When debugging an issue that involves SAPI=0 and SAPI=3 the
log file does not have enough context. Add the SAPI to this
message so we at least understand which SAPI we are talking
about.
Currently it takes 3s to establish a SAPI 3 SACCH connection with
osmo-bts. This is due to the fact, that a broken SABME request is
sent first and and is ignored by the MS. Then, after a T200 timeout
(2s) the SABME command is sent again (this time correctly) and
answered by the MS.
The first SABME message is broken (it has a length field of 3 and
ends with 3 bytes from the tail of the original RSL message),
because of it is expected throughout lapdm.c that msg buffers
containing RSL have msg->l2h == msg->data. Some abis input drivers
fulfill this but IPA doesn't, thus the 3 bytes of the IPA header
are still part of the msg and confuse length computation.
Since internal fields of the msg are modified directly, this is
difficult to see.
This patch adds a new function msgb_pull_to_l3() that explicitely
skips over all headers prepending L3 and therefore resets l1h and
l2h. This function is then used instead of msgb_pull_l2h() which
only worked correctly when msg->l2h == msg->data. In addition,
code manipulating msg->tail and msg->len directly has been replaced
by calls to msgb_trim().
Note that this patch does not fix all issues of this case in the LADP
related code.
Ticket: SYS#192
Sponsored-by: On-Waves ehf
This function works like osmo_hexdump() and returns a static buffer
containing hex bytes along with markers for the layers.
Note that it uses osmo_hexdump() internally, thus a call to
msgb_hexdump() invalidates the buffer that has been returned by an
earlier call to osmo_hexdump(). In short: don't mix them in a single
call printf().
Sponsored-by: On-Waves ehf
Currently w[14]/w[15] and w[18]/w[19] are swapped in range 256 format
decoding in gsm48_decode_freq_list().
This patch fixes this.
Sponsored-by: On-Waves ehf
The legacy 7bit conversion functions (those without the '_n_' in the
name) gave wrong return values on 64 bit platforms due to unproper
signed/unsigned conversions and the usage of SIZE_MAX.
This patch fixes this by using a smaller max size (see
GSM_7BIT_LEGACY_MAX_BUFFER_SIZE, currently set to 64k) for the legacy
wrappers and by using unsigned int for max_septets.
In addition, there are tests now that check the return values of
legacy encoding and decoding.
Sponsored-by: On-Waves ehf
abis_nm_pchan4chcomb will return a pchan for a given channel
combination but returned a value of the channel combination.
Fix it to return the physical channel combination.
Fixes: Coverity CID 1040767
In the osmo-bts and libosmo-abis code the hexdump routine is used
for every incoming/outgoing packet (including voice frames) and the
usage of snprintf showed up inside profiles.
There is a semantic change when more than 4096 characters are used.
The code will now truncate at byte boundaries (and not nibbles).
Code:
static const int lengths[] = { 23, 1000, 52 };
char buf[4096];
int i;
for (i = 0; i < 30000; ++i)
char *res = osmo_hexdump(buf, lengths[i & 3]);
Results:
before: after:
real 0m3.233s real 0m0.085s
user 0m3.212s user 0m0.084s
sys 0m0.000s sys 0m0.000s
The filter_fn has not been copied into the new structure breaking
the imsi and other filters in OpenBSC. Looking at the code we should
also introduce a callback for the reset of the context so we could
use subscr_get/subscr_put on the subscriber structure.
Okay. this comment thing has not worked (I totally forgot about it).
I think either we try to find ABI breakages with tools or we use
#error macros and check for a version...
Currently the field nsvci_is_valid is set to 0 in the NSVC object
returned by gprs_nsvc_create(). This was a semantic change probably
introduced by commit 5e6d679d. As a result, NSVC created via the VTY
have this flag set to 0 causing RESET_ACK messages to be rejected.
This patch changes the default behaviour of gprs_nsvc_create() to
always set this flag. So it must be set to 0 explicitely if needed
which is more intuitive and thus less error prone.
It fixes breaking connections from the Gbproxy to the SGSN.
Ticket: OW#874
Sponsored-by: On-Waves ehf
Currently those messages are answered by a NS_STATUS message when
received on an uninitialised (no NS_RESET hat been seen yet) NS_VC
which violates GPP TS 08.16 7.3.1 and 7.4.1.
This patch adds checks to gprs_ns_vc_create() and eventually returns
before the error NS_STATUS message is generated.
Sponsored-by: On-Waves ehf
When a RESET is received on the same link with a different NSVCI from
a BSS on a dynamically created NS connection do not patch the nsvc
object but create a new one instead. Thus the NSVCI is never modified
at a nsvc object after the NS-VC has been established.
Sponsored-by: On-Waves ehf
This modifies the NS stack's behavior to accept RESET and RESET_ACK
NSEI changes for NS-VC dynamically created by RESET messages from
BSSes. This feature is not used for NS-VC configured via VTY or NS-VC
to a SGSN.
Sponsored-by: On-Waves ehf
This changes the implementations for the reception of RESET and
RESET_ACK to be compatible with 3GPP TS 08.16, 7.3.1:
- Just send a RESET_ACK with correct values back to the SGSN when a
RESET with an invalid NSVCI or NSEI has been received.
- Check RESET_ACK for matching NSEI and NSVCI.
- Ignore unexpected RESET_ACKs.
In addition, use RESET_ACK from a BSS to update the BSS source
address based on the NSVCI to be tolerant with changing UDP source
addresses/ports.
Sponsored-by: On-Waves ehf
This fixes a SEGV error that happens the next time the statistics
are updated.
Addresses:
Program terminated with signal 11, Segmentation fault.
#0 0xb7711fa5 in rate_ctr_group_intv (grp=<optimized out>) at
rate_ctr.c:107
107 for (i = 0; i < grp->desc->num_ctr; i++) {
#0 0xb7711fa5 in rate_ctr_group_intv (grp=<optimized out>) at
rate_ctr.c:107
#1 rate_ctr_timer_cb (data=0x0) at rate_ctr.c:129
#2 0xb770ec59 in osmo_timers_update () at timer.c:243
#3 0xb770ef7a in osmo_select_main (polling=0) at select.c:133
#4 0x08049987 in main (argc=3, argv=0xbfba8084) at
gb_proxy_main.c:306
Sponsored-by: On-Waves ehf
This adds a 'nsvc nsvci <0-65535> (block|unblock|reset)' vty
command. It selects the NS-VC based on the nsvci instead of using the
first with a matching NSEI, like it is done when the 'nsei' keyword
is used instead.
Sponsored-by: On-Waves ehf
Under special circumstances (see below) receiving a NS-RESET leads to
duplicated NS-VC entries.
This happens when the source port of a NS-VC changes to a new one
that has already been used by another NS-VC.
This patch changes gprs_ns_rx_reset() to check for this case and to
use the existing NS-VC object. The NS-VC object that was associated
with the source address before is detached from this source but kept
in the NS-VC list so that it can be reattached when a correspondent
NS-RESET is received later on. Meanwhile it will have a cleared link
layer address which will not match a real link info.
A new counter NS_CTR_REPLACED is incremented each time when the NS-VC
object is replacing another one. A new signal S_NS_REPLACED is added
which gets dispatched in this case, too.
Another new counter NS_CTR_NSEI_CHG is incremented each time when the
NSEI of a NS-VC object (with fixed NSVCI) changes.
Ticket: OW#874
Sponsored-by: On-Waves ehf
Adds the functions gprs_ns_ll_copy() and gprs_ns_ll_clear(). Renames
gprs_ns_format_peer() to gprs_ns_ll_str(). All of these functions
uniformly access the link layer part within the NS-VC objects.
Sponsored-by: On-Waves ehf
Currently this first NS-VC with a matching NSEI is always used to
send a UNITDATA message via gprs_ns_sendmsg(). If the NS-VC found is
either dead or blocked, an error is returned.
This patch changes to code to skip blocked or dead NS-VCs while
searching and return the error if no usable NS-VC is found. This
makes it possible to have several NS-VCs per connection group.
Sponsored-by: On-Waves ehf
Register an osmo signal handler to print a short notice about every
SS_L_NS signal that is generated while processing the tests.
Sponsored-by: On-Waves ehf
The testcase didn't work on Ubuntu 12.04 because vty_create will
directly call vty_event (e.g. not through the plt). This means
that the approach to override vty_event in the testcase failed.
Use the signal interface of libosmocore and make the testcase
use it. The signals can be generally useful as well.
Currently when a NS-RESET is recevied over a link that has not yet
been associated with a NS-VC, the NSEI is used to find an existing
NS-VC. If one is found, the reset procedure is initiated.
This behaviour is not conformant with 3GPP TS 08.16 (see chapter
4.2.3) which allows to use several NS-VC between two endpoints in
parallel.
The patch changes the implementation to use the NSVCI instead
of the NSEI to search for an existing NS-VC object.
Ticket: OW#874
Sponsored-by: On-Waves ehf
According to 3GPP TS 08.16, 7.3 "Reset procedure" the entity
receiving a NS-RESET PDU responds with a NS-RESET-ACK and 'then'
starts the test procedure which essentially means, that a NS-ALIVE
gets sent and a timer is started.
Currently the NS-ALIVE is sent before the NS-RESET-ACK.
This patch fixes the implementation by reversing the order in which
these messages are sent.
Sponsored-by: On-Waves ehf
This patch refactors gprs_ns_rcvmsg() by moving the parts relevant to
the NS messages into the new functions gprs_ns_vc_create() (nsvc
object creation) and gprs_ns_process_msg() (main NS automaton). These
do not contain code that directly depends on the link layer (they
call other functions that still do). This reduces the gprs_ns_rcvmsg()
function to calling these two functions and optionally setting up the
link layer specific fields of the nsvc.
Sponsored-by: On-Waves ehf
This information element has been added to the MM Information
message in GSM24.008. This patch adds it to the tlv_definition
to keep the TLV parser from breaking.
Ticket: OW#978
This patch removes an assertion of node > CONFIG_NODE and changes
the function to handle all nodes properly.
For the sake of completeness, the generic 'exit' command
implementation is extended to work properly with all nodes, too.
This adds the vty_install_default() function that is basically the
install_default() function plus the registration of the commands
'exit' and 'end'. The latter is only provided in subnodes of
ENABLED_NODE and CONFIG_NONE.
The VTY test program is extended to check these commands.
Ticket: OW#952
The number of digits is the number of used octets times two (two
digits per octet). The result has been successfully dissected by
wireshark. It has not been tested with real phones.
The 7bit<->8bit encoding/decoding functions didn't check whether
there is still enough space in the destination buffer. Therefore a
buffer size parameter has been added to each of the functions which
is used to truncate the output if the buffer is too small.
In addition, the return value of the decoding functions has been
changed to number of characters written (excluding \0), so this
value is always equal to strlen(decoded).
The old functions are still available as wrapper functions.
if (ptr)
msgb_free(ptr)
extends to:
if (ptr)
talloc_free(ptr)
And according to the talloc documentation a talloc_free(NULL)
will not crash: "... Likewise, if "ptr" is NULL, then the function
will make no modifications and returns -1."
Handling 7-bit coding is a little different for USSD, as TS 03.38
states:
To avoid the situation where the receiving entity confuses 7 binary
zero pad bits as the @ character, the carriage return or <CR>
character shall be used for padding in this situation [...].
If <CR> is intended to be the last character and the message
(including the wanted <CR>) ends on an octet boundary, then another
<CR> must be added together with a padding bit 0. The receiving entity
will perform the carriage return function twice, but this will not
result in misoperation as the definition of <CR> [...] is identical to
the definition of <CR><CR>.
The receiving entity shall remove the final <CR> character where the
message ends on an octet boundary with <CR> as the last character.
Jacob has verified the fix with fakeBTS and the wireshark dissector.
Fixes: OW#947
Reviewed-by: Jacob Erlbeck <jerlbeck@sysmocom.de>
Compiled with ubuntu 1204 (precise), where -Wformat-security is enabled by
-Wall.
Test yields ok, but the current implementation doesn't properly support
multi-character separators and end strings. So the test output is truncated.
Addresses:
utils.c: In function 'vty_cmd_string_from_valstr':
utils.c:84:2: warning: format not a string literal and no format arguments [-Wformat-security]
utils.c:84:2: warning: format not a string literal and no format arguments [-Wformat-security]
utils.c:108:2: warning: format not a string literal and no format arguments [-Wformat-security]
utils.c:108:2: warning: format not a string literal and no format arguments [-Wformat-security]
The code most likely wanted to check the result of argv_concat.
To do this we need to dereference the dptr.
Logically dead code (DEADCODE)
dead_error_line: Execution cannot reach this statement "return 1;
Fixes: Coverity CID 1040675
lapdm.c takes the re-establishment message and forwards it to lapd_core.c,
so we can assume that msgb is set at primitive. In case there is data in
the re-establishment msg, it is moved into send_buffer. In case of no
data (0 length), it must be freed.
Fixes an issue spotted by Coverity Scan.
This reverts commit f996b05dbd
and 2b0cac4ef8. A detailed
explanation can be found here:
http://lists.osmocom.org/pipermail/openbsc/2013-July/004737.html
The short description is that:
1.) The API should return (as out parameter) the number of
octets used.
2.) The handling for the <CR> encoding only applies to USSD
and it is incomplete. On top of that it broke the SMS test.
To avoid the situation where the receiving entity confuses 7 binary zero pad
bits as the @ character, the carriage return or <CR> character shall be used
for padding in this situation.
If the datalink fails or if handover or assignment to a new channel fails,
it is re-establised by sending SABM again. The length of establish message
is 0 in this case. The length is used to differentiate between
re-establishment and contention resolution, which has to be handled
differently.
See TS 04.06 Chapter 5.4.2.1
It is impossible that the snprintf will fill the entire namebuf
but just follow the idiom to make sure it is null terminated.
Related: Coverity CID 1040676
These routines were not freeing vectors used for the lookup. On
review it is fixing another path not detected by coverity.
The danger is a double free in tab completion now. It is difficult
to test this.
Fixes: Coverity CID 23037, CID 23038
The &buf[3] is unlikely to be aligned properly. Use memcpy instead
of an assignment. Add a small testcase that verifies that I didn't
mess up the conversion.
Alignment trap: osmo-nitb (3293) PC=0x492b7094 Instr=0xe5803003 Address=0xbeb259db FSR 0x801
This already came up during review but now that Coverity complains
about it as well, let us just remove it. The variable is unsigned
so it can never be < 0.
Fixes: Coverity CID 1040669.
If the BTS tells us to not send any data at all anymore (bucket leak
rate of 0 bits per second), then we should respect this and not run into
a divide-by-zero. However, as this indicates complete overload, we
print a log message to that regard.
When a SABM(E) frame arrives, we have to trim the L2 padding (0x2b for
gsm) before handing the data off to L3, just like we do with I frames.
Also, we should use mggb_trim() or even msgb_l3trim() instead of
manually fiddling with msgb->length and ->tail pointers.
After reception of SABM, the network responds with UA and enters the
establised multiframe state. If UA is not received by mobile, the SABM
is transmitted again, and the network must respond with UA again, unless
it is from a different mobile.
Add LAPDm collision test (contention resolution on network side).
Only the Gb library relies on having undefined references to a
symbol that needs to be provided by the host application. For
all other libraries we can link with -no-undefined.
Seems the script I used to parse those had a bug where range of
bits in the 'decreasing' direction ( like 6..0 ) were not processed
properly.
Thanks to Andreas for noticing this !
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Commit cd6ed82d1f made "EVERYTHING"
map to LOGL_DEBUG but when writing out the configuration the following
would be written:
logging level all unknown 0x0
This happend because no string was found for the value 0. Address it
by adding a legacy check for 0 and write out the str from the index
0. Currently this is "EVERYTHING".
The log target can be used via log alarms and show alarms.
Why? This feature was proposed/requested at
http://openbsc.osmocom.org/trac/wiki/Tasks/ErrorLogTarget
All messages use the same amount of space, prioritizing simplicity.
The log target can be used via log alarms and show alarms.
Why? This feature was proposed/requested at
http://openbsc.osmocom.org/trac/wiki/Tasks/ErrorLogTarget
All messages use the same amount of space, prioritizing simplicity.
As Holger points out "logging level XXX everything" wasn't working, as
it sets category->loglevel to 0, which is checked in osmo_vlogp() and
will never get logged.
This hides HIDDEN or DEPRECATED commands from showing up when the
full list of commands is inquired with '?' at any given point in the
command tree. Only if the hidden/deprecated command is already typed
in partially, then it will still tab-complete.
this will avoid printing 'abis_nm.c' as the filename in the log, which
is pretty useless during debugging. We want to know where
abis_nm_debugp_foh() is being used from, not where it is implemented.
We used 1ULL at one place and not the other ... at the same time,
we now use (uintXX_t) so that the proper type is used each time.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
getaddrinfo returns EAI_SERVICE (-8) if that combination is used.
More information available in here:
http://sourceware.org/bugzilla/show_bug.cgi?id=15015
Reported by Holger Hans Peter Freyther.
While at it, this patch also removes hints.ai_flags = 0 as memset
to zero already happened just a bit before that.
This is essentially http://patchwork.diac24.net/patch/271/ forward
ported to libosmovty
Original-by: Paul Jakma <paul@quagga.net>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
The second loop in osmo_revbytebits_buf() in src/bits.c grabs
4 bytes each iteration, which can easily go past the supplied
input in some cases.
Compiled with -fstack-protector , I get a "stack smashing detected"
in the bits test.
From: Nils O. Selåsdal <noselasd@fiane.dyndns.org>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
This was found while implementing handover on a sysmobts. When we
receive a channel release request for a channel that was never really
activated (set_lapdm_context() was not called) we segfault in
lapd_recv_dlsap().
We now return early with -EINVAL in rslms_rx_rll() if we receive a
message that assumes set_lapdm_context() was already called.
These are:
* RSL_MT_UNIT_DATA_REQ
* RSL_MT_DATA_REQ
* RSL_MT_SUSP_REQ
* RSL_MT_REL_REQ
A test case was added to trigger the issue.
Daniel Willmann
Holger Hans Peter Freyther
Alexander Huemer
Harald Welte
Sylvain Munaut