Project

General

Profile

Bug #2853

OsmoMSC crashes in processing MNCC_CALL_PROC_REQ

Added by laforge 7 months ago. Updated 7 months ago.

Status:
Closed
Priority:
High
Assignee:
Category:
MNCC Interface
Target version:
-
Start date:
01/22/2018
Due date:
% Done:

100%

Estimated time:
Resolution:

Description

In a MO call, I'm sending the following MNCC message in response to a MNCC_SETUP_IND:

01:05:46.387919 7 MNCC_Emulation.ttcn:286 Sent on MNCC to system @MNCC_CodecPort.MNCC_send_data : {
    data := {
        msg_type := MNCC_CALL_PROC_REQ (264),
        u := {
            signal := {
                callref := -2147483647,
                bearer_cap := {
                    transfer := 0,
                    mode := 0,
                    coding := 0,
                    radio := 3,
                    speech_ctm := 0,
                    speech_ver := {
                        0,
                        2,
                        4,
                        1,
                        5
                    },
                    data := omit
                },
                called := omit,
                calling := omit,
                redirecting := omit,
                connected := omit,
                cause := omit,
                progress := omit,
                useruser := omit,
                facility := omit,
                cccap := omit,
                ssversion := omit,
                clir_sup := 0,
                clir_inv := 0,
                signal := omit,
                keypad := omit,
                more := 0,
                notify := 0,
                emergency := omit,
                imsi := "",
                lchan_type := 0,
                lchan_mode := 0
            }
        }
    },
    id := 0
}

And OsmoMSC crashes as follows (ran in valgrind):

<0006> gsm_04_08.c:1328 transmit message MNCC_SETUP_IND
<0006> gsm_04_08.c:2897 receive message MNCC_CALL_PROC_REQ
==1158== Invalid read of size 4
==1158==    at 0x54893C3: gsm48_encode_bearer_cap (gsm48_ie.c:259)
==1158==  Address 0x914249c is 0 bytes after a block of size 1,324 alloc'd
==1158==    at 0x4C2CBEF: malloc (vg_replace_malloc.c:299)
==1158==    by 0x505D150: _talloc_zero (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.1.10)
==1158==    by 0x56CEA4E: msgb_alloc (msgb.c:84)
==1158==    by 0x12404C: mncc_sock_read (mncc_sock.c:111)
==1158==    by 0x12404C: mncc_sock_cb (mncc_sock.c:195)
==1158==    by 0x56CE7C0: osmo_fd_disp_fds (select.c:216)
==1158==    by 0x56CE7C0: osmo_select_main (select.c:256)
==1158==    by 0x112929: main (msc_main.c:552)
==1158== 
==1158== Jump to the invalid address stated on the next line
==1158==    at 0x0: ???
==1158==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1158== 
==1158== 
==1158== Process terminating with default action of signal 11 (SIGSEGV)
==1158==  Bad permissions for mapped region at address 0x0
==1158==    at 0x0: ???

History

#1 Updated by laforge 7 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 20

Ok, it seems like the code

»·······switch (bcap->transfer) {
»·······case GSM_MNCC_BCAP_SPEECH:
»·······»·······for (s = 0; bcap->speech_ver[s] >= 0; s++) {

expectes the bcap->speech_ver[] array to be terminated with a '-1' entry, which I'm not providing. MNCC input validation should make sure that such an entry always exists, or reject any message without a -1 terminating entry.

#2 Updated by laforge 7 months ago

  • % Done changed from 20 to 80

https://gerrit.osmocom.org/5965 introduces MNCC input validation to OsmoMSC

#3 Updated by laforge 7 months ago

  • Checklist item create TTCN-3 test case added

#4 Updated by laforge 7 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 80 to 100

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)