Bug #4208
closedcrash: libosmocore/src/gsm/gsm48.c:788:18: runtime error: load of null pointer of type 'const uint8_t'
0%
Description
address sanitizer finds a NULL dereference in osmo-sgsn.
Reproduce: try to register via IuPS.
20190916185253653 DMM INFO MM(---/ffffffff) -> GMM RA UPDATE REQUEST type="RA updating" (gprs_gmm.c:1531)
20190916185253653 DMM INFO MM(901700000014705/f343f6c1) Looked up by matching TLLI and P_TMSI. BSSGP TLLI: 00000000, P-TMSI: f343f6c1 (00000000), TLLI: f343f6c1 (f343f6c1), RA: 262-42-23-0 (gprs_gmm.c:1606)
20190916185253653 DMM DEBUG GMM(gmm_fsm)[0x612000004420]{Registered.NORMAL}: Received Event E_GMM_COMMON_PROC_INIT_REQ (gprs_gmm.c:1607)
20190916185253653 DMM DEBUG GMM(gmm_fsm)[0x612000004420]{Registered.NORMAL}: state_chg to CommonProcedureInitiated (gprs_gmm_fsm.c:53)
../../../../src/libosmocore/src/gsm/gsm48.c:788:18: runtime error: load of null pointer of type 'const uint8_t'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2471==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff328fadc80 bp 0x7ffc1e26f1a0 sp 0x7ffc1e26f180 T0)
==2471==The signal is caused by a READ memory access.
==2471==Hint: address points to the zero page.
#0 0x7ff328fadc7f in gsm48_parse_ra ../../../../src/libosmocore/src/gsm/gsm48.c:788
#1 0x7ff328d471b7 in bssgp_parse_cell_id ../../../../src/libosmocore/src/gb/gprs_bssgp.c:243
#2 0x55757f7ead4c in gsm48_rx_gmm_ra_upd_req ../../../../src/osmo-sgsn/src/sgsn/gprs_gmm.c:1646
#3 0x55757f7ee340 in gsm0408_rcv_gmm ../../../../src/osmo-sgsn/src/sgsn/gprs_gmm.c:1952
#4 0x55757f7f511b in gsm0408_gprs_rcvmsg_iu ../../../../src/osmo-sgsn/src/sgsn/gprs_ranap.c:205
#5 0x7ff3278ebac4 in ranap_handle_co_initial_ue ../../../src/osmo-iuh/src/iu_client.c:401
More complete traces follow.
Files
Updated by neels over 4 years ago
- File sgsn_crash.tgz sgsn_crash.tgz added
- Assignee set to lynxis
Hmm, seems not so easy to reproduce. Anyway, attaching the complete logs and traces.
Note that above backtrace isn't contained in it, the osmo-sgsn log just ends where the crash happened.
The source file locations of the crash:
iu_client.c:401: global_iu_recv_cb(msg, &ra_id, &sai);
gprs_ranap.c:205: rc = gsm0408_rcv_gmm(mmctx, msg, NULL, false);
gprs_gmm.c:1646: bssgp_parse_cell_id(&mmctx->ra, msgb_bcid(msg));
Updated by lynxis over 4 years ago
- Status changed from New to Rejected
neels this is already known. the 2g to 3g ran switches are still not fixes. It was fixed in the camp2019 branch, but those fixes take longer to upstream.
Duplicate of https://osmocom.org/issues/3727
