The state check in lapd_dl_reset causes some buffers
never to be released. Using talloc report LAPD UA
message buffers are never released after each call
and cause a memory leak.
Change-Id: I2799b70623f2ec4dbc725eb213e332e98da02a3e
We don't really use state numbers without bounds check into string
tables since March 2010, when value_string became part of libosmocore.
It's time to catch up, 7 years later...
Change-Id: I1dac7b4cb441a1119cc167112521e8b8aae62e63
in lapd_t200_cb() The RELEASE INDICATION is transmitted before
the MDL ERROR INIDCATION, this prevents the MDL ERROR INDICATION
from being sent because the RELASE INDICATION close to connection
eraly. This commit puts the messages into the correct order.
Change-Id: Iae74777138fc27828f511e3aa321d1981861f4a5
when the lapd core is in state LAPD_STATE_SABM_SENT, and the
retransmission counter exceeds (link down) lapd_t200_cb() will
send an RELASE_INDICATION and an MDL_ERROR_INDICATION to L3.
This action is done before the state is processed. This seems
to be no problem with standard retransmission counts (n200),
but may cause timing problems that lead to deadlock states when
custom timer configurations are in use. (Ericsson RBS).
This commit moves the functions calls for sending the indications
mentioned above to the very end of the if branch to relax the
timing again. (See lapd_t200_cb())
Change-Id: I1c1beb3701b19744a3ce9946abca7767d20a0b6a
The debug output of lapd core has no references to the dl objects,
since we have multiple links, seeing which action is for which
object is impossible. This commit adds pointer references (dl=%p)
to each log line.
Change-Id: I3024d1cbd58631e2abac4ce5822528e2e6e15fda
When lapd_dl_flush_hist() was called before we actually had started a
transmit history from lapd_dl_init(), we woul segfault before this
patch.
Change-Id: Ifa677c9b335dd2884b4f3e44699d901957a0500b
If lapd_dl_flush_hist() is called after lapd_dl_exit(), dl->tx_hist has
already been free'd and set to NULL. Check for this before attempting
to de-reference a NULL pointer.
This bug breaks OpenBSC with any E1 based BTSs using DAHDI.
Change-Id: I117ba3445fa5e8097e21c11c5a6337de6ba46c7d
Related: OS#1760
If LAPDm receives an I-Frame while there already is an I-Frame in the
tx_queue the code generates an additional RR (to acknowledge the
received I-Frame). Instead, N(R) of the I-Frame in the tx_queue should
be updated to ACK the data.
When debugging an issue that involves SAPI=0 and SAPI=3 the
log file does not have enough context. Add the SAPI to this
message so we at least understand which SAPI we are talking
about.
if (ptr)
msgb_free(ptr)
extends to:
if (ptr)
talloc_free(ptr)
And according to the talloc documentation a talloc_free(NULL)
will not crash: "... Likewise, if "ptr" is NULL, then the function
will make no modifications and returns -1."
lapdm.c takes the re-establishment message and forwards it to lapd_core.c,
so we can assume that msgb is set at primitive. In case there is data in
the re-establishment msg, it is moved into send_buffer. In case of no
data (0 length), it must be freed.
Fixes an issue spotted by Coverity Scan.
If the datalink fails or if handover or assignment to a new channel fails,
it is re-establised by sending SABM again. The length of establish message
is 0 in this case. The length is used to differentiate between
re-establishment and contention resolution, which has to be handled
differently.
See TS 04.06 Chapter 5.4.2.1
When a SABM(E) frame arrives, we have to trim the L2 padding (0x2b for
gsm) before handing the data off to L3, just like we do with I frames.
Also, we should use mggb_trim() or even msgb_l3trim() instead of
manually fiddling with msgb->length and ->tail pointers.
After reception of SABM, the network responds with UA and enters the
establised multiframe state. If UA is not received by mobile, the SABM
is transmitted again, and the network must respond with UA again, unless
it is from a different mobile.
Add LAPDm collision test (contention resolution on network side).
DATA REQ with a msgb_l3len(msg) == 0 message does not make any
sense, log an error and return immediately before attempting to
send an empty I frame in lapd_send_i.
If a sequence error is received, the N(R) variable must still be used to
acknowledge previously transmitted frames.
If there are two subsequent sequence errors received, ignore it. (Ignore
every second subsequent error.) This happens if our reply with the REJ is
too slow, so the remote gets a T200 timeout and sends another frame with
a sequence error. Test showed that replying with two subsequent REJ
messages could the remote L2 process to abort. Replying too slow shouldn't
happen, but may happen over serial link between BB and LAPD.
Written-by: Andreas.Eversberg <jolly@eversberg.eu>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Instead of mixing together the GSM layer 1 interface and RSL interface
with the implementation of LAPD, the core function of LAPD is now
extracted from LAPDm. The core implementation is now in lapd_core.c
and lapd_core.h respectively.
The lapd_core.c implements exactly one datalink instance for one SAP.
The surrounding implementation "lapdm.c" codes/decodes the layer 2
headers and handles multiplexing and datalink instances, as well as
translates primitives from/to RSL layer.
lapd_core.c can now be used for other LAPD implementations. (ISDN/ABIS)
Thorsten Alteholz
Harald Welte
Philipp Maier
Neels Hofmeyr
Daniel Willmann
Sylvain Munaut