| Commit message (Collapse) | Author | Age | Files | Lines |
Refuse state changes and event dispatch for FSM instances that are already
terminating.
It is assumed that refusing state changes and events after FSM termination is
seen as the sane expected behavior, hence this change in behavior is merged
without being configurable.
There is no fallout in current Osmocom code trees. fsm_dealloc_test needs a
changed expected output, since it is explicitly creating complex FSM structures
that terminate. Currently no other C test in Osmocom code needs adjusting.
Rationale:
Where multiple FSM instances are collaborating (like in osmo-bsc or osmo-msc),
a terminating FSM instance often causes events to be dispatched back to itself,
or causes state changes in FSM instances that are already terminating. That is
hard to avoid, since each FSM instance could be a cause of failure, and wants
to notify all the others of that, which in turn often choose to terminate.
Another use case: any function that dispatches events or state changes to more
than one FSM instance must be sure that after the first event dispatch, the
second FSM instance is in fact still allocated. Furthermore, if the second FSM
instance *has* terminated from the first dispatch, this often means that no
more actions should be taken. That could be done by an explicit check for
fsm->proc.terminating, but a more general solution is to do this check
internally in fsm.c.
In practice, I need this to avoid a crash in libosmo-mgcp-client, when an
on_success() event dispatch causes the MGCP endpoint FSM to deallocate. The
earlier dealloc-in-main-loop patch fixed part of it, but not all.
Change-Id: Ia81a0892f710db86bd977462730b69f0dcc78f8c
This is a simpler and more general solution to the problem so far solved by
osmo_fsm_term_safely(true). This extends use-after-free fixes to arbitrary
functions, not only FSM instances during termination.
The aim is to defer talloc_free() until back in the main loop.
Rationale: I discovered an osmo-msc use-after-free crash from an invalid
message, caused by this pattern:
    void event_action()
    {
        osmo_fsm_inst_dispatch(foo, FOO_EVENT, NULL);
        osmo_fsm_inst_dispatch(bar, BAR_EVENT, NULL);
    }
Usually, FOO_EVENT takes successful action, and afterwards we also notify bar.
However, in this particular case, FOO_EVENT caused failure, and the immediate
error handling directly terminated and deallocated bar. In such a case,
dispatching BAR_EVENT causes a use-after-free; this constituted a DoS vector
just from sending messages that cause *any* failure during the first event
dispatch.
Instead, when this is enabled, we do not deallocate 'foo' until event_action()
has returned back to the main loop.
Test: duplicate fsm_dealloc_test.c using this, and print the number of items
deallocated in each test loop, to ensure the feature works. We also verify that
the deallocation safety works simply by fsm_dealloc_test.c not crashing.
We should probably follow up by refusing event dispatch and state transitions
for FSM instances that are terminating or already terminated:
see I0adc13a1a998e953b6c850efa2761350dd07e03a.
Change-Id: Ief4dba9ea587c9b4aea69993e965fbb20fb80e78
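Added example (not libosmocore code, and not part of either commit): a minimal C model of the two behaviours described in the commit messages above, deferring deallocation until the main loop and refusing dispatch to an instance that is already terminating. It uses plain calloc()/free() instead of talloc, and every name in it (struct inst, inst_term, inst_dispatch, free_deferred) is hypothetical.

```c
/* Added illustration, not libosmocore code; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct inst {
    bool terminating;        /* set once termination has begun */
    int handled;             /* events actually processed */
    struct inst *next_free;  /* link in the deferred-free list */
};
static struct inst *deferred; /* instances waiting for the main loop */

/* Mark as terminating and queue for release; memory stays valid for now. */
static void inst_term(struct inst *fi)
{
    if (fi->terminating)
        return;              /* already queued, avoid a double free */
    fi->terminating = true;
    fi->next_free = deferred;
    deferred = fi;
}

/* Returns 0 if handled, -1 if refused because fi is terminating. */
static int inst_dispatch(struct inst *fi, struct inst *failed_peer)
{
    if (fi->terminating)
        return -1;
    fi->handled++;
    if (failed_peer)
        inst_term(failed_peer); /* models error handling tearing down a peer */
    return 0;
}

/* Two dispatches in a row; bar may be terminating but is never freed here. */
static int event_action(struct inst *foo, struct inst *bar, bool foo_fails)
{
    inst_dispatch(foo, foo_fails ? bar : NULL);
    return inst_dispatch(bar, NULL);
}

/* Main loop only: release what was queued, return how many were freed. */
static int free_deferred(void)
{
    int n = 0;
    for (struct inst *fi; (fi = deferred) != NULL; n++) {
        deferred = fi->next_free;
        free(fi);
    }
    return n;
}

int main(void)
{
    struct inst *foo = calloc(1, sizeof(*foo)), *bar = calloc(1, sizeof(*bar));
    if (!foo || !bar) return 1;
    int rc = event_action(foo, bar, true);
    printf("BAR_EVENT rc=%d, freed in main loop: %d\n", rc, free_deferred());
    free(foo);
    return 0;
}
```

Building this with -fsanitize=address shows no report on the failure path, because the second dispatch only reads a flag in memory that is still allocated.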
Do not return a warning and therefore fail parsing the config when the
"encapsulation framerelay-gre local-ip" command is used and FR/GRE is
disabled. Having this in the config does no harm and allows keeping the
same config if it is enabled later.
This fixes the currently failing vty tests for osmo-sgsn.
Fixes: a0c8195ad37292ab800a6c777fc28383995b4b64 ("vty: Return error if cmd returns CMD_WARNING while reading cfg file")
Change-Id: Ic225232fbfca49ba868427eaf898e1f6e34e1ca8
The calculation of the beginning of a block for TCH/F, TCH/H and FACCH
can be challenging since those channels are affected by the diagonal
interleaving of the TCH channels. However, GSM 05.02 Section 7 Table 1
of 5 specifies how the blocks are distributed over the TDMA frame
interval. Let's add a mapping function that is based on that table.
Related: OS#3803
Change-Id: I3d71c66f8c401f5afbad9b1c86c24580dab9e0ce
Otherwise bad configurations can easily sneak in and produce unexpected
behavior.
Change-Id: Ic9c1b566ec4a459f03e6319cf369691903cf9d00
Those two functions are only used by osmo_sock_init2_multiaddr(), which
is only built if HAVE_LIBSCTP is defined. Avoid compiler warning about
unused function helpers if osmo_sock_init2_multiaddr() is not being
built.
Change-Id: I52769d6b8f70af1a8bda23d60b3230a932e71fab
Since we return error at the start of the function if proto !=
IPPROTO_SCTP, it makes no sense to check for proto != IPPROTO_UDP later
on.
Fixes: CID#205088
Change-Id: Ibba7eacaa9debb77d536d47dc85170c5ee79e479
This API will be used by libosmo-netif's osmo_stream for SCTP sockets,
which in turn will be used by libosmo-sccp to support multi-homed
connections.
Related: OS#3608
Change-Id: Ic8681d9e093216c99c6bca4be81c31ef83688ed1
len provides extra information in the case the buffer was too small,
because it tells the caller "the number of characters (excluding the
terminating null byte) which would have been written to the final
string if enough space had been available" (man
snprintf).
Change-Id: Icafe559e19a92e2ae72fdd0dd2d9a394b1eda878
Without this patch, for instance in this cfg file below, go_parent_cb is
not called for nodes such as "listen" and "cs7":
"""
line vty
 no login
cs7 instance 0
 xua rkm routing-key-allocation dynamic-permitted
 listen m3ua 2905
  accept-asp-connections dynamic-permitted
  local-ip 127.0.0.1
"""
Related: OS#3608
Change-Id: Ia6d88c0e63d94ba99e950da6efbc4c1871070012
Change-Id: Ifc3a30881f865f88bcfc1307a3c89c1ab79eecd4
log_enable_multithread() enables use of locks inside the
implementation. Lock use is disabled by default, this way only
multi-thread processes need to enable it and suffer related
complexity/performance penalties.
Locks are required around osmo_log_target_list and items inside it,
since targets can be used, modified and deleted by different threads
concurrently (for instance, user writing "logging disable" in VTY while
another thread is willing to write into that target).
Multithread apps and libraries aiming at being used in multithread apps
should update their code to use the locks introduced here when
containing code iterating over osmo_log_target_list explicitly or
implicitly by obtaining a log_target (eg. osmo_log_vty2tgt()).
Related: OS#4088
Change-Id: Id7711893b34263baacac6caf4d489467053131bb
This way if the process is started with no file associated (eg. no -c
param and default cfg path doesn't exist), config can be later saved
into a file by passing the parameter. Otherwise, until now this message
was displayed:
Can't save to configuration file, using vtysh.
Related: OS#4024
Change-Id: I38edcf902a08b6bd0ebb9aa6fc1a7041421af525
This is useful for timers expected to have a range of valid or expected
values.
Validation is done at runtime when timer values are set by the app or by
the user through the VTY.
Related: OS#4190
Change-Id: I4661ac41c29a009a1d5fc57d87aaee6041c7d1b2
OSMO_GSUP_SUPPORTED_RAT_TYPES_IE corresponds to the Supported RAT Types
Indicator from 3GPP TS 29.002. See 8.1.2 MAP_UPDATE_LOCATION service,
which indicates the capabilities of the MSC/VLR to the HLR.
So far, have room for eight RAT types in the gsup_msg. That is an arbitrary
random choice without any rationale.
OSMO_GSUP_CURRENT_RAT_TYPE_IE is useful to communicate the currently
used RAN / RAT type of the current subscriber during Location Updating Request.
Change-Id: I93850710ab55a605bf61b95063a69682a2899bb1
We first set the ISTRIP bit only to remove it in the next line.
Let's try to avoid confusing the reader.
Change-Id: Icba43dd4b6dc4f9c7f8fcf91d24b3baac4e0c74a
Change-Id: I837c8303a7bb47b690cc8841cf5cafba8ac338af
I missed code review, so here are my comments in form of a follow-up patch
for Id56a1226d724a374f04231df85fe5b49ffd2c43c.
- Fix 'as_unit' arg name to 'val_unit' as in the C file and API doc.
- Explain rounding-up behavior of value conversion in API doc.
- Use osmo_tdef_get_entry() instead of a loop.
Related: OS#4190
Change-Id: Ia91c2f17e40fb9e79ffa5a7f28ce9c3605664402
This API is already useful for users willing to set a given timer to a
given value. It will also contain code later that checks for value being
inside valid range for that timer.
Related: OS#4190
Change-Id: Id56a1226d724a374f04231df85fe5b49ffd2c43c
As 3GPP doesn't specify how the BSC shall communicate ETWS Primary
Notifications over Abis/RSL, we have to use a vendor-specific RSL
message for this. And in order to know if the peer supports this
feature, we introduce BTS_FEAT_ETWS_PN.
Change-Id: I89c24a81ada6627694a9632e87485a61cbd3e680
Related: OS#4046, OS#4047
Change-Id: I36fc2ffc22728887d1cb8768c7fcd9739a8ec0fc
Related: OS#4046, OS#4047
We don't want to expose the details of a given ECU implementation to
the user (e.g. osmo-bts), but have a generic abstraction layer where
an ECU implementation can simply register a few call-back functions
with the generic core.
As the developer and copyright holder of the related code, I hereby
state that any ECU implementation using 'struct osmo_ecu_ops' and
registering with the 'osmo_ecu_register()' function shall not be
considered as a derivative work under any applicable copyright law;
the copyleft terms of GPLv2 shall hence not apply to any such ECU
implementation.
The intent of the above exception is to allow anyone to combine
third party Error Concealment Unit implementations with libosmocore,
including but not limited to such published by ETSI.
Change-Id: I4d33c9c7c2d4c7462ff38a49c178b65accae1915
Change-Id: I1dce8ace228814b5a7246a00b31309ab9461d266
The user length is the first IE *in* the fixed-length TV, make sure
cbsp_dec_write_repl() respects that.
Change-Id: I864cafac2466a89a4bd9644bc73363fff2babd03
Change-Id: I6916e2330e004f20a22f273147fa6288d18b5d0d
The CBSP code assumed that gsm0808_decode_cell_id_u() would return
the number of bytes it has consumed/parsed. But it actually always
returns '0', which makes us run in an endless loop :(
Change-Id: I5758af4ec11a827d4b888a3a16c4ec22de90a7d6
When a VTY closes, dispatch the VTY_CLOSED signal before tearing down the VTY
buffer and fd.
In particular this fixes:
- a crash during telnet_close_client(), invoked by the VTY_CLOSED event, which
logs to DLGLOBAL and uses vty->obuf that, so far, vty_close() had already
unallocated earlier (OS#4164).
- the logging about closing a telnet session so far logged:
DLGLOBAL INFO Closing telnet connection r=NULL<->l=NULL
By dispatching the VTY_CLOSED event while the fd is still valid, we instead
get the actual connection IP address and port being closed:
DLGLOBAL INFO Closing telnet connection r=127.0.0.1:36708<->l=127.0.0.1:4258
Related: OS#4164
Change-Id: I1d235cbfbfb9aaf411316642c7bcfac12106df44
Rather than having applications maintain their own talloc contexts,
let's offer some root talloc contexts in libosmocore. Let's also
make them per thread right from the beginning. This will help
some multi-threaded applications to use talloc in a thread-safe
way.
Change-Id: Iae39cd57274bf6753ecaf186f229e582b42662e3
This way it's easier by osmo_verify_transcript_vty.py to skip and avoid
breaking existent test in osmo-hlr.
Fixes: d0b3b9edac978c91bf84aa2537aa24426685b1fb
Change-Id: Iab9423661e4f4eefca2e3d02b60a43f913ed92a3
The intention of osmo_tdef_get()'s val_if_not_present argument was to return a
default timeout, or to optionally abort the program for missing timer
definitions if the default timeout is < 0. This was the case in the original
implementation of this API in osmo-bsc, but in the migration to libosmocore,
the argument was by accident changed to an unsigned type. In consequence, the
assertion in the implementation that was intended to abort the program seemed
bogus to coverity, and was fixed by removal in
I7a544d2d43b83135def296674f777e48fe5fd80a -- the wrong direction, as is obvious
from the API doc for osmo_tdef_get().
Note that osmo-bsc master passes -1 in various places and expects the
program-abort behavior that was missing from the libosmocore implementation.
Change the val_if_not_present argument to a signed type, and revert removal of
the assertion, so that passing -1 has the effect described in the API doc:
program abort on missing timer definition.
This bug was not detected because it is hard to write tests that expect a
program abort to happen, hence no tests for this API feature exist.
Related: OS#4152
Change-Id: Ie61c3c85069916336e6dbd91a2c16f7634816417
When reading SUT logs resulting from TTCN3 runs, it can be hard to figure out
which log section corresponds to which test code. Add a 'logp' command on VIEW
and ENABLE nodes that simply echoes an arbitrary message on log output, useful
to set markers / explanations from the TTCN3 code, which then appear in all log
outputs and can make it trivial to figure out which log section is interesting.

  logging_vty_test# logp lglobal notice This is the log message
  DLGLOBAL NOTICE This is the log message

From TTCN3, could be used like this, e.g. in BSC_Tests.ttcn:

  private function f_logp(charstring log_msg) runs on MSC_ConnHdlr
  {
      // log on TTCN3 log output
      log(log_msg);
      // log in stderr log
      f_vty_transceive(BSCVTY, "logp lglobal notice " & log_msg);
  }
  ...
  f_logp("f_probe_for_handover(" & log_label & "): Ending the test: Handover Failure stops the procedure.");

Change-Id: Ife5dc8999174c74e0d133729284fe526d6eaf8d9
Change-Id: I64c6d3dc08ff87b673ba6225f98546e86f91bcfd
Change-Id: I05dd1f2725e05f856f1d27c9201a0005de101b8f
As a result whitespace ended up in some variables and then command
"expr" was not happy about it.
It was spotted because src/coding/Makefile.am had some whitespacing.
Since it's the only one, let's drop the whitespace there too to have
similar line in all Makefile.am files.
Change-Id: I33afef5e4ef9eb36de81274533f46598ba9a0edb
There's no real good reason for using that function (static buffer)
instead of osmo_str_tolower_buf(local buffer), so let's use the latter.
In any case, we get rid of TLS variables in those places, which is a
performance improvement.
It will also allow later shrinking of those buffers if we decide to
define maximum logging category and level name length.
Change-Id: I2e99de1142020e4d80ef0a094e4e751f7903f5f9
This way we get rid of extra 128 bytes in memory per thread created.
It makes sense to share the buffer since it's same size and it doesn't
make much sense to be using both osmo_str_tolower and osmo_strtoupper at
the same time (usually you either want to move everything to uppercase
or everything to lowercase). In required scenarios, one can still use the
_buf versions.
Change-Id: I032803faa0e27c2efdff1ff276acabab95a8319a
The pseudotalloc layer doesn't yet support talloc_named() API
which will be used by the upcoming "context" change. Let's add
this function to pseudotalloc.c for our arm-non-eabi builds.
Change-Id: I4d91ebd73a3357a17ef9143a1b41b90186d4c128
When using gcc 8.3.0 on Debian unstable and doing an embedded build,
I'm getting the following error:
> fsm.c:621:40: error: format '%ld' expects argument of type
> 'long int', but argument 6 has type 'time_t {aka long long int}'
> [-Werror=format=]
Let's avoid that...
Change-Id: I92fb9b08def8475739f0dc6316de43b166f48ac3
Change-Id: Ic6d7d68e9a559a6fb5bd6eaf6eccceae51e7ed39
After reading data from the socket, assigned to a given VTY, we
need to '\0'-terminate the received string. Otherwise, further
access to that string, stored in a heap buffer vty->buf, would
lead to a heap overrun.

== How to reproduce?

  $ python -c "print 'A' * 512" | telnet $HOST $PORT

  ==21264==ERROR: AddressSanitizer: heap-buffer-overflow on address
                  0x6190000211e0 at pc 0x000000435d2f
                  bp 0x7ffc06c7add0 sp 0x7ffc06c7a578
  READ of size 1025 at 0x6190000211e0 thread T0
    #0 0x435d2e in __interceptor_strlen (/usr/local/bin/osmo-msc+0x435d2e)
    #1 0x7fb95bfa5624 in talloc_strdup (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6624)
    #2 0x7fb95c1be2bc in vty_hist_add /opt/osmocom/libosmocore/src/vty/vty.c:578
    #3 0x7fb95c1be2bc in vty_execute /opt/osmocom/libosmocore/src/vty/vty.c:703
    #4 0x7fb95c1be2bc in vty_read /opt/osmocom/libosmocore/src/vty/vty.c:1425
    #5 0x7fb95c1bfd78 in client_data /opt/osmocom/libosmocore/src/vty/telnet_interface.c:157
    #6 0x7fb95b90bd33 in osmo_fd_disp_fds /opt/osmocom/libosmocore/src/select.c:223
    #7 0x7fb95b90bd33 in osmo_select_main /opt/osmocom/libosmocore/src/select.c:263
    #8 0x5006cc in main /opt/osmocom/osmo-msc/src/osmo-msc/msc_main.c:723:3
    #9 0x7fb959935f44 in __libc_start_main /build/eglibc-xkFqqE/eglibc-2.19/csu/libc-start.c:287
    #10 0x4226fb in _start (/usr/local/bin/osmo-msc+0x4226fb)

== Why exactly 512?

Because the initial size of the heap buffer is 512 (see VTY_BUFSIZ).
Later on it can be realloc()ated, so X > 512 should also work.

Found using AddressSanitizer and Radamsa [1] fuzzer.

[1] https://gitlab.com/akihe/radamsa

Change-Id: I82f774ad18d0e555eb8f3590a519946d9c583c78
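Added example (not the libosmocore VTY code): a receive buffer that stays a valid C string when the input exactly fills its initial 512 bytes, which is the case the commit message above reproduces. The struct, the function and LINE_BUF_INIT are hypothetical names, and the doubling growth policy is an assumption.

```c
/* Added illustration, not the libosmocore VTY code; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUF_INIT 512   /* same initial size the commit message names */

struct line_buf {
    char *buf;
    size_t cap;   /* allocated bytes */
    size_t len;   /* bytes received so far, excluding the terminator */
};

/* Append n received bytes and keep buf NUL-terminated.
 * Returns 0 on success, -1 on allocation failure. */
static int line_buf_append(struct line_buf *lb, const char *data, size_t n)
{
    size_t need = lb->len + n + 1;      /* +1 reserves room for '\0' */

    if (need > lb->cap) {
        size_t cap = lb->cap ? lb->cap : LINE_BUF_INIT;
        while (cap < need)
            cap *= 2;                   /* assumed growth policy */
        char *p = realloc(lb->buf, cap);
        if (!p)
            return -1;
        lb->buf = p;
        lb->cap = cap;
    }
    memcpy(lb->buf + lb->len, data, n);
    lb->len += n;
    lb->buf[lb->len] = '\0';            /* strlen()/strdup() now stop here */
    return 0;
}

int main(void)
{
    struct line_buf lb = {0};
    char input[LINE_BUF_INIT];

    memset(input, 'A', sizeof(input));  /* constructed input: 512 x 'A' */
    if (line_buf_append(&lb, input, sizeof(input)) < 0)
        return 1;
    printf("len=%zu strlen=%zu cap=%zu\n", lb.len, strlen(lb.buf), lb.cap);
    free(lb.buf);
    return 0;
}
```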
Unfortunately, osmo_sock_get_name_buf() fails in telnet_close_client():
DLGLOBAL INFO telnet_interface.c:130 Closing telnet connection <error-in-getsockname>
because getsockname(), getpeername(), and even close() fail with:
"Bad file descriptor".
This looks like a bug of the existing code.
Change-Id: I77b31abfa159d2f269deaa5a08d94b7bbba7d23c
Change-Id: I33837f0fac1afe83596fa600916abc05ecb8c356
Unconditional initialization follows the structure definition,
so there is no need to do it twice. This prevents compiler
from warning about potential errors.
Change-Id: If9fd2826f132dfa203dda62940d93dbdfcfd92ac
Change-Id: I1564f4714a33d36792e4982deb8f19d1b740dc0c
Change-Id: I5eb17edadf89ac47b4ca86c9e822037f7c0e518e
Change-Id: Ib444383d2074ddb89b3fe5bbf198bcbfabd7057f
ubsan will report undefined behavior due to the SUN_LEN macro's interaction with a null pointer,
so let's tell ubsan to ignore this function. After carefully reviewing the final publicly
available drafts of the C99, C11 and C18 standards I can confirm that dereferencing null pointers
is still undefined behavior, as such ubsan will always warn with absolutely every existing compiler
version. Since the sanitizers are periodically synced between llvm and gcc I'm also fairly confident
that rebuilding everything with compiler_rt to use the integrated sanitizers would result in the same message.
I sincerely hope that this explanation proves to be sufficient. If not, I'd be willing to show up at
the next llvm dev meeting to provide quotes from actual sanitizer developers to back up these claims.
Change-Id: I0ff445072f1b46390c9f70b21d61c789e39358d5
Change-Id: Id38272ff93fae6d2fdf39df4ffc74856d6c9a898
Change-Id: Ie18c291d0cfe3b246d09ac6cfd9591951a2984c8