msc: add f_tc_invalid_mgcp_crash

Make sure that osmo-msc doesn't crash if a successful CRCX response contains an
invalid IP address.

Originally/recently, osmo-msc did not validate the IP addresses at all. In an
intermediate patch I added error handling, releasing the call. That uncovered a
use-after-free problem in libosmo-mgcp-client. This problem is fixed by
osmo_fsm_set_dealloc_ctx() and an osmo-mgw fix (see
I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3 in osmo-mgw).

Add this test to make sure the crash is not re-introduced.

Change-Id: I0c76b0a7a33a96a39a242ecd387ba3769161cf7a

msc/BSC_ConnectionHandler.ttcn

@@ -711,6 +711,7 @@ type record CallParameters {
 							   (f_mt_call and f_mt_call) */
 	boolean stop_after_cc_setup,			/* Special case: stop call establish after CC Setup */
 	boolean ran_clear_when_alerting,		/* Special case: send Clear upon CC Alerting */
+	boolean expect_release,				/* Special case: expect call establish to cause direct CC Rel */
 
 	MgcpCallId mgcp_call_id optional,		/* MGCP Call ID; CallAgent allocated */
 	MgcpEndpoint mgcp_ep optional			/* MGCP Endpoint, CallAgent or MGW allocated */,
@@ -749,6 +750,7 @@ template (value) CallParameters t_CallParams(hexstring called := '12345'H, integ
 	mgw_drop_dlcx := false,
 	stop_after_cc_setup := false,
 	ran_clear_when_alerting := false,
+	expect_release := false,
 	mgcp_call_id := omit,
 	mgcp_ep := "rtpbridge/1@mgw",
 	use_osmux := false,
@@ -1210,6 +1212,8 @@ runs on BSC_ConnHdlr {
 		tr_BSSMAP_IE_AoIP_TLA4(f_inet_addr(cpars.mgw_conn_1.mgw_rtp_ip), ?);
 
 	var default mdcx := activate(as_optional_mgcp_mdcx(cpars.mgw_conn_2.mgw_rtp_ip, cpars.mgw_conn_2.mgw_rtp_port));
+	var boolean got_mncc_setup_compl_ind := false;
+	var boolean got_cc_connect := false;
 
 	interleave {
 	[] MNCC.receive(tr_MNCC_SETUP_ind(?, tr_MNCC_number(hex2str(cpars.called_party)))) -> value mncc {
@@ -1347,15 +1351,27 @@ runs on BSC_ConnHdlr {
 
 	[] MNCC.receive(tr_MNCC_SETUP_COMPL_ind(?)) -> value mncc {
 		log("f_mo_call_establish 8: rx MNCC SETUP COMPLETE ind");
+		got_mncc_setup_compl_ind := true;
+		if (not cpars.expect_release and got_cc_connect) {
+			break;
+		}
 		}
 
 	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_CONNECT(cpars.transaction_id))) {
 		log("f_mo_call_establish 10: rx CC CONNECT");
 		BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_CONNECT_ACK(cpars.transaction_id)));
+		got_cc_connect := true;
+		if (not cpars.expect_release and got_mncc_setup_compl_ind) {
+			break;
+		}
 		}
 
 	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_RELEASE(cpars.transaction_id))) {
 		log("f_mo_call_establish 11: rx CC RELEASE");
+		if (not cpars.expect_release) {
+			setverdict(fail, "Got unexpected CC Release");
+			mtc.stop;
+		}
 		f_expect_clear();
 		break;
 		}

msc/MSC_Tests.ttcn

@@ -5662,6 +5662,29 @@ testcase TC_lu_imsi_auth_tmsi_check_imei_early_err() runs on MTC_CT {
 	vc_conn.done;
 }
 
+friend function f_tc_invalid_mgcp_crash(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
+	f_init_handler(pars);
+	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
+
+	/* Set invalid IP address so that osmo-msc discards the rtp_stream and MGCP endpoint FSM instances in the middle
+	 * of successful MGCP response dispatch. If things aren't safeguarded, the on_success() in osmo_mgcpc_ep_fsm
+	 * will cause a use-after-free after that event dispatch. */
+	cpars.mgw_conn_1.mgw_rtp_ip := "0.0.0.0";
+	cpars.mgw_conn_2.mgw_rtp_ip := "0.0.0.0";
+	cpars.rtp_sdp_format := "FOO/8000";
+	cpars.expect_release := true;
+
+	f_perform_lu();
+	f_mo_call_establish(cpars);
+}
+testcase TC_invalid_mgcp_crash() runs on MTC_CT {
+	var BSC_ConnHdlr vc_conn;
+	f_init();
+
+	vc_conn := f_start_handler(refers(f_tc_invalid_mgcp_crash), 7);
+	vc_conn.done;
+}
+
 control {
 	execute( TC_cr_before_reset() );
 	execute( TC_lu_imsi_noauth_tmsi() );
@@ -5792,6 +5815,7 @@ control {
 	if (mp_enable_osmux_test) {
 		execute( TC_lu_and_mt_call_osmux() );
 	}
+	execute( TC_invalid_mgcp_crash() );
 }