talloc_strdup (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6624)
    #2 0x7fb95c1be2bc in vty_hist_add /opt/osmocom/libosmocore/src/vty/vty.c:578
    #3 0x7fb95c1be2bc in vty_execute /opt/osmocom/libosmocore/src/vty/vty.c:703
    #4 0x7fb95c1be2bc in vty_read /opt/osmocom/libosmocore/src/vty/vty.c:1425
    #5 0x7fb95c1bfd78 in client_data /opt/osmocom/libosmocore/src/vty/telnet_interface.c:157
    #6 0x7fb95b90bd33 in osmo_fd_disp_fds /opt/osmocom/libosmocore/src/select.c:223
    #7 0x7fb95b90bd33 in osmo_select_main /opt/osmocom/libosmocore/src/select.c:263
    #8 0x5006cc in main /opt/osmocom/osmo-msc/src/osmo-msc/msc_main.c:723:3
    #9 0x7fb959935f44 in __libc_start_main /build/eglibc-xkFqqE/eglibc-2.19/csu/libc-start.c:287
    #10 0x4226fb in _start (/usr/local/bin/osmo-msc+0x4226fb)

== Why exactly 512?

Because the initial size of the heap buffer is 512 (see VTY_BUFSIZ).
Later on it can be realloc()ated, so X > 512 should also work.

Found using AddressSanitizer and Radamsa [1] fuzzer.

[1] https://gitlab.com/akihe/radamsa

Change-Id: I82f774ad18d0e555eb8f3590a519946d9c583c78
2019-07-30 17:17:15 +00:00
Vadim Yanitskiy 74b6ff074b vty/telnet_interface.c: log connection accept() / close() events
Unfortunately, osmo_sock_get_name_buf() fails in telnet_close_client():

  DLGLOBAL INFO telnet_interface.c:130 Closing telnet connection <error-in-getsockname>

because getsockname(), getpeername(), and even close() fail with:

  "Bad file descriptor".

This looks like a bug of the existing code.

Change-Id: I77b31abfa159d2f269deaa5a08d94b7bbba7d23c
2019-07-30 17:17:15 +00:00
Vadim Yanitskiy 5c4b9850c2 vty/logging_vty.c: fix writing of 'print category-hex'
Change-Id: I33837f0fac1afe83596fa600916abc05ecb8c356
2019-07-30 12:42:47 +00:00
Vadim Yanitskiy a9a8ea5347 vty/telnet_interface.c: avoid unneeded initialization
Unconditional initialization follows the structure definition,
so there is no need to do it twice. This prevents compiler
from warning about potential errors.

Change-Id: If9fd2826f132dfa203dda62940d93dbdfcfd92ac
2019-07-27 21:58:55 +07:00
Vadim Yanitskiy 0ba357343b vty/telnet_interface.c: use DLGLOBAL logging sub-system
Change-Id: I1564f4714a33d36792e4982deb8f19d1b740dc0c
2019-07-27 21:47:59 +07:00
Vadim Yanitskiy 0d8da790df gsm/gsm48.h: drop meaningless 'const' from gsm48_mi_to_string()
Change-Id: I5eb17edadf89ac47b4ca86c9e822037f7c0e518e
2019-07-26 05:23:56 +00:00
Daniel Willmann 6f3bbd4b9f stats_vty: Add verb to sentence for show asciidoc counters
Change-Id: Ib444383d2074ddb89b3fe5bbf198bcbfabd7057f
2019-07-25 11:39:11 +02:00
Eric Wild eb5769b8b3 tell ubsan to ignore SUN_LEN
ubsan will report undefined behavior due to the SUN_LEN macro's interaction with a null pointer,
so let's tell ubsan to ignore this function. After carefully reviewing the final publicly
available drafts of the C99, C11 and C18 standards I can confirm that dereferencing null pointers
is still undefined behavior, as such ubsan will always warn with absolutely every existing compiler
version. Since the sanitizers are periodically synced between llvm and gcc I'm also fairly confident
that rebuilding everything with compiler_rt to use the integrated sanitizers would result in the same message.
I sincerely hope that this explanation proves to be sufficient. If not, I'd be willing to show up at
the next llvm dev meeting to provide quotes from actual sanitizer developers to back up these claims.

Change-Id: I0ff445072f1b46390c9f70b21d61c789e39358d5
2019-07-21 15:49:58 +00:00
Vadim Yanitskiy 1cc42f7b9e gsm/gsm0480.c: use DLGLOBAL and LOGL_ERROR for logging
Change-Id: Id38272ff93fae6d2fdf39df4ffc74856d6c9a898
2019-07-21 15:47:35 +00:00
Vadim Yanitskiy ec865ddb45 gsm/gsm0480.c: parse_ss(): drop needless debug print
Change-Id: Ie18c291d0cfe3b246d09ac6cfd9591951a2984c8
2019-07-21 15:47:35 +00:00
Harald Welte dd0d76be5f osmo_get_rand_id(): Avoid dead code by proper #if/#else/#endif
Change-Id: I34e465dead179487f7d4508e0e6ecf0e838c6eb7
Closes: CID#177910
2019-07-21 12:09:03 +02:00
Harald Welte cfd6ac6462 tdef: remove bogus OSMO_ASSERT(unsigned long >= 0)
Change-Id: I7a544d2d43b83135def296674f777e48fe5fd80a
Closes: CID#190866
2019-07-21 09:25:18 +02:00
Harald Welte c30d8be919 cbsp.c: Remove dead code
Change-Id: I0888fbad0f9094ec1b31e2cceecfc9cd372399bd
Closes: CID#202057
2019-07-21 07:59:42 +02:00
Harald Welte f72155a3a4 cbsp: Introduce osmo_cbsp_errstr
Rather than having the encoder/decoder library print some log
messages in case of encoding/decoding errors, let's provide something
akin to 'errno', but with a string instead of a numeric error code.

The 'osmo_cbsp_errstr' global variable (if set) contains a
human-readable string describing the most recent encoding/decoding error.

It exists separately for each thread and hence can be used safely in
multi-threaded environments.

Change-Id: Id9a5a595a76ba278647aee9470ded213d8464103
2019-07-20 12:11:28 +02:00
Harald Welte 07958e44ec CBSP (Cell Broadcast Service Protocol; 3GPP TS 48.049) support
This introduces definitions as well as a parser+encoder for the
Cell Broadcast Service Protocol (CBSP) as specified in 3GPP TS 48.049.

CBSP is used on the interface between CBC and BSC.

Related: OS#3537
Change-Id: I5b7ae08f67e415967b60ac4b824db9e22ca00935
2019-07-20 12:11:28 +02:00
Vadim Yanitskiy 00a55ae7fe bitvec/bitval2mask(): cosmetic: get rid of temporary int variable
Change-Id: I9d6f6b66c99c43107d1ad3e80af332e967bb19e8
2019-07-18 09:07:53 +00:00
Vadim Yanitskiy 74474cf8a6 osmo_gsm48_rest_octets_si3_decode(): fix copy-paste error in comment
Change-Id: I57a330e16cc2910597672e1b27cf971499cea5bc
2019-07-18 09:07:30 +00:00
Alexander Couzens 4e284b6379 utils.h: require a semi colon after OSMO_ASSERT
When using `OSMO_ASSERT(exp);` clang will warn about
an empty expression because the semi colon was superfluous.
Use do {} while (0) to enforce the need of a semi colon.
This might break other tests.

Change-Id: I2272d29a81496164bebd1696a694383a28a86434
2019-07-08 13:23:45 +00:00
Pau Espin e1e1ec31a3 vty: Simplify char escaping in asciidoc output
Change-Id: I7df6858bb98abffc1d5bf420f991ae5854b24638
2019-06-25 21:46:44 +00:00
Pau Espin 28a198f9c0 gsm: lapd_core: Log timeout used upon start of T200
The timeout is calculated dynamically in t200_by_lchan() based on FN
advance value estimated by bts_get_avg_fn_advance(), so it's informative
to have the final value printed out.

Change-Id: Ib50a9c23de881c66c9218833703cc41101e06bfd
2019-06-21 18:55:14 +02:00
Pau Espin 18e019e896 vty: Remove trailing whitespace in output from show asciidoc
Change-Id: Ifb3115c7488fbcf082cc9b92abc25cf7c46064e0
2019-06-19 14:26:23 +02:00
Alexander Couzens 76e8cbd8ab bitvec: correct comment in bitvec_alloc
The function allocates x bytes not bits for the vector.

Change-Id: I60fbe9fe9acd11c5d3232207f1bb677e8a98625f
2019-06-17 15:14:41 +00:00
Vadim Yanitskiy a08edff80c Revert "fsm.c: Print error message for FSM with allstate_action but no events"
This reverts commit b3f94eb39e, that
unfortunately breaks some projects which call osmo_fsm_register()
on DSO load (i.e. using __attribute__((constructor))) before the
logging is initialized.

Change-Id: Idc6fcce7e946c23d48589b920e309d60aa7b6645
2019-06-16 01:04:15 +07:00
Harald Welte b3f94eb39e fsm.c: Print error message for FSM with allstate_action but no events
As suggested by Vadim while reviewing a related fix for ipa_keepalive.c
in libosmo-abis (see https://gerrit.osmocom.org/#/c/libosmo-abis/+/13540/),
it makes sense to print an error message if anyone registers a FSM
that specifies an allstate_action callback but at the same time no
events that would ever end up in that callback.

Change-Id: I9e73f7363ab15a00843e3f0d1e5776f4be7ebc46
2019-06-15 10:54:26 +02:00
Pau Espin 32e6710487 vty: command.c: Fix: single-choice optional args are no longer passed incomplete to vty func
For instance, take command "single0 [one]":
If user executes "single0 on", VTY func will receive argv[0]="one"
instead of argv[0]="on".

Related: OS#4045
Change-Id: I5f4e2d16c62a2d22717989c6acc77450957168cb
2019-06-14 17:44:21 +02:00
Pau Espin 7e1b03f763 vty: command.c: Fix: multi-choice args are no longer passed incomplete to vty func
For instance, take command "multi0 (one|two|three)":
If user executes "multi0 tw", VTY func will receive argv[0]="two"
instead of argv[0]="tw".

Fixes: OS#4045
Change-Id: I91b6621ac3d87fda5412a9b415e7bfb4736c8a9a
2019-06-14 17:44:16 +02:00
Pau Espin 8930ace072 vty: command.c: Get rid of big indentation block
This block will become bigger in forthcoming commits.

Change-Id: Ibc1494014b1e77ce10950f7268a44d2d2091a6f2
2019-06-14 12:42:22 +02:00
Pau Espin c17c6d6ea5 command.c: Improve return check condition in cmd_execut_command_real()
Check against MAX argc is changed to == since it cannot be incremented
twice without passing the check.

Change-Id: Ia330e475989fda863bedcc3cbf94deaf8dd83037
2019-06-14 12:38:44 +02:00
Pau Espin cc794e993c logging: Use reentrant ctime_r instead of ctime
It was noticed that multithreaded processes like osmo-trx can crash upon
using ctime().

Related: OS#4055
Change-Id: I19ebf29a2f1fc855bb7d56766b338c7c3432dfd1
2019-06-13 19:35:11 +02:00
Pau Espin 3aef238980 logging: Check return error from time() call
Related: OS#4055
Change-Id: Ief155a76169426a677256e09d3e91751c4e2529f
2019-06-13 15:34:01 +00:00
Kevin Redon 1af2cd5624 fix isdigit taking unsigned as input
fixes the following error warnings when cross-compiling using:
./configure --enable-static --prefix=/usr/local/arm-none-eabi --host=arm-none-eabi --enable-embedded --disable-doxygen --disable-shared --disable-pseudotalloc --enable-external-tests CFLAGS="-Os -ffunction-sections -fdata-sections -nostartfiles -nodefaultlibs -Werror -Wno-error=deprecated -Wno-error=deprecated-declarations -Wno-error=cpp -mthumb -Os -mlong-calls -g3 -mcpu=cortex-m4 -mfloat-abi=softfp -mfpu=fpv4-sp-d16 -Wno-error=format"

utils.c:1002:18: error: array subscript has type 'char' [-Werror=char-subscripts]
 1002 |   if (!isdigit(in[i]))

gsm23003.c:414:34: error: array subscript has type 'char' [-Werror=char-subscripts]
  414 |  if (!mnc_str || !isdigit(mnc_str[0]) || strlen(mnc_str) > 3)

Change-Id: Ia13fd5ee79fc6dc3291c0b99958ab3c01afee17d
2019-06-13 13:49:30 +00:00
Pau Espin 274ac4dcc3 vty: command.c: Get rid of huge indentation block
Huge conditional block inside for loop is negated in this patch
together with a "continue" keyword, similar to what was already done
recently in 4742526645.

Change-Id: I803c4ed38e9ab09bf929528c75a60e6f65da3928
2019-06-12 14:25:11 +00:00
Pau Espin de89099f68 cosmetic: vty: command.c: Use upper case for enum match_type value names
Makes code easier to follow because enum values no longer look like
variables.

Change-Id: Ib6e9592c5962d047869a280c10f9b557fae6f435
2019-06-12 14:25:11 +00:00
Vadim Yanitskiy d9fc6041e7 core/utils: drop meaningless const from return value of osmo_luhn()
Change-Id: I085da06f31a0a6862ae2ba041fafc134cc240f7e
2019-06-12 11:29:06 +00:00
Pau Espin 6df2e44404 vty: command.c: Fix is_cmd_ambiguous() returning always 0
inner block defined variable "enum match_type ret" was masking
outer block variable "int ret = 0". The ret variable was being given
non zero values only inside the inner block, so that change was done on
the inner variable and not the outer one, which is returned.

Fixes: 5314c513f2
Change-Id: Iec87d7db49a096d07e38ff8a060b923a52bfd6ba
2019-06-11 21:50:17 +02:00
Pau Espin 4742526645 vty: command.c: Get rid of huge indentation block
Huge conditional block inside for loop is negated in this patch
together with a "continue" keyword.

Change-Id: I9715734ed276f002fdc8c3b9742531ad36b2ef9e
2019-06-11 21:04:11 +02:00
Oliver Smith 186f878266 gsm48_decode_bcd_number2: fix ENOSPC edge case
Return ENOSPC if the decoding buffer is one byte too small, instead of
returning 0 and silently truncating the string. Add a new "truncated"
variable to detect if the loop breaks in the final iteration.

The string is not truncated if there is exactly one 0xf ('\0') higher
nibble remaining. This is covered by the existing test case "long
15-digit (maximum) MSISDN, limited buffer".

Related: OS#4049
Change-Id: Ie05900aca50cc7fe8a45d17844dbfcd905fd82fe
2019-06-07 11:01:51 +02:00
Harald Welte cb5e8312b6 fsm: Reduce amount of copy+pasted LOGPFSMSRC() statements
Instead of copy+pasting the same LOGPFSMSRC("State change to " ...)
with slightly different trailer depending on the FSM timer, let's first
snprintf() to a stack variable and then have a single log statement.

Change-Id: I49528c4ca1fa11aef09c2092615dccca450b847c
2019-06-05 10:01:20 +00:00
Harald Welte 7b74551b93 fsm: Allow millisecond granularity in osmo_fsm built-in timer
So far, the public API of osmo_fsm only allowed integral seconds as
timeout.  Let's change that to milli-seconds in order to cover more
use cases.

This introduces
* osmo_fsm_inst_state_chg_ms()
* osmo_fsm_inst_state_chg_keep_or_start_timer_ms()

Which both work exactly like their previous counterparts without the _ms
suffix - the only difference being that the timeout parameter is
specified in milli-seconds, not in seconds.

The value range for an unsigned long in milli-seconds even on a 32bit
platform extends to about 48 days.

This patch also removes the documentation notice about limiting the
maximum value to 0x7fffffff due to time_t signed-ness.  We don't use
time_t but unsigned long.

Change-Id: I35b330e460e80bb67376c77e997e464439ac5397
2019-06-05 10:01:20 +00:00
Harald Welte 7a56952307 lapd_core: Perform N200 retransmissions, not N200-1
During testing with BTS_Tests_LAPDm.TC_t200_n200() it was discovered
that the existing LAPD[m] implementation always gave up at N200-1
retransmissions, rather than N200 retransmissions.

The first transmission doesn't count, and hence we must have N200
actual re-transmissions.  The Error message is then described as
"T200 expired N200+1 times", i.e. we start T200 one more time after
the last re-transmission and only give up if it expires again (i.e.
no ACK received)

Change-Id: Ic33854ee61311f73b7db55eeef10280349151097
Related: OS4037
2019-06-05 10:01:20 +00:00
Harald Welte 20de6207c2 lapdm: Allow user to specify T200 values; Use correct N200 values
TS 04.06 specifies a N200 re-transmission counter that depends on the
channel type, which we didn't care about at all so far.  Let's have the
caller tell us the channel type so we can internally look up the correct
N200 value for it.

At the same time, permit the user to specify T200 re-transmission timer
values for each SAPI on both DCCH and ACCH, which is required at least
in the BTS as per GSM TS 12.21.  Also, extend the timer resolution of
the API from seconds to milli-seconds, which is more applicable as
particularly on the FACCH the recommended values are in the 200ms range.

Change-Id: I90fdc4dd4720d4e02213197c894eb0a55a39158c
Related: OS#3906
Related: OS#2294
Related: OS#4037
2019-06-05 10:01:20 +00:00
Harald Welte ef7be49a32 gsm0808_utils: Add gsm0808_decode_cell_id_u()
This function parses a single Cell ID list element into a
'union gsm0808_cell_id_u'.  This function is going to be used
by the upcoming CBSP support.

Related: OS#3537
Change-Id: I08b33881667aa32f01e53ccb70d44d5b79c7c986
2019-06-04 11:05:20 +02:00
Harald Welte 171ef826e1 make all library-internal static buffers thread-local
We have a number of library-internal static global buffers which are
mainly used for various stringification functions.  This worked as
all of the related Osmocom programs were strictly single-threaded.

Let's make those buffers at least thread-local.  This way every thread
gets their own set of buffers, and it's safe for multiple threads to
execute the same functions once.  They're of course still not
re-entrant.  If you need re-entrancy, you will need to use the _c()
or _buf() suffix version of those functions and work with your own
(stack or heap) buffers.

Change-Id: I50eb2436a7c1261d79a9d2955584dce92780ca07
2019-06-04 10:47:30 +02:00
Harald Welte 2e78f900cf lapdm: Don't truncate L3 payload at 200 bytes length
3GPP TS 04.06 is quite clear that the [segmented] L3 payload can be as
long as 251 bytes.  Our libosmocore lapdm implementation truncated
already at 200 bytes :(

Change-Id: I6769986f27dda1d429ed7b2e32c36d34663acba9
Closes: OS#4035
2019-06-02 08:17:59 +00:00
Vadim Yanitskiy b606d76813 socket.c: fix Doxygen doc for osmo_sock_unix_init_ofd()
One typo s/optionall/optionally/, and a few incorrect references.

Change-Id: Iab42aa376b5cf4cf36413fede46e001c6b2d1525
2019-06-01 19:03:07 +07:00
Vadim Yanitskiy f5781c9a88 vty/command.c: cosmetic: add missing curly brackets
Otherwise it's a bit hard to read the code.

Change-Id: I807ec71cfb67976251be844cdb2d2776b1837438
2019-06-01 02:27:16 +07:00
Vadim Yanitskiy 1dc82643c5 gsm48_encode_bcd_number(): clarify optional LHV header initialization
Change-Id: Iafd911dd55691b3715391e3899cd6971245c8d7f
2019-05-29 08:48:46 +00:00