Bug #4965

closed

osmo-gbproxy segfaults in ttcn3-gbproxy-test

Added by laforge about 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Immediate
Assignee:
Target version: -
Start date: 01/21/2021
Due date:
% Done: 100%
Spec Reference:

Description

See https://jenkins.osmocom.org/jenkins/view/TTCN3/job/ttcn3-gbproxy-test/107/console

It happens really soon after start-up:

20210121111035629 DLGLOBAL <0013> telnet_interface.c:104 Available via telnet 0.0.0.0 4246
20210121111035630 DLCTRL <001a> control_if.c:915 CTRL at 127.0.0.1 4263
20210121111038666 DGPRS <0004> gb_proxy.c:1382 NS: Unknown NS-STATUS.ind cause=NSVC failure from NS
20210121111038667 DLNS <0026> gprs_ns2_sns.c:1359 GPRS-NS2-SNS-BSS(NSE00101-SNS)[0x55f9c0834300]{SIZE}: NSE 101: no remaining NSVC, resetting SNS FSM
20210121111038667 DGPRS <0004> gb_proxy.c:1382 NS: Unknown NS-STATUS.ind cause=NSVC failure from NS
20210121111038667 DLNS <0026> gprs_ns2_sns.c:1359 GPRS-NS2-SNS-BSS(NSE00102-SNS)[0x55f9c0835380]{SIZE}: NSE 102: no remaining NSVC, resetting SNS FSM
20210121111041692 DGPRS <0004> gb_proxy.c:1382 NS: Unknown NS-STATUS.ind cause=NSVC recovery from NS
20210121111041698 DLNS <0026> gprs_ns2_vc_fsm.c:823 GPRS-NS2-VC(UDP-NSE00102-remote-172_18_24_103:24000)[0x55f9c0834e70]{UNBLOCKED}: NSEI=102 Rx unknown NS PDU type NS-STATUS
20210121111041700 DGPRS <0004> gb_proxy.c:1382 NS: Unknown NS-STATUS.ind cause=NSVC recovery from NS
20210121111041707 DLNS <0026> gprs_ns2_vc_fsm.c:823 GPRS-NS2-VC(UDP-NSE00101-remote-172_18_24_103:23000)[0x55f9c0837790]{UNBLOCKED}: NSEI=101 Rx unknown NS PDU type NS-STATUS
20210121111042928 DGPRS <0004> gb_proxy.c:1344 NS-NSE 2001 became available
20210121111042928 DGPRS <0004> gb_proxy.c:1382 NS: Unknown NS-STATUS.ind cause=NSVC recovery from NS
Segmentation fault (core dumped)

a decoded core dump (no sources in the container):

#0  gprs_ns2_vc_rx (nsvc=nsvc@entry=0x55f9c0837070, msg=msg@entry=0x55f9c083d6d0, tp=tp@entry=0x0)
    at gprs_ns2_vc_fsm.c:766
766     gprs_ns2_vc_fsm.c: No such file or directory.
(gdb) bt
#0  gprs_ns2_vc_rx (nsvc=nsvc@entry=0x55f9c0837070, msg=msg@entry=0x55f9c083d6d0, tp=tp@entry=0x0)
    at gprs_ns2_vc_fsm.c:766
#1  0x00007f800f099d65 in ns2_recv_vc (nsvc=0x55f9c0837070, msg=msg@entry=0x55f9c083d6d0)
    at gprs_ns2.c:1102
#2  0x00007f800f09b456 in handle_nsip_read (bfd=0x55f9c0834120) at gprs_ns2_udp.c:251
#3  nsip_fd_cb (bfd=0x55f9c0834120, what=1) at gprs_ns2_udp.c:269
#4  0x00007f800ec2ca18 in poll_disp_fds (n_fd=<optimized out>) at select.c:350
#5  _osmo_select_main (polling=<optimized out>) at select.c:378
#6  0x00007f800ec2ca96 in osmo_select_main (polling=<optimized out>) at select.c:417
#7  0x000055f9c02a8491 in main (argc=3, argv=0x7ffc86df1308) at gb_proxy_main.c:332

Actions #1

Updated by laforge about 3 years ago

root@f3251babd029:/tmp/osmo-sgsn/src/gbproxy# osmo-gbproxy --version
OsmoGbProxy version 1.6.0.137-45bf9
ii  libosmocore                      1.4.0.394.9c1e                    amd64        Open Source MObile COMmunications CORE library (metapackage)

So the bug is likely that 'tp' is NULL at:

        if (TLVP_PRESENT(tp, NS_IE_NSEI)) {
                nsei = tlvp_val16be(tp, NS_IE_NSEI);
                if (nsei != nsvc->nse->nsei) {
                        /* 48.016 § 7.3.1 send, RESET_ACK to wrong NSVCI + ignore */
                        if (nsh->pdu_type == NS_PDUT_RESET)
                                ns2_tx_reset_ack(nsvc);

                        LOGNSVC(nsvc, LOGL_ERROR, "Rx %s with wrong NSEI=%05u. Ignoring PDU.\n",
                                get_value_string(gprs_ns_pdu_strings, nsh->pdu_type), nsei);
                        goto out;
                }
        }
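
An added sketch (not part of the ticket and not libosmocore code) of the failure mode suspected above: a presence macro that dereferences `tp`, reached with `tp == NULL`. The names `tlv_model`, `IE_PRESENT`, `vc_rx_model` and `rx_bytes`, the tag value and the one-byte length encoding are simplified stand-ins, and the NULL guard shown is one possible defence, not necessarily the project's fix.

```c
#include <stdint.h>
#include <string.h>
/* Stand-ins modelled on the quoted snippet; NOT the libosmocore definitions. */
#define IE_NSEI 0x04 /* constructed tag value (assumption) */
struct ie { const uint8_t *val; uint16_t len; };
struct tlv_model { struct ie lv[256]; };
#define IE_PRESENT(tp, tag) ((tp)->lv[tag].val != NULL) /* dereferences tp */
enum rx_result { RX_ACCEPT, RX_IGNORED_WRONG_NSEI, RX_MALFORMED };
/* Parse tag / 1-byte length / value triplets; -1 on truncated input. */
static int tlv_parse_model(struct tlv_model *out, const uint8_t *buf, size_t len)
{
	size_t i = 0;
	memset(out, 0, sizeof(*out));
	while (i < len) {
		if (len - i < 2 || (size_t)buf[i + 1] > len - i - 2)
			return -1;
		out->lv[buf[i]].val = &buf[i + 2];
		out->lv[buf[i]].len = buf[i + 1];
		i += 2 + (size_t)buf[i + 1];
	}
	return 0;
}

/* Receive check with the guard: tp may be NULL when the caller parsed no IEs. */
static enum rx_result vc_rx_model(uint16_t own_nsei, const struct tlv_model *tp)
{
	if (tp && IE_PRESENT(tp, IE_NSEI)) {
		const uint8_t *v = tp->lv[IE_NSEI].val;
		if (tp->lv[IE_NSEI].len != 2)
			return RX_MALFORMED; /* never read 16 bits from a short IE */
		if ((uint16_t)((v[0] << 8) | v[1]) != own_nsei)
			return RX_IGNORED_WRONG_NSEI;
	}
	return RX_ACCEPT;
}

static enum rx_result rx_bytes(uint16_t own_nsei, const uint8_t *buf, size_t len)
{
	struct tlv_model tp;
	if (tlv_parse_model(&tp, buf, len) < 0)
		return RX_MALFORMED;
	return vc_rx_model(own_nsei, &tp);
}

int main(void)
{
	const uint8_t ok[] = { IE_NSEI, 2, 0x00, 0x65 }; /* constructed: NSEI 101 */
	return !(vc_rx_model(101, NULL) == RX_ACCEPT && rx_bytes(101, ok, sizeof ok) == RX_ACCEPT);
}
```

Without the `tp &&` guard, the first call in `main` would dereference a NULL pointer inside `IE_PRESENT`, which matches the `tp=tp@entry=0x0` frame in the backtrace.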

Actions #2

Updated by laforge about 3 years ago

Likely why dexter submitted https://gerrit.osmocom.org/c/libosmocore/+/22349
which seems to fix change-id Ic8fc49d850490feb0ff69171a6b0881ae8696c0b

How can something like this end up in master? Segfault at the first message received. Did anyone run that version of the code before pushing it to gerrit?

I'm inclined to revert Ic8fc49d850490feb0ff69171a6b0881ae8696c0b

Actions #3

Updated by laforge about 3 years ago

  • % Done changed from 0 to 50

Reverting lyxis' latest changes now.

Then I have to trigger new debian package builds for network:osmocom:nightly, then wait until they are available, then re-start the jenkins jobs.

Actions #4

Updated by laforge about 3 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100

segfault is gone after revert.
