Project

General

Profile

Actions
Copy link

Bug #55

closed

GPRS/SGSN crash due inconsistent msgb* handling across layers

Added by about 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Spec Reference:

Description

1.) gprs_ns_sendmsg frees the message on error
2.) GB data_ind calls into sndcp_send_ud_frag...

rc = gprs_llc_tx_ui(fmsg, lle->sapi, 0, fs->mmcontext);
        if (rc < 0) {
                /* abort in case of error, do not advance frag_nr / next_byte */
                msgb_free(fmsg);
        }

if this reaches down to gprs_ns_sendmsg it will delete the msgb and we will have a double free, it not we will leak memory... we need to establish a clear ownership and responsibilities..

Actions
Copy link
 #1

Updated by laforge almost 8 years ago

  • Project changed from OpenBSC to OsmoSGSN
  • Category deleted (234)
Actions
Copy link
 #2

Updated by laforge almost 8 years ago

  • Priority changed from High to Urgent
Actions
Copy link
 #3

Updated by laforge over 6 years ago

  • Assignee set to 4368
Actions
Copy link
 #4

Updated by zecke over 6 years ago

Weird. I can't remember to have seen this in my assigned ticket overview (but maybe zecke2 is someone else...). I think this: f9ffd1fa1811914ce6b19f1d17e7a908e550d358 was fixing it. And the PCU has a mini program/documentation to provoke this situation.

Actions
Copy link
 #5

Updated by laforge over 6 years ago

  • Status changed from New to Closed

then let's close it.

Actions
Copy link

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)