Bug #1731
closedSIGABRT in proxy mode with AMR and octbts
100%
Description
Tested with octbts3500 running OCTSDR-2G-02.05.00-B780-DEBUG image (not sure if it's relevant).
OpenBSC in proxy mode (-P) configured for AMR codec (default-codec tch-f amr) dies with following logs:
DMSC <000a> bsc_api.c:402 Sending ChanModify for speech: SPEECH_AMR on channel TCH_F
msgb(0x81dbbf8): Not enough tailroom msgb_push (32 < 33)
backtrace() returned 8 addresses
/usr/lib/i386-linux-gnu/libosmocore.so.7(osmo_generate_backtrace+0x16) [0xb7f4b926]
/usr/lib/i386-linux-gnu/libosmocore.so.7(osmo_panic+0x54) [0xb7f4b754]
/home/msuraev/source/gsm/openbsc/openbsc/src/osmo-nitb/osmo-nitb() [0x80903e8]
/usr/lib/i386-linux-gnu/libosmocore.so.7(osmo_select_main+0x204) [0xb7f45a34]
/home/msuraev/source/gsm/openbsc/openbsc/src/osmo-nitb/osmo-nitb() [0x804ceb9]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0xb7bc4af3]
/home/msuraev/source/gsm/openbsc/openbsc/src/osmo-nitb/osmo-nitb() [0x804d124]
Program received signal SIGABRT, Aborted.
0xb7fdd428 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdd428 in __kernel_vsyscall ()
#1 0xb7bd9687 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb7bdcab3 in __GI_abort () at abort.c:89
#3 0xb7f4b759 in osmo_panic_default (args=0xbfffee04 "\370\273\035\b ",
fmt=0x809e1e0 "msgb(%p): Not enough tailroom msgb_push (%u < %u)\n") at panic.c:50
#4 osmo_panic (fmt=fmt@entry=0x809e1e0 "msgb(%p): Not enough tailroom msgb_push (%u < %u)\n") at panic.c:85
#5 0x080903e8 in msgb_put (len=33, msgb=0x81dbbf8) at /usr/include/osmocom/core/msgb.h:188
#6 rtp_decode (msg=0x81e23c8, msg=0x81e23c8, data=<synthetic pointer>, callref=<optimized out>) at rtp_proxy.c:189
#7 rtp_socket_read (rss=0x81dc730, rs=0x81dc728) at rtp_proxy.c:455
#8 rtp_bfd_cb (bfd=0x81dc750, flags=1) at rtp_proxy.c:517
#9 0xb7f45a34 in osmo_fd_disp_fds (_eset=0xbfffefb0, _wset=0xbfffef30, _rset=0xbfffeeb0) at select.c:149
#10 osmo_select_main (polling=polling@entry=0) at select.c:191
#11 0x0804ceb9 in main (argc=8, argv=0xbffff134) at bsc_hack.c:375
The trivial fix is to increment MAX_RTP_PAYLOAD_LEN in rtp_proxy.c by 1 to accommodate for the AMR data is stored in RTP (first byte is length) but I'm puzzled why I'm unable to reproduce this with sysmobts.
Updated by zecke almost 8 years ago
Did you look at the payload with wireshark?
- NITB should not crash with too big payloads
- There must be a bogus byte in the message. In general with AMR there is octet-aligned and non-octet aligned. Also CRC... so I assume we generate the wrong kind of AMR?
Updated by msuraev almost 8 years ago
There are actually 2 separate issues in here:
- octbts do not support AMR so it should not send RTP at all in this configuration (see l1if_tch_rx() in l1_tch.c)
- nitb should not be crashed by unexpected RTP payloads
Updated by msuraev almost 8 years ago
- % Done changed from 0 to 20
Fix for NITB tested with symoBTS. Will re-test with octbts and submit to gerrit afterwards.
Updated by msuraev almost 8 years ago
- Status changed from In Progress to Resolved
- Assignee changed from msuraev to laforge
- % Done changed from 80 to 100
Fix has been merged to master. Octbts side will be fixed once amr support is implemented - I can open separate bug if necessary.
