
Bug #1761

LAPD: segfault when bootstrapping Nokia InSite

Added by laforge about 2 years ago. Updated 10 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 07/03/2016
Due date: -
% Done: 20%
Estimated time: -
Spec Reference: -

Description

When bootstrapping a Nokia InSite BTS, current OsmoNITB segfaults.

The reason for this is as follows:

  • ABM is established.
  • LAPD code hands an I frame to the application using send_dl_l3()
  • user application decides to call lapd_sap_stop() resulting in a local RELEASE request to LAPD
  • LAPD clears the transmit history and changes to IDLE state
  • application returns from processing the I frame
  • code proceeds in lapd_rx_i() and tries to transmit an I frame, as it didn't realize the state has meanwhile changed
  • lapd_send_i() tries to use dl->tx_hist -> boom.

As this is the second bug related to accessing a freed tx_hist, the code seems to require a more thorough audit.


Related issues

Related to libosmocore - Bug #1760: LAPD: segfault in T200 call-back (Closed, 2016-07-03)

Related to libosmocore - Bug #1762: Review LAPD code for race conditions regarding state, particularly in RELEASE (New, 2016-07-03)

History

#1 Updated by laforge about 2 years ago

  • Related to Bug #1760: LAPD: segfault in T200 call-back added

#2 Updated by laforge about 2 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 20

The quick fix for this specific bug is to check for LAPD_STATE_MF_EST in the first lines of lapd_send_i(), and return if not. Not sure how many other similar bugs are still hidden :/
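The re-entrancy sequence from the description and the state check proposed in #2, reduced to a constructed C model. This is an added illustration, not libosmocore's LAPD code: the struct, the callback pointer, `run_scenario()` and the two `app_*` functions are assumptions; only the names `tx_hist`, `lapd_send_i()`, `lapd_rx_i()`, `lapd_sap_stop()` and `LAPD_STATE_MF_EST` come from the report.

```c
#include <stdlib.h>

/* Constructed model of the hazard, not libosmocore's code. */
enum lapd_state { LAPD_STATE_IDLE, LAPD_STATE_MF_EST };

struct lapd_dl {
	enum lapd_state state;
	char *tx_hist;                           /* freed on local RELEASE */
	int frames_sent;
	void (*send_dl_l3)(struct lapd_dl *dl);  /* callback into the application */
};

/* Local RELEASE request: clear transmit history, go to IDLE. */
static void lapd_sap_stop(struct lapd_dl *dl)
{
	free(dl->tx_hist);
	dl->tx_hist = NULL;
	dl->state = LAPD_STATE_IDLE;
}

/* The fix from comment #2: refuse to send unless multi-frame established.
 * Returns -1 if the link is no longer established, 0 if an I frame was queued. */
static int lapd_send_i(struct lapd_dl *dl)
{
	if (dl->state != LAPD_STATE_MF_EST)
		return -1;
	dl->tx_hist[0] = 'I';   /* without the check: write to freed/NULL memory */
	dl->frames_sent++;
	return 0;
}

/* Receive path: hand the I frame to L3, then try to transmit a pending I frame.
 * The application callback may have released the link in between. */
static int lapd_rx_i(struct lapd_dl *dl)
{
	dl->send_dl_l3(dl);      /* re-entrant: may call lapd_sap_stop() */
	return lapd_send_i(dl);  /* state must be re-checked here */
}

/* Application behaviours (assumed): release inside the callback, or do nothing. */
static void app_release_in_callback(struct lapd_dl *dl) { lapd_sap_stop(dl); }
static void app_keep(struct lapd_dl *dl) { (void)dl; }

/* Drive one received I frame through a fresh link; returns lapd_send_i()'s result. */
static int run_scenario(void (*app)(struct lapd_dl *))
{
	struct lapd_dl dl = { LAPD_STATE_MF_EST, malloc(16), 0, app };
	int rc = lapd_rx_i(&dl);
	free(dl.tx_hist);        /* NULL after a release, so this is safe */
	return rc;
}
```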

#3 Updated by laforge about 2 years ago

  • Related to Bug #1762: Review LAPD code for race conditions regarding state, particularly in RELEASE added

#4 Updated by laforge over 1 year ago

  • Assignee deleted (laforge)

#5 Updated by laforge 10 months ago

  • Status changed from In Progress to New
