Bug #3976

closed

osmo-bsc: heap-use-after-free upon MGW CRCX failure response

Added by pespin almost 5 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: RTP/Media
Target version: -
Start date: 05/06/2019
Due date:
% Done: 0%
Spec Reference:
Description

While testing osmux-related stuff (WIP), osmo-mgw sometimes sends a 400 FAIL message (because it's WIP, I know why but it's not related to this issue).
When that happens, osmo-bsc ends up in a heap-use-after-free caught by ASan.
That happens after the last patches merged in osmo-mgw/osmo-bsc related to osmo-msc handover afaik.

20190506125305537 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1130 lchan(0-0-0-CCCH_SDCCH4-0)[0x612000004720]{ESTABLISHED}: (type=SDCCH) Rx MEAS_RES
20190506125305537 DRSL <0003> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1060 (bts=0,trx=0,ts=0,ss=0): meas_rep_count++=2 meas_rep_last_seen_nr=1
20190506125305537 DMEAS <0006> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:931 [(bts=0,trx=0,ts=0,ss=0)] MEASUREMENT RESULT NR=1 RXL-FULL-ul=-54dBm RXL-SUB-ul=-54dBm RXQ-FULL-ul=0 RXQ-SUB-ul=0 BS_POWER=0 MS_TO=0 L1_MS_PWR= 16dBm L1_FPC=0 L1_TA=0 BA1 RXL-FULL-dl=-48dBm RXL-SUB-dl=-48dBm RXQ-FULL-dl=0 RXQ-SUB-dl=0 NUM_NEIGH=0
20190506125305712 DPAG <0005> /git/osmo-bsc/src/osmo-bsc/paging.c:90 (bts=0) Going to send paging commands: imsi: 901700000015254 tmsi: 0x225bbbe1 for ch. type 0 (attempt 0)
20190506125305712 DLMI <0017> /git/libosmo-abis/src/input/ipaccess.c:356 TX 2: 0c 15 01 90 0e 04 0c 05 f4 22 5b bb e1 28 00
20190506125305964 DLMI <0017> /git/libosmo-abis/src/input/ipaccess.c:251 RX 2: 02 06 01 09 02 00
20190506125305964 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1603 lchan(0-0-1-TCH_F-0)[0x612000004d20]{WAIT_RLL_RTP_ESTABLISH}: (type=TCH_F) SAPI=0 ESTABLISH INDICATION
20190506125305964 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1636 lchan(0-0-1-TCH_F-0)[0x612000004d20]{WAIT_RLL_RTP_ESTABLISH}: Received Event LCHAN_EV_RLL_ESTABLISH_IND
20190506125305964 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:803 lchan(0-0-1-TCH_F-0)[0x612000004d20]{WAIT_RLL_RTP_ESTABLISH}: state_chg to ESTABLISHED
20190506125305964 DAS <0012> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:178 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_RR_ASS_COMPLETE}: Received Event ASSIGNMENT_EV_LCHAN_ESTABLISHED
20190506125305964 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:559 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_RR_ASS_COMPLETE}: (bts=0,trx=0,ts=1,ss=0) lchan established, still waiting for RR Assignment Complete
20190506125306141 DLMI <0017> /git/libosmo-abis/src/input/ipaccess.c:251 RX 2: 02 06 01 09 02 00
20190506125306141 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1603 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: (type=TCH_F) SAPI=0 ESTABLISH INDICATION
20190506125306141 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1636 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: Received Event LCHAN_EV_RLL_ESTABLISH_IND
20190506125306202 DLMI <0017> /git/libosmo-abis/src/input/ipaccess.c:251 RX 2: 03 02 01 09 02 00 0b 00 03 06 29 00
20190506125306202 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1594 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: (type=TCH_F) SAPI=0 DATA INDICATION
20190506125306202 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/gsm_04_08_rr.c:908 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: (type=TCH_F) Rx ASSIGNMENT COMPLETE
20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/gsm_04_08_rr.c:946 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_RR_ASS_COMPLETE}: Received Event ASSIGNMENT_EV_RR_ASSIGNMENT_COMPLETE
20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:555 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_RR_ASS_COMPLETE}: state_chg to WAIT_LCHAN_ESTABLISHED
20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:581 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_LCHAN_ESTABLISHED}: (bts=0,trx=0,ts=1,ss=0) lchan fully established, no need to wait
20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:603 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_LCHAN_ESTABLISHED}: state_chg to WAIT_MGW_ENDPOINT_TO_MSC
20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:617 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: (bts=0,trx=0,ts=1,ss=0) Connecting MGW endpoint to the MSC's RTP port: 192.168.30.1:4010
20190506125306202 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:576 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[1] to-MSC: CRCX: notify=assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]
20190506125306202 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:623 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[1] to-MSC: CRCX 192.168.30.1:4010: Scheduling
20190506125306202 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:626 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: state_chg to WAIT_MGW_RESPONSE
20190506125306202 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:646 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[1] to-MSC: CRCX 192.168.30.1:4010: Sending
20190506125306202 DRLL <0000> /git/libosmocore/src/fsm.c:423 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: Allocated
20190506125306202 DRLL <0000> /git/libosmocore/src/fsm.c:453 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: is child of mgw-endpoint(conn2)[0x6120000060a0]
20190506125306203 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:627 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: Received Event EV_CRCX
20190506125306203 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:215 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: MGW/CRCX: creating connection on MGW endpoint:rtpbridge/2@mgw...
20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:960 Queued 172 bytes for MGCP GW
20190506125306203 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:233 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: state_chg to ST_CRCX_RESP
20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:798 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw Sent messages: 1
20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:724 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: MDCX 192.168.30.1:16384: done (rtpbridge/2@mgw:192.168.30.1:4014)
20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:722 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[1] to-MSC: CRCX 192.168.30.1:4010: waiting for response
20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:742 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI in use: 2, waiting for response: 1
20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:724 Tx MGCP: r=192.168.30.1:2427<->l=192.168.30.1:2727: len=172 'CRCX 3 rtpbridge/2@mgw MGCP 1.0\r\nC: 2\r\nM: '...
20190506125306204 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:263 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: MGW/CRCX: response yields error: 400 FAIL                               <---------- HERE!!!!!!
20190506125306204 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: Terminating (cause = OSMO_FSM_TERM_ERROR)
20190506125306204 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: Removing from parent mgw-endpoint(conn2)[0x6120000060a0]
20190506125306204 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: Freeing instance
20190506125306204 DRLL <0000> /git/libosmocore/src/fsm.c:535 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: Deallocated
20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Received Event MGW Response for CI #1
20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:724 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: MDCX 192.168.30.1:16384: done (rtpbridge/2@mgw:192.168.30.1:4014)
20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:742 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI in use: 1, waiting for response: 0
20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:753 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: state_chg to IN_USE
20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:724 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: MDCX 192.168.30.1:16384: done (rtpbridge/2@mgw:192.168.30.1:4014)
20190506125306204 DAS <0012> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:374 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: Received Event ASSIGNMENT_EV_MSC_MGW_FAIL
20190506125306204 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:658 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: (bts=0,trx=0,ts=1,ss=0) Assignment failed in state WAIT_MGW_ENDPOINT_TO_MSC, cause EQUIPMENT FAILURE: Unable to connect MGW endpoint to the MSC side
20190506125306204 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:658 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: (bts=0,trx=0,ts=1,ss=0) incrementing rate counter: assignment:error Assigment failed for other reason.
20190506125306204 DMSC <0007> /git/osmo-bsc/src/osmo-bsc/osmo_bsc_sigtran.c:386 Tx MSC: BSSMAP: ASSIGNMENT FAIL
20190506125306204 DMSC <0007> /git/osmo-bsc/src/osmo-bsc/osmo_bsc_sigtran.c:409 Sending connection (id=2) oriented data to MSC: RI=SSN_PC,PC=0.23.1,SSN=BSSAP (00 04 03 04 01 20 )
20190506125306204 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1711 Received SCCP User Primitive (N-DATA.request)
20190506125306204 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1751 SCCP-SCOC(2)[0x612000005c20]{ACTIVE}: Received Event N-DATA.req
20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/sccp_scrc.c:398 sccp_scrc_rx_scoc_conn_msg:  HDR=(CO:CODT,V=0,LEN=0),
        PART(T=Routing Context,L=4,D=00000000),
        PART(T=Destination Reference,L=4,D=00000004),
        PART(T=Data,L=6,D=000403040120)
20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:278 m3ua_hmdc_rx_from_l2(): dpc=185=0.23.1 not local, message is for routing
20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:227 Found route for dpc=185=0.23.1: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-msc-0 proto=m3ua
20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:233 rt->dest.as proto is M3UA for dpc=185=0.23.1
20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/m3ua.c:507 XUA_AS(as-clnt-msc-0)[0x612000003e20]{AS_ACTIVE}: Received Event AS-TRANSFER.req
20190506125306205 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:126 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: (bts=0,trx=0,ts=1,ss=0) Assignment failed
20190506125306205 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:127 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: Terminating (cause = OSMO_FSM_TERM_ERROR)
20190506125306205 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:127 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: Removing from parent SUBSCR_CONN(conn2)[0x612000005920]
20190506125306205 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:1350 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{READY}: Received Event LCHAN_RTP_EV_ROLLBACK
20190506125306205 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:506 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{READY}: state_chg to ROLLBACK
20190506125306205 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:520 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{ROLLBACK}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20190506125306205 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:520 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{ROLLBACK}: Removing from parent lchan(0-0-1-TCH_F-0)[0x612000004d20]
20190506125306205 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:576 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: DLCX: notify=NULL
20190506125306205 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:623 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: DLCX: Scheduling
20190506125306205 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:626 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: state_chg to WAIT_MGW_RESPONSE
20190506125306205 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:673 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: Sending MGCP: DLCX 8894D491
20190506125306205 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:711 MGCP_CONN(to-BTS)[0x612000006220]{ST_READY}: Received Event EV_DLCX
20190506125306206 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:960 Queued 52 bytes for MGCP GW
20190506125306207 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:372 MGCP_CONN(to-BTS)[0x612000006220]{ST_READY}: state_chg to ST_DLCX_RESP
20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:798 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw Sent messages: 1
20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:742 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI in use: 0, waiting for response: 0
20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:747 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Terminating (cause = OSMO_FSM_TERM_REGULAR)
20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:747 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Removing from parent SUBSCR_CONN(conn2)[0x612000005920]
20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:747 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Freeing instance
20190506125306207 DLMGCP <0023> /git/libosmocore/src/fsm.c:535 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Deallocated
20190506125306207 DMSC <0007> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:747 SUBSCR_CONN(conn2)[0x612000005920]{ASSIGNMENT}: Received Event FORGET_MGW_ENDPOINT
20190506125306207 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:520 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{ROLLBACK}: Freeing instance
20190506125306207 DCHAN <0010> /git/libosmocore/src/fsm.c:535 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{ROLLBACK}: Deallocated
20190506125306207 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:520 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: Received Event LCHAN_EV_RTP_RELEASED
20190506125306207 DRSL <0003> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:633 (bts=0,trx=0,ts=1,ss=0) DEACTivate SACCH CMD
20190506125306207 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:1361 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: state_chg to WAIT_RF_RELEASE_ACK
20190506125306207 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:1406 lchan(0-0-1-TCH_F-0)[0x612000004d20]{WAIT_RF_RELEASE_ACK}: lchan detaches from conn SUBSCR_CONN(conn2)[0x612000005920]
20190506125306207 DMSC <0007> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:1409 SUBSCR_CONN(conn2)[0x612000005920]{ASSIGNMENT}: lchan lchan(0-0-1-TCH_F-0)[0x612000004d20] detaches from conn
=================================================================
==24184==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000000a80 at pc 0x7ffff661b850 bp 0x7fffffffce40 sp 0x7fffffffce30
READ of size 8 at 0x62b000000a80 thread T0
    #0 0x7ffff661b84f in osmo_mgcpc_ep_check_ci /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:139
    #1 0x7ffff662264a in osmo_mgcpc_ep_ci_request /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:536
    #2 0x555555b33bdb in osmo_mgcpc_ep_ci_dlcx /build/new/out/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h:37
    #3 0x555555b34484 in assignment_reset /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:107
    #4 0x555555b6dc42 in assignment_fsm_cleanup /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:761
    #5 0x7ffff62619cd in _osmo_fsm_inst_term /git/libosmocore/src/fsm.c:890
    #6 0x555555b35b44 in on_assignment_failure /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:127
    #7 0x555555b66838 in assignment_fsm_wait_mgw_endpoint_to_msc /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:657
    #8 0x7ffff625f2d2 in _osmo_fsm_inst_dispatch /git/libosmocore/src/fsm.c:818
    #9 0x7ffff661e85d in on_failure /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:374
    #10 0x7ffff663e5a1 in osmo_mgcpc_ep_fsm_handle_ci_events /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:813
    #11 0x7ffff625f2d2 in _osmo_fsm_inst_dispatch /git/libosmocore/src/fsm.c:818
    #12 0x7ffff626221c in _osmo_fsm_inst_term /git/libosmocore/src/fsm.c:905
    #13 0x7ffff6614545 in mgw_crcx_resp_cb /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264
    #14 0x7ffff66058e5 in mgcp_client_handle_response /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:206
    #15 0x7ffff6608d74 in mgcp_client_rx /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:680
    #16 0x7ffff66092e8 in mgcp_do_read /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:714
    #17 0x7ffff6262b10 in osmo_wqueue_bfd_cb /git/libosmocore/src/write_queue.c:51
    #18 0x7ffff623b883 in osmo_fd_disp_fds /git/libosmocore/src/select.c:223
    #19 0x7ffff623bba9 in osmo_select_main /git/libosmocore/src/select.c:263
    #20 0x555555d4e622 in main /git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
    #21 0x7ffff546ace2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2)
    #22 0x555555ab590d in _start (/build/new/out/bin/osmo-bsc+0x56190d)

0x62b000000a80 is located 2176 bytes inside of 25216-byte region [0x62b000000200,0x62b000006480)
freed by thread T0 here:
    #0 0x7ffff72ebf89 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:66
    #1 0x7ffff6142323  (/usr/lib/libtalloc.so.2+0xb323)

previously allocated by thread T0 here:
    #0 0x7ffff72ec389 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x7ffff613fe11 in _talloc_zero (/usr/lib/libtalloc.so.2+0x8e11)

SUMMARY: AddressSanitizer: heap-use-after-free /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:139 in osmo_mgcpc_ep_check_ci
Shadow bytes around the buggy address:
  0x0c567fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c567fff8150:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff81a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24184==ABORTING

Program received signal SIGABRT, Aborted.
0x00007ffff547e82f in raise () from /usr/lib/libc.so.6
(gdb) bt full
#0  0x00007ffff547e82f in raise () from /usr/lib/libc.so.6
No symbol table info available.
#1  0x00007ffff5469672 in abort () from /usr/lib/libc.so.6
No symbol table info available.
#2  0x00007ffff730cd64 in __sanitizer::Abort () at /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:145
No locals.
#3  0x00007ffff73159dd in __sanitizer::Die () at /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_termination.cc:57
No locals.
#4  0x00007ffff72f78fe in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=<optimized out>, __in_chrg=<optimized out>) at /build/gcc/src/gcc/libsanitizer/asan/asan_report.cc:181
        buffer_copy = <optimized out>
#5  __asan::ReportGenericError (pc=<optimized out>, bp=bp@entry=140737488342592, sp=sp@entry=140737488342576, addr=108508053768832, is_write=is_write@entry=false, access_size=access_size@entry=8, exp=0,
    fatal=true) at /build/gcc/src/gcc/libsanitizer/asan/asan_report.cc:397
                            odr_indicator = 106790066870560}, {beg = 93825001346016, size = 107889578482016, size_with_redzone = 140737488340688,
                            name = 0x10000 <error: Cannot access memory at address 0x10000>, module_name = 0x555555e053e0 "ASSIGNMENT", has_dynamic_init = 1, location = 0x7fffffffc6d0,
                            odr_indicator = 140737323068233}, {beg = 140737327176224, size = 8927766694574236160, size_with_redzone = 68719477483, name = 0x7ffff630aee0 "\003",
                            module_name = 0x7ffff48f3978 "", has_dynamic_init = 140737327185120, location = 0x1, odr_indicator = 106446469593184}, {beg = 106446469588608, size = 140737339683169,
                            size_with_redzone = 106446469593184, name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177", module_name = 0x7fffffffc750 "te-read-heap-use-after-free",
                            has_dynamic_init = 140737323082285, location = 0x2300000001, odr_indicator = 106790066847904}}, reg_sites = {4133788192, 32767, 0, 0}, access_size = 8589935339, size = 80 'P'},
                      addr = 0}}}}, StringFunctionMemoryRangesOverlap = {<__asan::ErrorBase> = {scariness = {score = 51,
                    descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, stack = 0x2, length1 = 108508053768832, length2 = 0, addr1_description = {data = {kind = __asan::kAddressKindWild, {shadow = {addr = 3098476548018143233,
                        kind = (unknown: -128), shadow_byte = 10 '\n'}, heap = {addr = 3098476548018143233, alloc_tid = 108508053768832, free_tid = 2176, alloc_stack_id = 512, free_stack_id = 25264,
                        chunk_access = {bad_addr = 25216, offset = 73014429286, chunk_begin = 106790066870560, chunk_size = 93825001346016, access_type = 0, alloc_type = 0}}, stack = {
                        addr = 3098476548018143233, tid = 108508053768832, offset = 2176, frame_pc = 108508053766656, access_size = 25216, frame_descr = 0x10ffffc666 ""}, global = {
--Type <RET> for more, q to quit, c to continue without paging--
                        addr = 3098476548018143233, static kMaxGlobals = 4, globals = {{beg = 108508053768832, size = 2176, size_with_redzone = 108508053766656,
                            name = 0x6280 <error: Cannot access memory at address 0x6280>, module_name = 0x10ffffc666 "", has_dynamic_init = 106790066870560, location = 0x555555e053e0,
                            odr_indicator = 107889578482016}, {beg = 140737488340688, size = 65536, size_with_redzone = 93825001346016, name = 0x1 <error: Cannot access memory at address 0x1>,
                            module_name = 0x7fffffffc6d0 "P\307\377\377\377\177", has_dynamic_init = 140737323068233, location = 0x7ffff6649a20, odr_indicator = 8927766694574236160}, {beg = 68719477483,
                            size = 140737323773664, size_with_redzone = 140737296415096, name = 0x7ffff664bce0 "WAIT_MGW_RESPONSE", module_name = 0x1 <error: Cannot access memory at address 0x1>,
                            has_dynamic_init = 106446469593184, location = 0x60d00001e680, odr_indicator = 140737339683169}, {beg = 106446469593184, size = 140737327413984,
                            size_with_redzone = 140737488340816, name = 0x7ffff626222d <_osmo_fsm_inst_term+12102> "\213@\b\205\300t8fH\215=\244\214\n", module_name = 0x2300000001 "",
                            has_dynamic_init = 106790066847904, location = 0x7ffff6649a20, odr_indicator = 0}}, reg_sites = {747, 2, 4133599312, 32767}, access_size = 140737488342592, size = 48 '0'},
                      addr = 3098476548018143233}}}, addr2_description = {data = {kind = 8, {shadow = {addr = 140737340699588, kind = __asan::kShadowKindLow, shadow_byte = 253 '\375'}, heap = {
                        addr = 140737340699588, alloc_tid = 140737488354560, free_tid = 0, alloc_stack_id = 0, free_stack_id = 0, chunk_access = {bad_addr = 0, offset = 0, chunk_begin = 0, chunk_size = 0,
                          access_type = 0, alloc_type = 0}}, stack = {addr = 140737340699588, tid = 140737488354560, offset = 0, frame_pc = 0, access_size = 0, frame_descr = 0x0}, global = {
                        addr = 140737340699588, static kMaxGlobals = 4, globals = {{beg = 140737488354560, size = 0, size_with_redzone = 0, name = 0x0, module_name = 0x0, has_dynamic_init = 0,
                            location = 0x0, odr_indicator = 0}, {beg = 0, size = 0, size_with_redzone = 0, name = 0x0, module_name = 0x0, has_dynamic_init = 0, location = 0x0, odr_indicator = 0}, {
                            beg = 140737340571560, size = 3621364556, size_with_redzone = 140737350584160, name = 0x7fffffffce90 "\340d\002", module_name = 0x0, has_dynamic_init = 0, location = 0x0,
                            odr_indicator = 0}, {beg = 1384, size = 1256, size_with_redzone = 1256, name = 0x568 <error: Cannot access memory at address 0x568>,
                            module_name = 0x1a <error: Cannot access memory at address 0x1a>, has_dynamic_init = 1256, location = 0x4e8, odr_indicator = 140737340922304}}, reg_sites = {4146210054, 32767,
                          156800, 24992}, access_size = 107339822818416, size = 128 '\200'}, addr = 140737340699588}}}, function = 0x7 <error: Cannot access memory at address 0x7>},
              StringFunctionSizeOverflow = {<__asan::ErrorBase> = {scariness = {score = 51,
                    descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, stack = 0x2, addr_description = {data = {kind = 2688, {shadow = {addr = 0, kind = __asan::kShadowKindLow, shadow_byte = 0 '\000'}, heap = {addr = 0,
                        alloc_tid = 0, free_tid = 3098476548018143233, alloc_stack_id = 2688, free_stack_id = 25264, chunk_access = {bad_addr = 2176, offset = 108508053766656, chunk_begin = 25216,
                          chunk_size = 73014429286, access_type = 0, alloc_type = 0}}, stack = {addr = 0, tid = 0, offset = 3098476548018143233, frame_pc = 108508053768832, access_size = 2176,
                        frame_descr = 0x62b000000200 "\001"}, global = {addr = 0, static kMaxGlobals = 4, globals = {{beg = 0, size = 3098476548018143233, size_with_redzone = 108508053768832,
                            name = 0x880 <error: Cannot access memory at address 0x880>, module_name = 0x62b000000200 "\001", has_dynamic_init = 25216, location = 0x10ffffc666,
                            odr_indicator = 106790066870560}, {beg = 93825001346016, size = 107889578482016, size_with_redzone = 140737488340688,
                            name = 0x10000 <error: Cannot access memory at address 0x10000>, module_name = 0x555555e053e0 "ASSIGNMENT", has_dynamic_init = 1, location = 0x7fffffffc6d0,
                            odr_indicator = 140737323068233}, {beg = 140737327176224, size = 8927766694574236160, size_with_redzone = 68719477483, name = 0x7ffff630aee0 "\003",
                            module_name = 0x7ffff48f3978 "", has_dynamic_init = 140737327185120, location = 0x1, odr_indicator = 106446469593184}, {beg = 106446469588608, size = 140737339683169,
                            size_with_redzone = 106446469593184, name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177", module_name = 0x7fffffffc750 "te-read-heap-use-after-free",
                            has_dynamic_init = 140737323082285, location = 0x2300000001, odr_indicator = 106790066847904}}, reg_sites = {4133788192, 32767, 0, 0}, access_size = 8589935339, size = 80 'P'},
                      addr = 0}}}, size = 140737488342592}, BadParamsToAnnotateContiguousContainer = {<__asan::ErrorBase> = {scariness = {score = 51,
                    descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, stack = 0x2, beg = 108508053768832, end = 0, old_mid = 0, new_mid = 3098476548018143233}, ODRViolation = {<__asan::ErrorBase> = {scariness = {score = 51,
                    descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, global1 = {beg = 2, size = 108508053768832, size_with_redzone = 0, name = 0x0,
                  module_name = 0x2b00000105800001 <error: Cannot access memory at address 0x2b00000105800001>, has_dynamic_init = 108508053768832, location = 0x880, odr_indicator = 108508053766656},
                global2 = {beg = 25216, size = 73014429286, size_with_redzone = 106790066870560, name = 0x555555e053e0 "ASSIGNMENT", module_name = 0x622000001960 "\360\001",
                  has_dynamic_init = 140737488340688, location = 0x10000, odr_indicator = 93825001346016}, stack_id1 = 1, stack_id2 = 0}, InvalidPointerPair = {<__asan::ErrorBase> = {scariness = {
                    score = 51,
                    descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005--Type <RET> for more, q to quit, c to continue without paging--
\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, pc = 2, bp = 108508053768832, sp = 0, addr1_description = {data = {kind = __asan::kAddressKindWild, {shadow = {addr = 3098476548018143233,
                        kind = (unknown: -128), shadow_byte = 10 '\n'}, heap = {addr = 3098476548018143233, alloc_tid = 108508053768832, free_tid = 2176, alloc_stack_id = 512, free_stack_id = 25264,
                        chunk_access = {bad_addr = 25216, offset = 73014429286, chunk_begin = 106790066870560, chunk_size = 93825001346016, access_type = 0, alloc_type = 0}}, stack = {
                        addr = 3098476548018143233, tid = 108508053768832, offset = 2176, frame_pc = 108508053766656, access_size = 25216, frame_descr = 0x10ffffc666 ""}, global = {
                        addr = 3098476548018143233, static kMaxGlobals = 4, globals = {{beg = 108508053768832, size = 2176, size_with_redzone = 108508053766656,
                            name = 0x6280 <error: Cannot access memory at address 0x6280>, module_name = 0x10ffffc666 "", has_dynamic_init = 106790066870560, location = 0x555555e053e0,
                            odr_indicator = 107889578482016}, {beg = 140737488340688, size = 65536, size_with_redzone = 93825001346016, name = 0x1 <error: Cannot access memory at address 0x1>,
                            module_name = 0x7fffffffc6d0 "P\307\377\377\377\177", has_dynamic_init = 140737323068233, location = 0x7ffff6649a20, odr_indicator = 8927766694574236160}, {beg = 68719477483,
                            size = 140737323773664, size_with_redzone = 140737296415096, name = 0x7ffff664bce0 "WAIT_MGW_RESPONSE", module_name = 0x1 <error: Cannot access memory at address 0x1>,
                            has_dynamic_init = 106446469593184, location = 0x60d00001e680, odr_indicator = 140737339683169}, {beg = 106446469593184, size = 140737327413984,
                            size_with_redzone = 140737488340816, name = 0x7ffff626222d <_osmo_fsm_inst_term+12102> "\213@\b\205\300t8fH\215=\244\214\n", module_name = 0x2300000001 "",
                            has_dynamic_init = 106790066847904, location = 0x7ffff6649a20, odr_indicator = 0}}, reg_sites = {747, 2, 4133599312, 32767}, access_size = 140737488342592, size = 48 '0'},
                      addr = 3098476548018143233}}}, addr2_description = {data = {kind = 8, {shadow = {addr = 140737340699588, kind = __asan::kShadowKindLow, shadow_byte = 253 '\375'}, heap = {
                        addr = 140737340699588, alloc_tid = 140737488354560, free_tid = 0, alloc_stack_id = 0, free_stack_id = 0, chunk_access = {bad_addr = 0, offset = 0, chunk_begin = 0, chunk_size = 0,
                          access_type = 0, alloc_type = 0}}, stack = {addr = 140737340699588, tid = 140737488354560, offset = 0, frame_pc = 0, access_size = 0, frame_descr = 0x0}, global = {
                        addr = 140737340699588, static kMaxGlobals = 4, globals = {{beg = 140737488354560, size = 0, size_with_redzone = 0, name = 0x0, module_name = 0x0, has_dynamic_init = 0,
                            location = 0x0, odr_indicator = 0}, {beg = 0, size = 0, size_with_redzone = 0, name = 0x0, module_name = 0x0, has_dynamic_init = 0, location = 0x0, odr_indicator = 0}, {
                            beg = 140737340571560, size = 3621364556, size_with_redzone = 140737350584160, name = 0x7fffffffce90 "\340d\002", module_name = 0x0, has_dynamic_init = 0, location = 0x0,
                            odr_indicator = 0}, {beg = 1384, size = 1256, size_with_redzone = 1256, name = 0x568 <error: Cannot access memory at address 0x568>,
                            module_name = 0x1a <error: Cannot access memory at address 0x1a>, has_dynamic_init = 1256, location = 0x4e8, odr_indicator = 140737340922304}}, reg_sites = {4146210054, 32767,
                          156800, 24992}, access_size = 107339822818416, size = 128 '\200'}, addr = 140737340699588}}}}, Generic = {<__asan::ErrorBase> = {scariness = {score = 51,
                    descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, addr_description = {data = {kind = __asan::kAddressKindHeap, {shadow = {addr = 108508053768832, kind = __asan::kShadowKindLow, shadow_byte = 0 '\000'},
                      heap = {addr = 108508053768832, alloc_tid = 0, free_tid = 0, alloc_stack_id = 92274689, free_stack_id = 721420289, chunk_access = {bad_addr = 108508053768832, offset = 2176,
                          chunk_begin = 108508053766656, chunk_size = 25216, access_type = 2, alloc_type = 1}}, stack = {addr = 108508053768832, tid = 0, offset = 0, frame_pc = 3098476548018143233,
                        access_size = 108508053768832, frame_descr = 0x880 <error: Cannot access memory at address 0x880>}, global = {addr = 108508053768832, static kMaxGlobals = 4, globals = {{beg = 0,
                            size = 0, size_with_redzone = 3098476548018143233, name = 0x62b000000a80 "`\002", module_name = 0x880 <error: Cannot access memory at address 0x880>,
                            has_dynamic_init = 108508053766656, location = 0x6280, odr_indicator = 73014429286}, {beg = 106790066870560, size = 93825001346016, size_with_redzone = 107889578482016,
                            name = 0x7fffffffc6d0 "P\307\377\377\377\177", module_name = 0x10000 <error: Cannot access memory at address 0x10000>, has_dynamic_init = 93825001346016, location = 0x1,
                            odr_indicator = 140737488340688}, {beg = 140737323068233, size = 140737327176224, size_with_redzone = 8927766694574236160, name = 0x10000002eb "",
                            module_name = 0x7ffff630aee0 "\003", has_dynamic_init = 140737296415096, location = 0x7ffff664bce0, odr_indicator = 1}, {beg = 106446469593184, size = 106446469588608,
                            size_with_redzone = 140737339683169, name = 0x60d00001f860 "mgw-endpoint(conn2)[0x6120000060a0]", module_name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177",
                            has_dynamic_init = 140737488340816, location = 0x7ffff626222d <_osmo_fsm_inst_term+12102>, odr_indicator = 150323855361}}, reg_sites = {160, 24864, 4133788192, 32767},
                        access_size = 0, size = 235 '\353'}, addr = 108508053768832}}}, pc = 140737326987344, bp = 140737488342592, sp = 140737488342576, access_size = 8,
                bug_descr = 0x7ffff732f3c4 "heap-use-after-free", is_write = false, shadow_val = 253 '\375'}}}, halt_on_error_ = true}
        error = {<__asan::ErrorBase> = {scariness = {score = 51,
              descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, addr_description = {data = {kind = __asan::kAddressKindHeap, {shadow = {addr = 108508053768832, kind = __asan::kShadowKindLow, shadow_byte = 0 '\000'}, heap = {
                  addr = 108508053768832, alloc_tid = 0, free_tid = 0, alloc_stack_id = 92274689, free_stack_id = 721420289, chunk_access = {bad_addr = 108508053768832, offset = 2176,
                    chunk_begin = 108508053766656, chunk_size = 25216, access_type = 2, alloc_type = 1}}, stack = {addr = 108508053768832, tid = 0, offset = 0, frame_pc = 3098476548018143233,
--Type <RET> for more, q to quit, c to continue without paging--
                  access_size = 108508053768832, frame_descr = 0x880 <error: Cannot access memory at address 0x880>}, global = {addr = 108508053768832, static kMaxGlobals = 4, globals = {{beg = 0,
                      size = 0, size_with_redzone = 3098476548018143233, name = 0x62b000000a80 "`\002", module_name = 0x880 <error: Cannot access memory at address 0x880>,
                      has_dynamic_init = 108508053766656, location = 0x6280, odr_indicator = 73014429286}, {beg = 106790066870560, size = 93825001346016, size_with_redzone = 107889578482016,
                      name = 0x7fffffffc6d0 "P\307\377\377\377\177", module_name = 0x10000 <error: Cannot access memory at address 0x10000>, has_dynamic_init = 93825001346016, location = 0x1,
                      odr_indicator = 140737488340688}, {beg = 140737323068233, size = 140737327176224, size_with_redzone = 8927766694574236160, name = 0x10000002eb "", module_name = 0x7ffff630aee0 "\003",
                      has_dynamic_init = 140737296415096, location = 0x7ffff664bce0, odr_indicator = 1}, {beg = 106446469593184, size = 106446469588608, size_with_redzone = 140737339683169,
                      name = 0x60d00001f860 "mgw-endpoint(conn2)[0x6120000060a0]", module_name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177", has_dynamic_init = 140737488340816,
                      location = 0x7ffff626222d <_osmo_fsm_inst_term+12102>, odr_indicator = 150323855361}}, reg_sites = {160, 24864, 4133788192, 32767}, access_size = 0, size = 235 '\353'},
                addr = 108508053768832}}}, pc = 140737326987344, bp = 140737488342592, sp = 140737488342576, access_size = 8, bug_descr = 0x7ffff732f3c4 "heap-use-after-free", is_write = false,
          shadow_val = 253 '\375'}
#6  0x00007ffff72f841c in __asan::__asan_report_load8 (addr=<optimized out>) at /build/gcc/src/gcc/libsanitizer/asan/asan_rtl.cc:112
        bp = 140737488342592
        pc = <optimized out>
        local_stack = 140737488345168
        sp = 140737488342576
#7  0x00007ffff661b850 in osmo_mgcpc_ep_check_ci (ci=0x62b000000a80) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:139
No locals.
#8  0x00007ffff662264b in osmo_mgcpc_ep_ci_request (ci=0x62b000000a80, verb=MGCP_VERB_DLCX, verb_info=0x0, notify=0x0, event_success=0, event_failure=0, notify_data=0x0)
    at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:536
        ep = 0x0
        fi = 0x0
#9  0x0000555555b33bdc in osmo_mgcpc_ep_ci_dlcx (ci=0x62b000000a80) at /build/new/out/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h:37
No locals.
#10 0x0000555555b34485 in assignment_reset (conn=0x622000001960) at /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:107
No locals.
#11 0x0000555555b6dc43 in assignment_fsm_cleanup (fi=0x612000005da0, cause=OSMO_FSM_TERM_ERROR) at /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:761
        conn = 0x622000001960
#12 0x00007ffff62619ce in _osmo_fsm_inst_term (fi=0x612000005da0, cause=OSMO_FSM_TERM_ERROR, data=0x0, file=0x555555ddeba0 "/git/osmo-bsc/src/osmo-bsc/assignment_fsm.c", line=127)
    at /git/libosmocore/src/fsm.c:890
        parent = 0x612000005920
        parent_term_event = 6
#13 0x0000555555b35b45 in on_assignment_failure (conn=0x622000001960) at /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:127
        resp = 0x61a000025ee0
#14 0x0000555555b66839 in assignment_fsm_wait_mgw_endpoint_to_msc (fi=0x612000005da0, event=4, data=0x0) at /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:657
        _conn = 0x622000001960
        conn = 0x622000001960
#15 0x00007ffff625f2d3 in _osmo_fsm_inst_dispatch (fi=0x612000005da0, event=4, data=0x0, file=0x7ffff6649a20 "/git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c",
    line=374) at /git/libosmocore/src/fsm.c:818
        fsm = 0x555556059460 <assignment_fsm>
        fs = 0x555555f4fe98 <assignment_fsm_states+120>
#16 0x00007ffff661e85e in on_failure (ci=0x62b000000a80) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:374
        notify = 0x612000005da0
        notify_failure = 4
        notify_data = 0x0
#17 0x00007ffff663e5a2 in osmo_mgcpc_ep_fsm_handle_ci_events (fi=0x6120000060a0, event=3, data=0x0) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:813
        ci = 0x62b000000a80
        ep = 0x62b000000260
#18 0x00007ffff625f2d3 in _osmo_fsm_inst_dispatch (fi=0x6120000060a0, event=3, data=0x0, file=0x7ffff66462c0 "/git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c", line=264)
    at /git/libosmocore/src/fsm.c:818
        fsm = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm>
        fs = 0x7ffff6657ce8 <osmo_mgcpc_ep_fsm_states+40>
#19 0x00007ffff626221d in _osmo_fsm_inst_term (fi=0x6120000063a0, cause=OSMO_FSM_TERM_ERROR, data=0x0,
    file=0x7ffff66462c0 "/git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c", line=264) at /git/libosmocore/src/fsm.c:905
        parent = 0x6120000060a0
        parent_term_event = 3
#20 0x00007ffff6614546 in mgw_crcx_resp_cb (r=0x619000006ee0, priv=0x6120000063a0) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264
        fi = 0x6120000063a0
        mgcp_ctx = 0x61b00005b0e0
        rc = 24960
#21 0x00007ffff66058e6 in mgcp_client_handle_response (mgcp=0x618000002ce0, pending=0x60d00001fe10, response=0x619000006ee0)
    at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:206
No locals.
#22 0x00007ffff6608d75 in mgcp_client_rx (mgcp=0x618000002ce0, msg=0x62100000a160) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:680
        r = 0x619000006ee0
        pending = 0x60d00001fe10
        rc = 0
#23 0x00007ffff66092e9 in mgcp_do_read (fd=0x618000002f08) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:714
        mgcp = 0x618000002ce0
        msg = 0x62100000a160
        ret = 12
#24 0x00007ffff6262b11 in osmo_wqueue_bfd_cb (fd=0x618000002f08, what=1) at /git/libosmocore/src/write_queue.c:51
        queue = 0x618000002f08
        rc = 0
#25 0x00007ffff623b884 in osmo_fd_disp_fds (_rset=0x7fffffffdf50, _wset=0x7fffffffdff0, _eset=0x7fffffffe090) at /git/libosmocore/src/select.c:223
        flags = 1
        ufd = 0x618000002f08
        tmp = 0x613000008060
        work = 1
        readset = 0x7fffffffdf50
        writeset = 0x7fffffffdff0
        exceptset = 0x7fffffffe090
#26 0x00007ffff623bbaa in osmo_select_main (polling=0) at /git/libosmocore/src/select.c:263
        readset = {__fds_bits = {0 <repeats 16 times>}}
        writeset = {__fds_bits = {0 <repeats 16 times>}}
        exceptset = {__fds_bits = {0 <repeats 16 times>}}
        rc = 1
        no_time = {tv_sec = 0, tv_usec = 0}
#27 0x0000555555d4e623 in main (argc=4, argv=0x7fffffffe2c8) at /git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932
        msc = 0x60f000000198
        data = 0x60f000000190
        rc = 0
(gdb)
Actions #1

Updated by neels over 3 years ago

  • Status changed from New to Feedback

pespin sorry for never looking into this, do you have an easy way to tell whether this problem is fixed now?

Actions #2

Updated by pespin over 3 years ago

No idea sorry, I don't even remember what I was doing exactly at that time after 1 year. The issue may be solved as of now. Feel free to give a quick look at the code around the stack trace in case you find something suspicious, and close otherwise.

Actions #3

Updated by neels over 3 years ago

  • Status changed from Feedback to Resolved

We solved some use after free in the mgcp client: https://gerrit.osmocom.org/c/osmo-mgw/+/15839 (and more)
Lacking reproducibility, I am closing this issue.
