Compiled with ubuntu 1204 (precise), where -Wformat-security is enabled by
-Wall.
Test yields ok, but the current implementation doesn't properly support
multi-character separators and end strings. So the test output is truncated.
Addresses:
utils.c: In function 'vty_cmd_string_from_valstr':
utils.c:84:2: warning: format not a string literal and no format arguments [-Wformat-security]
utils.c:84:2: warning: format not a string literal and no format arguments [-Wformat-security]
utils.c:108:2: warning: format not a string literal and no format arguments [-Wformat-security]
utils.c:108:2: warning: format not a string literal and no format arguments [-Wformat-security]
The code most likely wanted to check the result of argv_concat.
To do this we need to dereference the dptr.
Logically dead code (DEADCODE)
dead_error_line: Execution cannot reach this statement "return 1;
Fixes: Coverity CID 1040675
lapdm.c takes the re-establishment message and forwards it to lapd_core.c,
so we can assume that msgb is set at primitive. In case there is data in
the re-establishment msg, it is moved into send_buffer. In case of no
data (0 length), it must be freed.
Fixes an issue spotted by Coverity Scan.
This reverts commit f996b05dbd
and 2b0cac4ef8. A detailed
explanation can be found here:
http://lists.osmocom.org/pipermail/openbsc/2013-July/004737.html
The short description is that:
1.) The API should return (as out parameter) the number of
octets used.
2.) The handling for the <CR> encoding only applies to USSD
and it is incomplete. On top of that it broke the SMS test.
To avoid the situation where the receiving entity confuses 7 binary zero pad
bits as the @ character, the carriage return or <CR> character shall be used
for padding in this situation.
If the datalink fails or if handover or assignment to a new channel fails,
it is re-establised by sending SABM again. The length of establish message
is 0 in this case. The length is used to differentiate between
re-establishment and contention resolution, which has to be handled
differently.
See TS 04.06 Chapter 5.4.2.1
It is impossible that the snprintf will fill the entire namebuf
but just follow the idiom to make sure it is null terminated.
Related: Coverity CID 1040676
These routines were not freeing vectors used for the lookup. On
review it is fixing another path not detected by coverity.
The danger is a double free in tab completion now. It is difficult
to test this.
Fixes: Coverity CID 23037, CID 23038
The &buf[3] is unlikely to be aligned properly. Use memcpy instead
of an assignment. Add a small testcase that verifies that I didn't
mess up the conversion.
Alignment trap: osmo-nitb (3293) PC=0x492b7094 Instr=0xe5803003 Address=0xbeb259db FSR 0x801
This already came up during review but now that Coverity complains
about it as well, let us just remove it. The variable is unsigned
so it can never be < 0.
Fixes: Coverity CID 1040669.
If the BTS tells us to not send any data at all anymore (bucket leak
rate of 0 bits per second), then we should respect this and not run into
a divide-by-zero. However, as this indicates complete overload, we
print a log message to that regard.
When a SABM(E) frame arrives, we have to trim the L2 padding (0x2b for
gsm) before handing the data off to L3, just like we do with I frames.
Also, we should use mggb_trim() or even msgb_l3trim() instead of
manually fiddling with msgb->length and ->tail pointers.
After reception of SABM, the network responds with UA and enters the
establised multiframe state. If UA is not received by mobile, the SABM
is transmitted again, and the network must respond with UA again, unless
it is from a different mobile.
Add LAPDm collision test (contention resolution on network side).
Only the Gb library relies on having undefined references to a
symbol that needs to be provided by the host application. For
all other libraries we can link with -no-undefined.
Seems the script I used to parse those had a bug where range of
bits in the 'decreasing' direction ( like 6..0 ) were not processed
properly.
Thanks to Andreas for noticing this !
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Commit cd6ed82d1f made "EVERYTHING"
map to LOGL_DEBUG but when writing out the configuration the following
would be written:
logging level all unknown 0x0
This happend because no string was found for the value 0. Address it
by adding a legacy check for 0 and write out the str from the index
0. Currently this is "EVERYTHING".
The log target can be used via log alarms and show alarms.
Why? This feature was proposed/requested at
http://openbsc.osmocom.org/trac/wiki/Tasks/ErrorLogTarget
All messages use the same amount of space, prioritizing simplicity.
The log target can be used via log alarms and show alarms.
Why? This feature was proposed/requested at
http://openbsc.osmocom.org/trac/wiki/Tasks/ErrorLogTarget
All messages use the same amount of space, prioritizing simplicity.
As Holger points out "logging level XXX everything" wasn't working, as
it sets category->loglevel to 0, which is checked in osmo_vlogp() and
will never get logged.
This hides HIDDEN or DEPRECATED commands from showing up when the
full list of commands is inquired with '?' at any given point in the
command tree. Only if the hidden/deprecated command is already typed
in partially, then it will still tab-complete.
this will avoid printing 'abis_nm.c' as the filename in the log, which
is pretty useless during debugging. We want to know where
abis_nm_debugp_foh() is being used from, not where it is implemented.
We used 1ULL at one place and not the other ... at the same time,
we now use (uintXX_t) so that the proper type is used each time.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
getaddrinfo returns EAI_SERVICE (-8) if that combination is used.
More information available in here:
http://sourceware.org/bugzilla/show_bug.cgi?id=15015
Reported by Holger Hans Peter Freyther.
While at it, this patch also removes hints.ai_flags = 0 as memset
to zero already happened just a bit before that.
This is essentially http://patchwork.diac24.net/patch/271/ forward
ported to libosmovty
Original-by: Paul Jakma <paul@quagga.net>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
The second loop in osmo_revbytebits_buf() in src/bits.c grabs
4 bytes each iteration, which can easily go past the supplied
input in some cases.
Compiled with -fstack-protector , I get a "stack smashing detected"
in the bits test.
From: Nils O. Selåsdal <noselasd@fiane.dyndns.org>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
This was found while implementing handover on a sysmobts. When we
receive a channel release request for a channel that was never really
activated (set_lapdm_context() was not called) we segfault in
lapd_recv_dlsap().
We now return early with -EINVAL in rslms_rx_rll() if we receive a
message that assumes set_lapdm_context() was already called.
These are:
* RSL_MT_UNIT_DATA_REQ
* RSL_MT_DATA_REQ
* RSL_MT_SUSP_REQ
* RSL_MT_REL_REQ
A test case was added to trigger the issue.
Holger Hans Peter Freyther
Harald Welte
Sylvain Munaut