msc: add f_tc_invalid_mgcp_crash
Make sure that osmo-msc doesn't crash if a successful CRCX response contains an invalid IP address. Originally/recently, osmo-msc did not validate the IP addresses at all. In an intermediate patch I added error handling, releasing the call. That uncovered a use-after-free problem in libosmo-mgcp-client. This problem is fixed by osmo_fsm_set_dealloc_ctx() and an osmo-mgw fix (see I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3 in osmo-mgw). Add this test to make sure the crash is not re-introduced. Change-Id: I0c76b0a7a33a96a39a242ecd387ba3769161cf7a
This commit is contained in:
parent
ba960a140d
commit
8df6962dec
|
@ -711,6 +711,7 @@ type record CallParameters {
|
|||
(f_mt_call and f_mt_call) */
|
||||
boolean stop_after_cc_setup, /* Special case: stop call establish after CC Setup */
|
||||
boolean ran_clear_when_alerting, /* Special case: send Clear upon CC Alerting */
|
||||
boolean expect_release, /* Special case: expect call establish to cause direct CC Rel */
|
||||
|
||||
MgcpCallId mgcp_call_id optional, /* MGCP Call ID; CallAgent allocated */
|
||||
MgcpEndpoint mgcp_ep optional /* MGCP Endpoint, CallAgent or MGW allocated */,
|
||||
|
@ -749,6 +750,7 @@ template (value) CallParameters t_CallParams(hexstring called := '12345'H, integ
|
|||
mgw_drop_dlcx := false,
|
||||
stop_after_cc_setup := false,
|
||||
ran_clear_when_alerting := false,
|
||||
expect_release := false,
|
||||
mgcp_call_id := omit,
|
||||
mgcp_ep := "rtpbridge/1@mgw",
|
||||
use_osmux := false,
|
||||
|
@ -1210,6 +1212,8 @@ runs on BSC_ConnHdlr {
|
|||
tr_BSSMAP_IE_AoIP_TLA4(f_inet_addr(cpars.mgw_conn_1.mgw_rtp_ip), ?);
|
||||
|
||||
var default mdcx := activate(as_optional_mgcp_mdcx(cpars.mgw_conn_2.mgw_rtp_ip, cpars.mgw_conn_2.mgw_rtp_port));
|
||||
var boolean got_mncc_setup_compl_ind := false;
|
||||
var boolean got_cc_connect := false;
|
||||
|
||||
interleave {
|
||||
[] MNCC.receive(tr_MNCC_SETUP_ind(?, tr_MNCC_number(hex2str(cpars.called_party)))) -> value mncc {
|
||||
|
@ -1347,15 +1351,27 @@ runs on BSC_ConnHdlr {
|
|||
|
||||
[] MNCC.receive(tr_MNCC_SETUP_COMPL_ind(?)) -> value mncc {
|
||||
log("f_mo_call_establish 8: rx MNCC SETUP COMPLETE ind");
|
||||
got_mncc_setup_compl_ind := true;
|
||||
if (not cpars.expect_release and got_cc_connect) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_CONNECT(cpars.transaction_id))) {
|
||||
log("f_mo_call_establish 10: rx CC CONNECT");
|
||||
BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_CONNECT_ACK(cpars.transaction_id)));
|
||||
got_cc_connect := true;
|
||||
if (not cpars.expect_release and got_mncc_setup_compl_ind) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_RELEASE(cpars.transaction_id))) {
|
||||
log("f_mo_call_establish 11: rx CC RELEASE");
|
||||
if (not cpars.expect_release) {
|
||||
setverdict(fail, "Got unexpected CC Release");
|
||||
mtc.stop;
|
||||
}
|
||||
f_expect_clear();
|
||||
break;
|
||||
}
|
||||
|
|
|
@ -5662,6 +5662,29 @@ testcase TC_lu_imsi_auth_tmsi_check_imei_early_err() runs on MTC_CT {
|
|||
vc_conn.done;
|
||||
}
|
||||
|
||||
friend function f_tc_invalid_mgcp_crash(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
|
||||
f_init_handler(pars);
|
||||
var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
|
||||
|
||||
/* Set invalid IP address so that osmo-msc discards the rtp_stream and MGCP endpoint FSM instances in the middle
|
||||
* of successful MGCP response dispatch. If things aren't safeguarded, the on_success() in osmo_mgcpc_ep_fsm
|
||||
* will cause a use-after-free after that event dispatch. */
|
||||
cpars.mgw_conn_1.mgw_rtp_ip := "0.0.0.0";
|
||||
cpars.mgw_conn_2.mgw_rtp_ip := "0.0.0.0";
|
||||
cpars.rtp_sdp_format := "FOO/8000";
|
||||
cpars.expect_release := true;
|
||||
|
||||
f_perform_lu();
|
||||
f_mo_call_establish(cpars);
|
||||
}
|
||||
testcase TC_invalid_mgcp_crash() runs on MTC_CT {
|
||||
var BSC_ConnHdlr vc_conn;
|
||||
f_init();
|
||||
|
||||
vc_conn := f_start_handler(refers(f_tc_invalid_mgcp_crash), 7);
|
||||
vc_conn.done;
|
||||
}
|
||||
|
||||
control {
|
||||
execute( TC_cr_before_reset() );
|
||||
execute( TC_lu_imsi_noauth_tmsi() );
|
||||
|
@ -5792,6 +5815,7 @@ control {
|
|||
if (mp_enable_osmux_test) {
|
||||
execute( TC_lu_and_mt_call_osmux() );
|
||||
}
|
||||
execute( TC_invalid_mgcp_crash() );
|
||||
}
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue