Cellular Network Infrastructure » Radio Access Network » OsmoBTS

jfdionne wrote:

After call connection osmo-bts crashes with segmentation fault with AMR half rate codec. DTX was not used.

It has been tested with latest master branches of libosmo-abis, libosmocore, openbsc and osmo-bts. See attachement for stack trace.

The problem seems to have been introduced to osmo-bts in commit acfccb3f028c8417df42de9a6400896eb269a614.

jfdionne wrote:

The problem seems to have been introduced to osmo-bts in commit acfccb3f028c8417df42de9a6400896eb269a614.

jfdionne wrote:

The crash is caused by an access to a DTX downlink AMR FSM structure element when DTX is not in use. The FSM structure is not allocated if DTX is not in use since osmo-bts commit acfccb3f028c8417df42de9a6400896eb269a614.

The faulty access is done at the beginning of dtx_dl_amr_fsm_step function of src/common/msg_utils.c. I suggest the following patch:

diff --git a/src/common/msg_utils.c b/src/common/msg_utils.c
index b844eec..a2aaf71 100644
--- a/src/common/msg_utils.c
+++ b/src/common/msg_utils.c
@ -156,12 +156,15 @ int dtx_dl_amr_fsm_step(struct gsm_lchan *lchan, const uint8_t *rtp_pl,
int8_t sti, cmi;
int rc;

- if (lchan->type GSM_LCHAN_TCH_H && /* SID-FIRST P1 > P2 completion /
lchan->tch.dtx.dl_amr_fsm->state ST_SID_F2 && !rtp_pl) {
- *len = 3;
- memcpy(l1_payload, lchan->tch.dtx.cache, 2);
- dtx_dispatch(lchan, E_SID_U);
- return 0;
+ if (dtx_dl_amr_enabled(lchan))
+ {
+ if (lchan->type GSM_LCHAN_TCH_H && / SID-FIRST P1 > P2 completion */
+ lchan>tch.dtx.dl_amr_fsm->state ST_SID_F2 && !rtp_pl) {
+ *len = 3;
+ memcpy(l1_payload, lchan->tch.dtx.cache, 2);
+ dtx_dispatch(lchan, E_SID_U);
+ return 0;
+ }
}

if (!rtp_pl_len)

Strangely enough, I'm unable to reproduce the crash. Nevertheless, I've sent your fix to geerit # 1486. Btw, in future you can send it directly to gerrit to speedup the review process.

Fix committed in 304420ca42e17ee85d896d5c9e1f2f19a43b8f39.