Actions
Bug #2853
closedOsmoMSC crashes in processing MNCC_CALL_PROC_REQ
Start date:
01/22/2018
Due date:
% Done:
100%
Resolution:
Spec Reference:
Description
In a MO call, I'm sending the following MNCC message in response to a MNCC_SETUP_IND:
01:05:46.387919 7 MNCC_Emulation.ttcn:286 Sent on MNCC to system @MNCC_CodecPort.MNCC_send_data : {
data := {
msg_type := MNCC_CALL_PROC_REQ (264),
u := {
signal := {
callref := -2147483647,
bearer_cap := {
transfer := 0,
mode := 0,
coding := 0,
radio := 3,
speech_ctm := 0,
speech_ver := {
0,
2,
4,
1,
5
},
data := omit
},
called := omit,
calling := omit,
redirecting := omit,
connected := omit,
cause := omit,
progress := omit,
useruser := omit,
facility := omit,
cccap := omit,
ssversion := omit,
clir_sup := 0,
clir_inv := 0,
signal := omit,
keypad := omit,
more := 0,
notify := 0,
emergency := omit,
imsi := "",
lchan_type := 0,
lchan_mode := 0
}
}
},
id := 0
}
And OsmoMSC crashes as follows (ran in valgrind):
<0006> gsm_04_08.c:1328 transmit message MNCC_SETUP_IND <0006> gsm_04_08.c:2897 receive message MNCC_CALL_PROC_REQ ==1158== Invalid read of size 4 ==1158== at 0x54893C3: gsm48_encode_bearer_cap (gsm48_ie.c:259) ==1158== Address 0x914249c is 0 bytes after a block of size 1,324 alloc'd ==1158== at 0x4C2CBEF: malloc (vg_replace_malloc.c:299) ==1158== by 0x505D150: _talloc_zero (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.1.10) ==1158== by 0x56CEA4E: msgb_alloc (msgb.c:84) ==1158== by 0x12404C: mncc_sock_read (mncc_sock.c:111) ==1158== by 0x12404C: mncc_sock_cb (mncc_sock.c:195) ==1158== by 0x56CE7C0: osmo_fd_disp_fds (select.c:216) ==1158== by 0x56CE7C0: osmo_select_main (select.c:256) ==1158== by 0x112929: main (msc_main.c:552) ==1158== ==1158== Jump to the invalid address stated on the next line ==1158== at 0x0: ??? ==1158== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==1158== ==1158== ==1158== Process terminating with default action of signal 11 (SIGSEGV) ==1158== Bad permissions for mapped region at address 0x0 ==1158== at 0x0: ???
Updated by laforge about 6 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 20
Ok, it seems like the code
»·······switch (bcap->transfer) {
»·······case GSM_MNCC_BCAP_SPEECH:
»·······»·······for (s = 0; bcap->speech_ver[s] >= 0; s++) {
expectes the bcap->speech_ver[] array to be terminated with a '-1' entry, which I'm not providing. MNCC input validation should make sure that such an entry always exists, or reject any message without a -1 terminating entry.
Updated by laforge about 6 years ago
- % Done changed from 20 to 80
https://gerrit.osmocom.org/5965 introduces MNCC input validation to OsmoMSC
Updated by laforge about 6 years ago
- Checklist item create TTCN-3 test case added
Updated by laforge about 6 years ago
- Status changed from In Progress to Closed
- % Done changed from 80 to 100
Actions
