pespin has uploaded this change for review. (
https://gerrit.osmocom.org/c/osmo-hnbgw/+/39119?usp=email )
Change subject: map_sccp: Fix crash during ev MAP_SCCP_EV_RAN_DISC in st
MAP_SCCP_ST_WAIT_CC
......................................................................
map_sccp: Fix crash during ev MAP_SCCP_EV_RAN_DISC in st MAP_SCCP_ST_WAIT_CC
Recent commit changed event MAP_SCCP_EV_RAN_DISC to have a bool
parameter instead of a msgb pointer, however only code in state
MAP_SCCP_ST_CONNECTED was updated to account for the change; other
states were left checking the data ptr as if it was a msgb and crashed
while accessing mem address 0x1 (bool true) in msg_has_l2_data().
Fixes: 79589556244bf9cea6e8de8793a611f16e9052cd
Change-Id: If53dbd6b5a8abffcf94e6d666209954f17e9f9d7
---
M src/osmo-hnbgw/context_map_sccp.c
1 file changed, 29 insertions(+), 7 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/19/39119/1
diff --git a/src/osmo-hnbgw/context_map_sccp.c
b/src/osmo-hnbgw/context_map_sccp.c
index b39768d..c933e8d 100644
--- a/src/osmo-hnbgw/context_map_sccp.c
+++ b/src/osmo-hnbgw/context_map_sccp.c
@@ -265,11 +265,12 @@
static void map_sccp_init_action(struct osmo_fsm_inst *fi, uint32_t event,
void *data)
{
struct hnbgw_context_map *map = fi->priv;
- struct msgb *ranap_msg = data;
+ struct msgb *ranap_msg = NULL;
switch (event) {
case MAP_SCCP_EV_TX_DATA_REQUEST:
+ ranap_msg = data;
/* In the INIT state, the first MAP_SCCP_EV_TX_DATA_REQUEST
will be the RANAP message received from the
* RUA Connect message. Send the SCCP CR and transition to
WAIT_CC. */
if (tx_sccp_cr(fi, ranap_msg) == 0)
@@ -277,15 +278,22 @@
return;
case MAP_SCCP_EV_RAN_LINK_LOST:
- case MAP_SCCP_EV_RAN_DISC:
case MAP_SCCP_EV_USER_ABORT:
case MAP_SCCP_EV_CN_LINK_LOST:
+ ranap_msg = data;
/* No CR has been sent yet, just go to disconnected state. */
if (msg_has_l2_data(ranap_msg))
LOG_MAP(map, DLSCCP, LOGL_ERROR, "SCCP not connected,
cannot dispatch RANAP message\n");
map_sccp_fsm_state_chg(MAP_SCCP_ST_DISCONNECTED);
return;
+ case MAP_SCCP_EV_RAN_DISC:
+ /* bool rua_disconnect_err_condition = !!data; */
+ /* 3GPP TS 25.468 9.1.5: RUA has disconnected.
+ * In this state we didn't send an SCCP CR yet, so nothing to
be torn down on CN side. */
+ map_sccp_fsm_state_chg(MAP_SCCP_ST_DISCONNECTED);
+ return;
+
case MAP_SCCP_EV_RX_RELEASED:
/* SCCP RLSD received from CN. This will never happen since we
haven't even asked for a connection, but
* for completeness: */
@@ -300,31 +308,41 @@
static void map_sccp_wait_cc_action(struct osmo_fsm_inst *fi, uint32_t event,
void *data)
{
struct hnbgw_context_map *map = fi->priv;
- struct msgb *ranap_msg = data;
+ struct msgb *ranap_msg = NULL;
switch (event) {
case MAP_SCCP_EV_RX_CONNECTION_CONFIRM:
+ ranap_msg = data;
map_sccp_fsm_state_chg(MAP_SCCP_ST_CONNECTED);
/* Usually doesn't but if the SCCP CC contained data, forward
it to RUA */
handle_rx_sccp(fi, ranap_msg);
return;
case MAP_SCCP_EV_TX_DATA_REQUEST:
+ /* ranap_msg = data; */
LOGPFSML(fi, LOGL_ERROR, "Connection not yet confirmed, cannot
forward RANAP to CN\n");
return;
case MAP_SCCP_EV_RAN_LINK_LOST:
- case MAP_SCCP_EV_RAN_DISC:
case MAP_SCCP_EV_USER_ABORT:
case MAP_SCCP_EV_CN_LINK_LOST:
+ ranap_msg = data;
/* RUA connection was terminated. First wait for the CC before
releasing the SCCP conn. */
if (msg_has_l2_data(ranap_msg))
LOGPFSML(fi, LOGL_ERROR, "Connection not yet confirmed,
cannot forward RANAP to CN\n");
map->please_disconnect = true;
return;
+ case MAP_SCCP_EV_RAN_DISC:
+ /* bool rua_disconnect_err_condition = !!data; */
+ /* 3GPP TS 25.468 9.1.5: RUA has disconnected.
+ * In this state we didn't send an SCCP CR yet, so nothing to
be torn down on CN side. */
+ map->please_disconnect = true;
+ return;
+
case MAP_SCCP_EV_RX_RELEASED:
+ ranap_msg = data;
/* SCCP RLSD received from CN. This will never happen since we
haven't even received a Connection
* Confirmed, but for completeness: */
handle_rx_sccp(fi, ranap_msg);
@@ -349,7 +367,7 @@
static void map_sccp_connected_action(struct osmo_fsm_inst *fi, uint32_t
event, void *data)
{
- struct msgb *ranap_msg;
+ struct msgb *ranap_msg = NULL;
bool rua_disconnect_err_condition;
switch (event) {
@@ -432,11 +450,12 @@
static void map_sccp_wait_rlsd_action(struct osmo_fsm_inst *fi, uint32_t
event, void *data)
{
- struct msgb *ranap_msg = data;
+ struct msgb *ranap_msg = NULL;
switch (event) {
case MAP_SCCP_EV_RX_RELEASED:
+ ranap_msg = data;
/* The CN sends the expected SCCP RLSD.
* Usually there is no data, but if there is just forward it.
* Usually RUA is already disconnected, but let the RUA FSM
decide about that. */
@@ -445,12 +464,13 @@
return;
case MAP_SCCP_EV_RX_DATA_INDICATION:
+ ranap_msg = data;
/* RUA is probably already disconnected, but let the RUA FSM
decide about that. */
handle_rx_sccp(fi, ranap_msg);
return;
case MAP_SCCP_EV_TX_DATA_REQUEST:
- case MAP_SCCP_EV_RAN_DISC:
+ ranap_msg = data;
/* Normally, RUA would already disconnected, but since SCCP is
officially still connected, we can still
* forward messages there. Already waiting for CN to send the
SCCP RLSD. If there is a message, forward
* it, and just continue to time out on the SCCP RLSD. */
@@ -458,6 +478,7 @@
return;
case MAP_SCCP_EV_RX_CONNECTION_CONFIRM:
+ ranap_msg = data;
/* Already connected. Unusual, but if there is data just
forward it. */
LOGPFSML(fi, LOGL_ERROR, "Already connected, but received SCCP
CC\n");
handle_rx_sccp(fi, ranap_msg);
@@ -466,6 +487,7 @@
case MAP_SCCP_EV_RAN_LINK_LOST:
case MAP_SCCP_EV_USER_ABORT:
case MAP_SCCP_EV_CN_LINK_LOST:
+ case MAP_SCCP_EV_RAN_DISC:
/* Stop waiting for RLSD, send RLSD now. */
tx_sccp_rlsd(fi);
map_sccp_fsm_state_chg(MAP_SCCP_ST_DISCONNECTED);
--
To view, visit https://gerrit.osmocom.org/c/osmo-hnbgw/+/39119?usp=email
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: If53dbd6b5a8abffcf94e6d666209954f17e9f9d7
Gerrit-Change-Number: 39119
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <[email protected]>
