Bug #2885

closed

OsmoMSC crashes on MNCC disconnect

Added by laforge over 6 years ago. Updated almost 5 years ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: MGCP towards MGW
Target version: -
Start date: 01/27/2018
Due date:
% Done: 100%
Resolution:
Spec Reference:

Description

<0004> gsm_04_08.c:1359 transmit message MNCC_CALL_CONF_IND
<0007> msc_mgcp.c:280 MGW(MGW_0)[0xa9bb0c0]{ST_CRCX_CN}: CRCX/RAN: response yields error: 542 FORCED_FAIL
<0007> msc_mgcp.c:281 MGW(MGW_0)[0xa9bb0c0]{ST_CRCX_CN}: operation failed on MGW -- graceful shutdown...
<0007> msc_mgcp.c:730 MGW(MGW_0)[0xa9bb0c0]{ST_HALT}: DLCX: response yields error: 250 OK
<0007> msc_mgcp.c:731 MGW(MGW_0)[0xa9bb0c0]{ST_HALT}: operation failed on MGW -- graceful shutdown...
<0007> msc_mgcp.c:157 MGW(MGW_0)[0xa9bb0c0]{ST_HALT}: transition to state ST_CALL not permitted!
<0004> gsm_04_08.c:1359 transmit message MNCC_DISC_IND
<0012> input/ipa.c:67 connection closed with server
<0004> mncc_sock.c:85 MNCC Socket has LOST connection
<0001> gsm_04_08.c:191 Clearing all currently active transactions!!!
==17608== Invalid read of size 8
==17608==    at 0x128B6A: msc_mgcp_call_release (msc_mgcp.c:1052)
==17608==    by 0x11ED50: _gsm48_cc_trans_free (gsm_04_08.c:1419)
==17608==    by 0x12BF94: trans_free (transaction.c:123)
==17608==    by 0x11CFEA: gsm0408_clear_all_trans (gsm_04_08.c:196)
==17608==    by 0x125A07: mncc_sock_close (mncc_sock.c:95)
==17608==    by 0x125B1E: mncc_sock_read (mncc_sock.c:140)
==17608==    by 0x125B1E: mncc_sock_cb (mncc_sock.c:198)
==17608==    by 0x56D0950: osmo_fd_disp_fds (select.c:216)
==17608==    by 0x56D0950: osmo_select_main (select.c:256)
==17608==    by 0x11371B: main (msc_main.c:546)
==17608==  Address 0xaaa3810 is 96 bytes inside a block of size 200 free'd
==17608==    at 0x4C2DDBB: free (vg_replace_malloc.c:530)
==17608==    by 0x505BE82: _talloc_free (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.1.10)
==17608==    by 0x56D3C8E: _osmo_fsm_inst_dispatch (fsm.c:450)
==17608==    by 0x12830B: fsm_timeout_cb (msc_mgcp.c:204)
==17608==    by 0x56D4458: fsm_tmr_cb (fsm.c:185)
==17608==    by 0x56D0305: osmo_timers_update (timer.c:257)
==17608==    by 0x56D0904: osmo_select_main (select.c:253)
==17608==    by 0x11371B: main (msc_main.c:546)
==17608==  Block was alloc'd at
==17608==    at 0x4C2CB8F: malloc (vg_replace_malloc.c:299)
==17608==    by 0x505E150: _talloc_zero (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.1.10)
==17608==    by 0x128448: msc_mgcp_call_assignment (msc_mgcp.c:902)
==17608==    by 0x11C578: gsm48_cc_rx_call_conf (gsm_04_08.c:1847)
==17608==    by 0x11FE8C: gsm0408_rcv_cc (gsm_04_08.c:3269)
==17608==    by 0x11FE8C: gsm0408_dispatch (gsm_04_08.c:3380)
==17608==    by 0x12D05C: msc_dtap (osmo_msc.c:108)
==17608==    by 0x116BB2: rx_dtap (a_iface_bssap.c:683)
==17608==    by 0x116BB2: a_sccp_rx_dt (a_iface_bssap.c:710)
==17608==    by 0x114367: sccp_sap_up (a_iface.c:529)
==17608==    by 0x56D3C8E: _osmo_fsm_inst_dispatch (fsm.c:450)
==17608==    by 0x5D5D9D4: sccp_scoc_rx_from_scrc (sccp_scoc.c:1581)
==17608==    by 0x5D5B6CA: scrc_rx_mtp_xfer_ind_xua (sccp_scrc.c:449)
==17608==    by 0x5D5E5A4: mtp_user_prim_cb (sccp_user.c:176)
==17608== 

So it seems that upon MNCC disconnect, it tries to free some MGCP state again, which was already free'd due to an earlier MGCP failure.
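
A reduced C model of the lifetime problem reported above, added here as an illustration and not taken from OsmoMSC or from whatever fix was applied: two teardown paths reach the same heap object, so the path that frees it also clears the owner's pointer. All struct and function names are hypothetical.

```c
#include <stdlib.h>
/* Hypothetical reduced model; all names are illustrative, not OsmoMSC's. */
struct mgcp_ctx;
struct trans {
    struct mgcp_ctx *mgcp_ctx;  /* owner's reference to the MGCP state */
};
struct mgcp_ctx {
    struct trans *trans;        /* back-pointer so teardown can unlink */
};

static struct mgcp_ctx *ctx_alloc(struct trans *t)
{
    struct mgcp_ctx *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->trans = t;
    t->mgcp_ctx = c;
    return c;
}

/* FSM termination path (timeout, MGW error): the only place that frees.
 * Clearing the owner's pointer first keeps it from going stale. */
static void ctx_terminate(struct mgcp_ctx *c)
{
    if (c->trans)
        c->trans->mgcp_ctx = NULL;
    free(c);
}

/* Teardown path: returns 1 if a live context was released, else 0. */
static int call_release(struct trans *t)
{
    struct mgcp_ctx *c = t->mgcp_ctx;
    if (!c)
        return 0;               /* FSM already tore it down */
    ctx_terminate(c);
    return 1;
}

/* Replays the event order in the trace: FSM frees first, release follows. */
static int replay_trace_order(void)
{
    struct trans t = { NULL };
    if (!ctx_alloc(&t))
        return -1;
    ctx_terminate(t.mgcp_ctx);  /* earlier MGCP failure frees the state */
    return call_release(&t);    /* later disconnect must be a no-op */
}

int main(void) { return replay_trace_order() == 0 ? 0 : 1; }
```

Without the unlink in `ctx_terminate`, the replay touches freed memory during the release, which Valgrind or AddressSanitizer reports much like the trace above.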

