Bug #5398

open

Null pointer access at "uectx" in ranap_iu_tx

Added by pespin about 2 years ago. Updated about 2 years ago.

Status: New
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 01/10/2022
Due date:
% Done: 0%
Spec Reference:

Description

It seems the timer sending the RAU Accept keeps running even after the Iu conn has been released. Then, apparently due to that, msg->dst is NULL.

20220110121956305 DMM <0000> /git/osmo-iuh/src/ranap_common_cn.c:240 Received unsupported RANAP unsuccessful outcome procedure Security Mode Control (CO) from RNC, ignoring
20220110121956305 DMM <0000> /git/osmo-iuh/src/ranap_common_cn.c:309 Not calling cn_ranap_handle_co() due to rc=-1
20220110121956305 DMM <0000> /git/osmo-iuh/src/ranap_common_cn.c:270 Not freeing unsupported RANAP unsuccessful outcome procedure (CO) from RNC
20220110121958657 DMM <0000> /git/osmo-sgsn/src/sgsn/gprs_gmm.c:1491 MM(901700000043320/ccec2b9d) <- GMM ROUTING AREA UPDATE ACCEPT
20220110121958657 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:464 Transmitting L3 Message as RANAP DT (SCCP conn_id 5)
20220110121958657 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1731 Received SCCP User Primitive (N-DATA.request)
20220110121958657 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1772 SCCP-SCOC(5)[0x612000006220]{ACTIVE}: Received Event N-DATA.req
20220110121958657 DLSS7 <001f> /git/libosmo-sccp/src/sccp_scrc.c:401 sccp_scrc_rx_scoc_conn_msg: HDR=(CO:CODT,V=0,LEN=0), PART(T=Routing Context,L=4,D=00000000), PART(T=Destination Reference,L=4,D=000003f0), PART(T=Data,L=36,D=0014402000000200104014130809002a32f40728b6631805f4ccec2b9d1716003b400100)
20220110121958657 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:280 m3ua_hmdc_rx_from_l2(): dpc=189=0.23.5 not local, message is for routing
20220110121958658 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:227 Found route for dpc=189=0.23.5: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-OsmoSGSN proto=m3ua
20220110121958658 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:235 rt->dest.as proto is M3UA for dpc=189=0.23.5
20220110121958658 DLSS7 <001f> /git/libosmo-sccp/src/m3ua.c:508 XUA_AS(as-clnt-OsmoSGSN)[0x612000003e20]{AS_ACTIVE}: Received Event AS-TRANSFER.req
20220110121958658 DLINP <0015> /git/libosmo-netif/src/stream.c:449 [CONNECTED] osmo_stream_cli_fd_cb(): connected write
20220110121958658 DLINP <0015> /git/libosmo-netif/src/stream.c:352 [CONNECTED] osmo_stream_cli_write(): sending 76 bytes of data
20220110121958658 DLINP <0015> /git/libosmo-netif/src/stream.c:449 [CONNECTED] osmo_stream_cli_fd_cb(): connected write
20220110122000787 DLGSUP <001d> /git/osmo-hlr/src/gsupclient/gsup_client.c:266 GSUP ping callback (connected, got PONG)
20220110122000788 DLGSUP <001d> /git/osmo-hlr/src/gsupclient/gsup_client.c:288 GSUP sending PING
20220110122000788 DLINP <0015> /git/libosmo-abis/src/input/ipa.c:139 127.0.0.1:4222 connected write
20220110122000788 DLINP <0015> /git/libosmo-abis/src/input/ipa.c:89 127.0.0.1:4222 sending data
20220110122000788 DLINP <0015> /git/libosmo-abis/src/input/ipa.c:139 127.0.0.1:4222 connected write
20220110122000788 DLINP <0015> /git/libosmo-abis/src/input/ipa.c:89 127.0.0.1:4222 sending data
20220110122000788 DLINP <0015> /git/libosmo-abis/src/input/ipa.c:135 127.0.0.1:4222 connected read
20220110122000788 DLINP <0015> /git/libosmo-abis/src/input/ipa.c:56 127.0.0.1:4222 message received
20220110122000788 DLMI <0017> /git/libosmocore/src/gsm/ipa.c:524 PONG!
20220110122000788 DLGSUP <001d> /git/osmo-hlr/src/gsupclient/gsup_client.c:225 GSUP receiving PONG
20220110122001489 DLINP <0015> /git/libosmo-netif/src/stream.c:445 [CONNECTED] osmo_stream_cli_fd_cb(): connected read
20220110122001489 DLINP <0015> /git/libosmo-netif/src/stream.c:324 [CONNECTED] osmo_stream_cli_read(): message received
20220110122001489 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7.c:1906 0: asp-asp-clnt-OsmoSGSN: xua_cli_read_cb(): sctp_recvmsg() returned 52 (flags=0x80)
20220110122001489 DLM3UA <0022> /git/libosmo-sccp/src/m3ua.c:714 0: asp-asp-clnt-OsmoSGSN: Received M3UA Message (XFER:DATA)
20220110122001489 DLM3UA <0022> /git/libosmo-sccp/src/m3ua.c:543 0: asp-asp-clnt-OsmoSGSN: m3ua_rx_xfer
20220110122001489 DLM3UA <0022> /git/libosmo-sccp/src/m3ua.c:566 0: asp-asp-clnt-OsmoSGSN: m3ua_rx_xfer(): M3UA data header: opc=189=0.23.5 dpc=188=0.23.4
20220110122001489 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:276 m3ua_hmdc_rx_from_l2(): found dpc=188=0.23.4 as local
20220110122001489 DLSS7 <001f> /git/libosmo-sccp/src/sccp_scrc.c:472 scrc_rx_mtp_xfer_ind_xua: HDR=(CO:CODT,V=0,LEN=0), PART(T=Destination Reference,L=4,D=00000005), PART(T=Segmentation,L=4,D=00000000), PART(T=Data,L=13,D=000b40090000010004400209c0)
20220110122001489 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1664 Received CO:CODT for local reference 5
20220110122001489 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1698 SCCP-SCOC(5)[0x612000006220]{ACTIVE}: Received Event RCOC-DT1.ind
20220110122001489 DLSCCP <0020> /git/libosmo-sccp/src/sccp_user.c:175 Delivering N-DATA.indication to SCCP User 'OsmoSGSN-IuPS'
20220110122001490 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:818 sccp_sap_up(N-DATA.indication)
20220110122001490 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:869 N-DATA.ind(5, 00 0b 40 09 00 00 01 00 04 40 02 09 c0 )
20220110122001490 DMM <0000> /git/osmo-iuh/src/ranap_common_cn.c:42 Rx CO IM (Iu Release Request)
20220110122001490 DMM <0000> ranap_decoder.c:2422 Decoding message RANAP_Iu_ReleaseRequestIEs (ranap_decoder.c:2422)
20220110122001490 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:577 handle_co(dir=1, proc=11)
20220110122001490 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:519 Received Iu Release Request, Sending Release Command
20220110122001490 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1731 Received SCCP User Primitive (N-DATA.request)
20220110122001490 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1772 SCCP-SCOC(5)[0x612000006220]{ACTIVE}: Received Event N-DATA.req
20220110122001490 DLSS7 <001f> /git/libosmo-sccp/src/sccp_scrc.c:401 sccp_scrc_rx_scoc_conn_msg: HDR=(CO:CODT,V=0,LEN=0), PART(T=Routing Context,L=4,D=00000000), PART(T=Destination Reference,L=4,D=000003f0), PART(T=Data,L=13,D=000100090000010004400209c0)
20220110122001490 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:280 m3ua_hmdc_rx_from_l2(): dpc=189=0.23.5 not local, message is for routing
20220110122001490 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:227 Found route for dpc=189=0.23.5: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-OsmoSGSN proto=m3ua
20220110122001490 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:235 rt->dest.as proto is M3UA for dpc=189=0.23.5
20220110122001490 DLSS7 <001f> /git/libosmo-sccp/src/m3ua.c:508 XUA_AS(as-clnt-OsmoSGSN)[0x612000003e20]{AS_ACTIVE}: Received Event AS-TRANSFER.req
20220110122001491 DLINP <0015> /git/libosmo-netif/src/stream.c:449 [CONNECTED] osmo_stream_cli_fd_cb(): connected write
20220110122001491 DLINP <0015> /git/libosmo-netif/src/stream.c:352 [CONNECTED] osmo_stream_cli_write(): sending 52 bytes of data
20220110122001491 DLINP <0015> /git/libosmo-netif/src/stream.c:449 [CONNECTED] osmo_stream_cli_fd_cb(): connected write
20220110122001497 DLINP <0015> /git/libosmo-netif/src/stream.c:445 [CONNECTED] osmo_stream_cli_fd_cb(): connected read
20220110122001497 DLINP <0015> /git/libosmo-netif/src/stream.c:324 [CONNECTED] osmo_stream_cli_read(): message received
20220110122001497 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7.c:1906 0: asp-asp-clnt-OsmoSGSN: xua_cli_read_cb(): sctp_recvmsg() returned 52 (flags=0x80)
20220110122001497 DLM3UA <0022> /git/libosmo-sccp/src/m3ua.c:714 0: asp-asp-clnt-OsmoSGSN: Received M3UA Message (XFER:DATA)
20220110122001498 DLM3UA <0022> /git/libosmo-sccp/src/m3ua.c:543 0: asp-asp-clnt-OsmoSGSN: m3ua_rx_xfer
20220110122001498 DLM3UA <0022> /git/libosmo-sccp/src/m3ua.c:566 0: asp-asp-clnt-OsmoSGSN: m3ua_rx_xfer(): M3UA data header: opc=189=0.23.5 dpc=188=0.23.4
20220110122001498 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:276 m3ua_hmdc_rx_from_l2(): found dpc=188=0.23.4 as local
20220110122001498 DLSS7 <001f> /git/libosmo-sccp/src/sccp_scrc.c:472 scrc_rx_mtp_xfer_ind_xua: HDR=(CO:RELRE,V=0,LEN=0), PART(T=Destination Reference,L=4,D=00000005), PART(T=Source Reference,L=4,D=000003f0), PART(T=Cause,L=4,D=00000300), PART(T=Data,L=7,D=20010003000000)
20220110122001498 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1664 Received CO:RELRE for local reference 5
20220110122001498 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1698 SCCP-SCOC(5)[0x612000006220]{ACTIVE}: Received Event RCOC-RELEASED.ind
20220110122001498 DLSCCP <0020> /git/libosmo-sccp/src/sccp_user.c:175 Delivering N-DISCONNECT.indication to SCCP User 'OsmoSGSN-IuPS'
20220110122001498 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:818 sccp_sap_up(N-DISCONNECT.indication)
20220110122001498 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:843 N-DISCONNECT.ind(5)
20220110122001498 DMM <0000> /git/osmo-iuh/src/ranap_common_cn.c:136 Rx CO SO (Iu Release)
20220110122001498 DMM <0000> ranap_decoder.c:68 Decoding message RANAP_Iu_ReleaseCompleteIEs (ranap_decoder.c:68)
20220110122001498 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:577 handle_co(dir=2, proc=1)
20220110122001498 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:122 Submit Iu event to upper layer: RANAP_IU_EVENT_IU_RELEASE
20220110122001498 DMM <0000> /git/osmo-sgsn/src/sgsn/gprs_ranap.c:137 MM(901700000043320/ccec2b9d) IU release (cause=RANAP_IU_EVENT_IU_RELEASE)
20220110122001498 DMM <0000> /git/osmo-sgsn/src/sgsn/gprs_ranap.c:138 MM_STATE_Iu(3)[0x612000005920]{Idle}: Received Event E_PMM_PS_CONN_RELEASE
20220110122001498 DMM <0000> /git/osmo-sgsn/src/sgsn/gprs_ranap.c:138 MM_STATE_Iu(3)[0x612000005920]{Idle}: Event E_PMM_PS_CONN_RELEASE not permitted
20220110122001498 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1731 Received SCCP User Primitive (N-DISCONNECT.request)
20220110122001498 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1772 SCCP-SCOC(5)[0x612000006220]{ACTIVE}: Received Event N-DISCONNECT.req
20220110122001498 DLSS7 <001f> /git/libosmo-sccp/src/sccp_scrc.c:401 sccp_scrc_rx_scoc_conn_msg: HDR=(CO:RELRE,V=0,LEN=0), PART(T=Routing Context,L=4,D=00000000), PART(T=Destination Reference,L=4,D=000003f0), PART(T=Source Reference,L=4,D=00000005), PART(T=Cause,L=4,D=00000300)
20220110122001498 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:280 m3ua_hmdc_rx_from_l2(): dpc=189=0.23.5 not local, message is for routing
20220110122001499 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:227 Found route for dpc=189=0.23.5: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-OsmoSGSN proto=m3ua
20220110122001499 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:235 rt->dest.as proto is M3UA for dpc=189=0.23.5
20220110122001499 DLSS7 <001f> /git/libosmo-sccp/src/m3ua.c:508 XUA_AS(as-clnt-OsmoSGSN)[0x612000003e20]{AS_ACTIVE}: Received Event AS-TRANSFER.req
20220110122001499 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1057 SCCP-SCOC(5)[0x612000006220]{ACTIVE}: state_chg to DISCONN_PEND
20220110122001499 DLSS7 <001f> /git/libosmo-sccp/src/sccp_scrc.c:401 sccp_scrc_rx_scoc_conn_msg: HDR=(CO:RELCO,V=0,LEN=0), PART(T=Routing Context,L=4,D=00000000), PART(T=Destination Reference,L=4,D=000003f0), PART(T=Source Reference,L=4,D=00000005)
20220110122001499 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:280 m3ua_hmdc_rx_from_l2(): dpc=189=0.23.5 not local, message is for routing
20220110122001499 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:227 Found route for dpc=189=0.23.5: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-OsmoSGSN proto=m3ua
20220110122001499 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:235 rt->dest.as proto is M3UA for dpc=189=0.23.5
20220110122001499 DLSS7 <001f> /git/libosmo-sccp/src/m3ua.c:508 XUA_AS(as-clnt-OsmoSGSN)[0x612000003e20]{AS_ACTIVE}: Received Event AS-TRANSFER.req
20220110122001499 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1073 SCCP-SCOC(5)[0x612000006220]{DISCONN_PEND}: state_chg to IDLE
20220110122001499 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:520 SCCP-SCOC(5)[0x612000006220]{IDLE}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20220110122001499 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:520 SCCP-SCOC(5)[0x612000006220]{IDLE}: Freeing instance
20220110122001499 DLSCCP <0020> /git/libosmocore/src/fsm.c:568 SCCP-SCOC(5)[0x612000006220]{IDLE}: Deallocated
20220110122001499 DLINP <0015> /git/libosmo-netif/src/stream.c:449 [CONNECTED] osmo_stream_cli_fd_cb(): connected write
20220110122001500 DLINP <0015> /git/libosmo-netif/src/stream.c:352 [CONNECTED] osmo_stream_cli_write(): sending 44 bytes of data
20220110122001500 DLINP <0015> /git/libosmo-netif/src/stream.c:449 [CONNECTED] osmo_stream_cli_fd_cb(): connected write
20220110122001500 DLINP <0015> /git/libosmo-netif/src/stream.c:352 [CONNECTED] osmo_stream_cli_write(): sending 40 bytes of data
20220110122001500 DLINP <0015> /git/libosmo-netif/src/stream.c:449 [CONNECTED] osmo_stream_cli_fd_cb(): connected write
20220110122002291 DMM <0000> /git/osmo-sgsn/src/sgsn/gprs_gmm.c:1491 MM(901700000015259/f634a4dd) <- GMM ROUTING AREA UPDATE ACCEPT
20220110122002291 DRANAP <000b> /git/osmo-iuh/src/iu_client.c:464 Transmitting L3 Message as RANAP DT (SCCP conn_id 6)
20220110122002292 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1731 Received SCCP User Primitive (N-DATA.request)
20220110122002292 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1772 SCCP-SCOC(6)[0x6120000063a0]{ACTIVE}: Received Event N-DATA.req
20220110122002292 DLSS7 <001f> /git/libosmo-sccp/src/sccp_scrc.c:401 sccp_scrc_rx_scoc_conn_msg: HDR=(CO:CODT,V=0,LEN=0), PART(T=Routing Context,L=4,D=00000000), PART(T=Destination Reference,L=4,D=000003f1), PART(T=Data,L=36,D=0014402000000200104014130809002a32f40728b6631805f4f634a4dd1716003b400100)
20220110122002292 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:280 m3ua_hmdc_rx_from_l2(): dpc=189=0.23.5 not local, message is for routing
20220110122002292 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:227 Found route for dpc=189=0.23.5: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-OsmoSGSN proto=m3ua
20220110122002292 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:235 rt->dest.as proto is M3UA for dpc=189=0.23.5
20220110122002292 DLSS7 <001f> /git/libosmo-sccp/src/m3ua.c:508 XUA_AS(as-clnt-OsmoSGSN)[0x612000003e20]{AS_ACTIVE}: Received Event AS-TRANSFER.req
20220110122002292 DLINP <0015> /git/libosmo-netif/src/stream.c:449 [CONNECTED] osmo_stream_cli_fd_cb(): connected write
20220110122002292 DLINP <0015> /git/libosmo-netif/src/stream.c:352 [CONNECTED] osmo_stream_cli_write(): sending 76 bytes of data
20220110122002292 DLINP <0015> /git/libosmo-netif/src/stream.c:449 [CONNECTED] osmo_stream_cli_fd_cb(): connected write
20220110122004659 DMM <0000> /git/osmo-sgsn/src/sgsn/gprs_gmm.c:1491 MM(901700000043320/ccec2b9d) <- GMM ROUTING AREA UPDATE ACCEPT
/git/osmo-iuh/src/iu_client.c:464:2: runtime error: member access within null pointer of type 'struct ranap_ue_conn_ctx'

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff679e94a in ranap_iu_tx (msg_nas=msg_nas@entry=0x61d00004b0e0, sapi=sapi@entry=1 '\001') at /git/osmo-iuh/src/iu_client.c:464
464            LOGPIU(LOGL_INFO, "Transmitting L3 Message as RANAP DT (SCCP conn_id %u)\n",
(gdb) bt
#0  0x00007ffff679e94a in ranap_iu_tx (msg_nas=msg_nas@entry=0x61d00004b0e0,
    sapi=sapi@entry=1 '\001')
    at /git/osmo-iuh/src/iu_client.c:464
#1  0x00005555556a1587 in gsm48_gmm_sendmsg (msg=msg@entry=0x61d00004b0e0,
    command=command@entry=0, mm=mm@entry=0x617000003560,
    encryptable=encryptable@entry=true)
    at /git/osmo-sgsn/src/sgsn/gprs_gmm.c:137
#2  0x00005555556a8190 in gsm48_tx_gmm_ra_upd_ack (mm=mm@entry=0x617000003560)
    at /git/osmo-sgsn/src/sgsn/gprs_gmm.c:1536
#3  0x00005555556b0ee6 in mmctx_timer_cb (_mm=0x617000003560)
    at /git/osmo-sgsn/src/sgsn/gprs_gmm.c:2181
#4  0x00007ffff51aad35 in osmo_timers_update ()
    at /git/libosmocore/src/timer.c:269
#5  0x00007ffff51ae70a in _osmo_select_main (polling=polling@entry=0)
    at /git/libosmocore/src/select.c:394
#6  0x00007ffff51ae778 in osmo_select_main (polling=polling@entry=0)
    at /git/libosmocore/src/select.c:438
#7  0x00005555556f7826 in main (argc=<optimized out>, argv=0x7fffffffe128)
    at /git/osmo-sgsn/src/sgsn/sgsn_main.c:542
(gdb) l
459    {
460            struct ranap_ue_conn_ctx *uectx = msg_nas->dst;
461            struct msgb *msg;
462            struct osmo_scu_prim *prim;
463
464            LOGPIU(LOGL_INFO, "Transmitting L3 Message as RANAP DT (SCCP conn_id %u)\n",
465                   uectx->conn_id);
466
467            msg = ranap_new_msg_dt(sapi, msg_nas->data, msgb_length(msg_nas));
468            msgb_free(msg_nas);
(gdb) print uectx
$1 = (struct ranap_ue_conn_ctx *) 0x0
#1

Updated by pespin about 2 years ago

  • Description updated (diff)
#2

Updated by pespin about 2 years ago

I submitted this patch to osmo-iuh to prevent a crash in this kind of situation:
https://gerrit.osmocom.org/c/osmo-iuh/+/26824 iu_client: Prevent crash if msgb passed to ranap_iu_tx has no dst

However, the core issue in osmo-sgsn should be fixed too. lynxis, do you want to have a look?
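The two layers of the problem described in this ticket (a stale RAU-accept timer that still fires after the Iu connection is gone, and a transmit function that dereferences msg->dst without checking it) can be modelled in a few dozen lines. The following is an added example, not code from osmo-sgsn, osmo-iuh or the gerrit change above: the struct shapes (msgb, ue_conn_ctx, mm_ctx), the helper names (iu_release, timer_fire, scenario) and the assumption that the GMM send path copies the MM context's Iu connection pointer into msg->dst are all invented stand-ins for illustration. ranap_iu_tx_unguarded reproduces the crashing pattern from the backtrace; ranap_iu_tx_guarded shows a defensive check of the kind the osmo-iuh patch is described as adding; the root_cause_fix flag in iu_release shows the SGSN-side fix of stopping the timer when the connection is released.

```c
/* Added example modelling bug #5398; not osmo-sgsn or osmo-iuh code. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins (assumed shapes) for libosmocore's msgb and
 * osmo-iuh's struct ranap_ue_conn_ctx. */
struct ue_conn_ctx { uint32_t conn_id; };
struct msgb {
	void *dst;        /* UE connection context, or NULL once the Iu conn is gone */
	uint8_t data[32];
	size_t len;
};

/* One MM context: owns the RAU-accept retransmit timer and the Iu connection pointer. */
struct mm_ctx {
	struct ue_conn_ctx *iu_ue_ctx;  /* set to NULL on Iu release */
	bool timer_running;             /* the timer behind mmctx_timer_cb in the backtrace */
};

/* Assumption: the GMM send path stores the MM context's Iu pointer in msg->dst. */
static struct msgb *msgb_alloc_for(struct mm_ctx *mm)
{
	struct msgb *m = calloc(1, sizeof(*m));
	m->dst = mm->iu_ue_ctx;
	m->len = 4;
	memcpy(m->data, "\x08\x09\x00\x2a", m->len);  /* constructed GMM header bytes */
	return m;
}

/* Unguarded tx: the crashing pattern (uectx->conn_id with uectx == NULL). */
static int ranap_iu_tx_unguarded(struct msgb *msg)
{
	struct ue_conn_ctx *uectx = msg->dst;
	printf("Transmitting L3 Message as RANAP DT (SCCP conn_id %u)\n", (unsigned)uectx->conn_id);
	free(msg);
	return 0;
}

/* Guarded tx: tx owns the msgb, so it must free it on the error path too. */
static int ranap_iu_tx_guarded(struct msgb *msg)
{
	struct ue_conn_ctx *uectx = msg->dst;
	if (!uectx) {
		fprintf(stderr, "L3 message has no Iu connection (dst == NULL), dropping\n");
		free(msg);
		return -EINVAL;
	}
	printf("Transmitting L3 Message as RANAP DT (SCCP conn_id %u)\n", (unsigned)uectx->conn_id);
	free(msg);
	return 0;
}

/* Iu release. root_cause_fix: also stop the pending timer, the SGSN-side fix. */
static void iu_release(struct mm_ctx *mm, bool root_cause_fix)
{
	free(mm->iu_ue_ctx);
	mm->iu_ue_ctx = NULL;
	if (root_cause_fix)
		mm->timer_running = false;
}

/* Timer expiry: what mmctx_timer_cb -> gsm48_tx_gmm_ra_upd_ack -> ranap_iu_tx does.
 * Returns 1 if no timer was pending, otherwise the tx result. */
static int timer_fire(struct mm_ctx *mm, bool guard_tx)
{
	if (!mm->timer_running)
		return 1;
	struct msgb *m = msgb_alloc_for(mm);
	return guard_tx ? ranap_iu_tx_guarded(m) : ranap_iu_tx_unguarded(m);
}

/* The sequence from the log: RAU accept timer armed, Iu released, timer fires. */
int scenario(bool guard_tx, bool root_cause_fix)
{
	struct mm_ctx mm = { .iu_ue_ctx = calloc(1, sizeof(struct ue_conn_ctx)),
			     .timer_running = true };
	mm.iu_ue_ctx->conn_id = 5;
	iu_release(&mm, root_cause_fix);
	return timer_fire(&mm, guard_tx);
}

int main(void)
{
	printf("guarded tx, stale timer:     %d\n", scenario(true, false));  /* -EINVAL, no crash */
	printf("timer stopped on release:    %d\n", scenario(false, true));  /* 1, tx never called */
	/* scenario(false, false) is the SIGSEGV from the ticket and is deliberately not run. */
	return 0;
}
```

The guard in ranap_iu_tx_guarded only turns the crash into a logged drop; the Routing Area Update Accept is still lost and the timer keeps rearming for a connection that no longer exists, which is why the release handler also has to stop the timer (or the timer callback has to check that an Iu connection still exists before building the message).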
