Bug #2853: OsmoMSC crashes in processing MNCC_CALL_PROC_REQ (closed)
Start date: 01/22/2018
Due date:
% Done: 100%
Resolution:
Spec Reference:
Description
In a MO call, I'm sending the following MNCC message in response to a MNCC_SETUP_IND:
01:05:46.387919 7 MNCC_Emulation.ttcn:286 Sent on MNCC to system @MNCC_CodecPort.MNCC_send_data : { data := { msg_type := MNCC_CALL_PROC_REQ (264), u := { signal := { callref := -2147483647, bearer_cap := { transfer := 0, mode := 0, coding := 0, radio := 3, speech_ctm := 0, speech_ver := { 0, 2, 4, 1, 5 }, data := omit }, called := omit, calling := omit, redirecting := omit, connected := omit, cause := omit, progress := omit, useruser := omit, facility := omit, cccap := omit, ssversion := omit, clir_sup := 0, clir_inv := 0, signal := omit, keypad := omit, more := 0, notify := 0, emergency := omit, imsi := "", lchan_type := 0, lchan_mode := 0 } } }, id := 0 }
And OsmoMSC crashes as follows (ran in valgrind):
<0006> gsm_04_08.c:1328 transmit message MNCC_SETUP_IND
<0006> gsm_04_08.c:2897 receive message MNCC_CALL_PROC_REQ
==1158== Invalid read of size 4
==1158==    at 0x54893C3: gsm48_encode_bearer_cap (gsm48_ie.c:259)
==1158==  Address 0x914249c is 0 bytes after a block of size 1,324 alloc'd
==1158==    at 0x4C2CBEF: malloc (vg_replace_malloc.c:299)
==1158==    by 0x505D150: _talloc_zero (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.1.10)
==1158==    by 0x56CEA4E: msgb_alloc (msgb.c:84)
==1158==    by 0x12404C: mncc_sock_read (mncc_sock.c:111)
==1158==    by 0x12404C: mncc_sock_cb (mncc_sock.c:195)
==1158==    by 0x56CE7C0: osmo_fd_disp_fds (select.c:216)
==1158==    by 0x56CE7C0: osmo_select_main (select.c:256)
==1158==    by 0x112929: main (msc_main.c:552)
==1158==
==1158== Jump to the invalid address stated on the next line
==1158==    at 0x0: ???
==1158==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1158==
==1158==
==1158== Process terminating with default action of signal 11 (SIGSEGV)
==1158==  Bad permissions for mapped region at address 0x0
==1158==    at 0x0: ???
Updated by laforge about 6 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 20
Ok, it seems like the code
    switch (bcap->transfer) {
    case GSM_MNCC_BCAP_SPEECH:
        for (s = 0; bcap->speech_ver[s] >= 0; s++) {

expects the bcap->speech_ver[] array to be terminated with a '-1' entry, which I'm not providing. MNCC input validation should make sure that such an entry always exists, or reject any message without a -1 terminating entry.
Updated by laforge about 6 years ago
- % Done changed from 20 to 80
https://gerrit.osmocom.org/5965 introduces MNCC input validation to OsmoMSC
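The following is an added example, not OsmoMSC's code and not the change in gerrit 5965. It puts the unterminated walk quoted in the previous comment beside the kind of bounded validation that the comment asks for at the MNCC socket boundary. The struct layout, the array size of 8 and the value of MNCC_BCAP_SPEECH are assumptions made for the example; the sample input reproduces the { 0, 2, 4, 1, 5 } array from the TTCN-3 log above, with the remaining slots zero-filled as a talloc_zero'd message buffer would hold them.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the bearer capability carried in MNCC messages.
 * Field names follow the ticket (transfer, speech_ver[]); the array size
 * and the speech constant are assumptions for this example. */
#define BCAP_SPEECH_VER_MAX 8
#define MNCC_BCAP_SPEECH 0

struct bcap {
	int transfer;
	int speech_ver[BCAP_SPEECH_VER_MAX];
};

/* The pattern from the ticket: walks speech_ver[] until a negative entry
 * and relies on the peer having supplied a -1 terminator. Fed an array
 * without one it reads past the end of the struct (and, as the valgrind
 * trace shows, past the end of the msgb). Only call it on validated input. */
static int count_speech_ver_unchecked(const struct bcap *bcap)
{
	int s;
	for (s = 0; bcap->speech_ver[s] >= 0; s++)
		;
	return s;
}

/* Returns true only if a -1 terminator exists within the array bounds,
 * with nothing but non-negative versions before it. */
static bool bcap_speech_ver_valid(const struct bcap *bcap)
{
	int s;
	for (s = 0; s < BCAP_SPEECH_VER_MAX; s++) {
		if (bcap->speech_ver[s] == -1)
			return true;
		if (bcap->speech_ver[s] < 0)
			return false; /* negative but not the terminator */
	}
	return false; /* ran off the end without seeing -1 */
}

/* Bounded replacement for the encoder loop: never reads past the array.
 * Returns the number of speech versions, 0 for non-speech, -1 if invalid. */
static int bcap_speech_ver_count(const struct bcap *bcap)
{
	int s;
	if (bcap->transfer != MNCC_BCAP_SPEECH)
		return 0;
	if (!bcap_speech_ver_valid(bcap))
		return -1;
	for (s = 0; s < BCAP_SPEECH_VER_MAX && bcap->speech_ver[s] >= 0; s++)
		;
	return s;
}

/* Validation hook for the socket read path: reject the message before any
 * encoder touches it. 0 = accept, -1 = reject. */
static int mncc_validate_call_proc(const struct bcap *bcap)
{
	if (bcap->transfer == MNCC_BCAP_SPEECH && !bcap_speech_ver_valid(bcap)) {
		fprintf(stderr, "MNCC_CALL_PROC_REQ: speech_ver[] lacks -1 terminator, rejecting\n");
		return -1;
	}
	return 0;
}

/* Constructed sample: the ticket's { 0, 2, 4, 1, 5 }, rest zero-filled. */
static struct bcap sample_unterminated(void)
{
	struct bcap b;
	int v[] = { 0, 2, 4, 1, 5 };
	memset(&b, 0, sizeof(b));
	b.transfer = MNCC_BCAP_SPEECH;
	memcpy(b.speech_ver, v, sizeof(v));
	return b;
}

/* Same list, but terminated the way the encoder expects. */
static struct bcap sample_terminated(void)
{
	struct bcap b = sample_unterminated();
	b.speech_ver[5] = -1;
	return b;
}

int main(void)
{
	struct bcap bad = sample_unterminated();
	struct bcap good = sample_terminated();
	printf("unterminated: valid=%d validate=%d\n",
	       bcap_speech_ver_valid(&bad), mncc_validate_call_proc(&bad));
	printf("terminated:   valid=%d count=%d unchecked=%d\n",
	       bcap_speech_ver_valid(&good), bcap_speech_ver_count(&good),
	       count_speech_ver_unchecked(&good));
	return 0;
}
```

The check deliberately treats "no -1 within the array" and "a negative value other than -1" as the same failure, so the encoder can keep a simple bounded loop once the message has passed the socket-level validation.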
Updated by laforge about 6 years ago
- Checklist item create TTCN-3 test case added
Updated by laforge about 6 years ago
- Status changed from In Progress to Closed
- % Done changed from 80 to 100