Bug #5401
null pointer access on type 'struct rtp_stream' in call_leg_ensure_ci()
Status: Closed
Start date: 01/13/2022
% Done: 100%
Description
Got this while giving a quick test on a 2g<->3g call, with current osmo-msc master.
20220113120029107 DLINP <0016> /git/libosmo-netif/src/stream.c:445 [CONNECTED] osmo_stream_cli_fd_cb(): connected read
20220113120029107 DLINP <0016> /git/libosmo-netif/src/stream.c:324 [CONNECTED] osmo_stream_cli_read(): message received
20220113120029107 DLSS7 <0020> /git/libosmo-sccp/src/osmo_ss7.c:1906 0: asp-asp-clnt-OsmoMSC-A-Iu: xua_cli_read_cb(): sctp_recvmsg() returned 44 (flags=0x80)
20220113120029107 DLM3UA <0023> /git/libosmo-sccp/src/m3ua.c:714 0: asp-asp-clnt-OsmoMSC-A-Iu: Received M3UA Message (XFER:DATA)
20220113120029107 DLM3UA <0023> /git/libosmo-sccp/src/m3ua.c:543 0: asp-asp-clnt-OsmoMSC-A-Iu: m3ua_rx_xfer
20220113120029107 DLM3UA <0023> /git/libosmo-sccp/src/m3ua.c:566 0: asp-asp-clnt-OsmoMSC-A-Iu: m3ua_rx_xfer(): M3UA data header: opc=2=0.0.2 dpc=185=0.23.1
20220113120029107 DLSS7 <0020> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:276 m3ua_hmdc_rx_from_l2(): found dpc=185=0.23.1 as local
20220113120029107 DLSS7 <0020> /git/libosmo-sccp/src/sccp_scrc.c:472 scrc_rx_mtp_xfer_ind_xua: HDR=(CO:CODT,V=0,LEN=0), PART(T=Destination Reference,L=4,D=00000017), PART(T=Segmentation,L=4,D=00000000), PART(T=Data,L=5,D=0180028387)
20220113120029107 DLSCCP <0021> /git/libosmo-sccp/src/sccp_scoc.c:1664 Received CO:CODT for local reference 23
20220113120029107 DLSCCP <0021> /git/libosmo-sccp/src/sccp_scoc.c:1698 SCCP-SCOC(23)[0x612000022120]{ACTIVE}: Received Event RCOC-DT1.ind
20220113120029108 DLSCCP <0021> /git/libosmo-sccp/src/sccp_user.c:175 Delivering N-DATA.indication to SCCP User 'OsmoMSC-A'
20220113120029108 DBSSAP <0011> /git/osmo-msc/src/libmsc/sccp_ran.c:108 (GERAN-A-23) sccp_ran_sap_up(N-DATA.indication)
20220113120029108 DRR <0003> /git/osmo-msc/src/libmsc/ran_peer.c:591 ran_peer(GERAN-A:RI-SSN_PC:PC-0-0-2:SSN-BSSAP)[0x6120000078a0]{READY}: Received Event RAN_PEER_EV_MSG_UP_CO
20220113120029108 DMSC <0007> /git/osmo-msc/src/libmsc/ran_peer.c:407 msc_i(IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP)[0x612000022420]{READY}: Received Event MSC_EV_FROM_RAN_UP_L2
20220113120029108 DMSC <0007> /git/osmo-msc/src/libmsc/msc_i.c:85 msc_a(IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP)[0x6120000225a0]{MSC_A_ST_COMMUNICATING}: Received Event MSC_A_EV_FROM_I_PROCESS_ACCESS_SIGNALLING_REQUEST
20220113120029108 DREF <000b> /git/osmo-msc/src/libmsc/msc_a.c:206 msc_a(IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP)[0x6120000225a0]{MSC_A_ST_COMMUNICATING}: + msc_a_ran_dec: now used by 2 (cc,msc_a_ran_dec)
20220113120029108 DBSSAP <0011> /git/osmo-msc/src/libmsc/msc_a.c:1625 msc_a(IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP)[0x6120000225a0]{MSC_A_ST_COMMUNICATING}: RAN decode: BSSAP DTAP
20220113120029108 DRLL <0000> /git/osmo-msc/src/libmsc/msc_a.c:1228 msc_a(IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP)[0x6120000225a0]{MSC_A_ST_COMMUNICATING}: Dispatching 04.08 message: CC GSM48_MT_CC_CONNECT
20220113120029108 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:2217 trans(CC:CALL_RECEIVED IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) rx CONNECT in state CALL_RECEIVED
20220113120029108 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:225 trans(CC:CALL_RECEIVED IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) stopping pending timer T301
20220113120029108 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:191 trans(CC:CALL_RECEIVED IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) new state CALL_RECEIVED -> CONNECT_REQUEST
20220113120029108 DMNCC <0005> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:237 trans(CC:CONNECT_REQUEST IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) tx MNCC_SETUP_CNF
20220113120029108 DMNCC <0005> /git/osmo-msc/src/libmsc/mncc_builtin.c:299 (call 2) Received message MNCC_SETUP_CNF
20220113120029108 DMNCC <0005> /git/osmo-msc/src/libmsc/mncc_builtin.c:180 (call 2) Acknowledge SETUP.
20220113120029108 DMNCC <0005> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:2006 trans(CC:CONNECT_REQUEST IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) rx MNCC_SETUP_COMPL_REQ
20220113120029108 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:104 trans(CC:CONNECT_REQUEST IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) stopping pending guard timer
20220113120029108 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:121 trans(CC:CONNECT_REQUEST IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) starting guard timer with 180 seconds
20220113120029108 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:2030 trans(CC:CONNECT_REQUEST IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) rx MNCC_SETUP_COMPL_REQ in state CONNECT_REQUEST
20220113120029108 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:191 trans(CC:CONNECT_REQUEST IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) new state CONNECT_REQUEST -> ACTIVE
20220113120029108 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:104 trans(CC:ACTIVE IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) stopping pending guard timer
20220113120029108 DBSSAP <0011> /git/osmo-msc/src/libmsc/msc_a.c:1688 msc_a(IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP)[0x6120000225a0]{MSC_A_ST_COMMUNICATING}: Sending DTAP: CC GSM48_MT_CC_CONNECT_ACK
20220113120029108 DBSSAP <0011> /git/osmo-msc/src/libmsc/ran_msg_a.c:1237 msc_a(IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP)[0x6120000225a0]{MSC_A_ST_COMMUNICATING}: RAN encode: BSSMAP: DTAP
20220113120029109 DMSC <0007> /git/osmo-msc/src/libmsc/msc_a.c:1695 msc_i(IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP)[0x612000022420]{READY}: Received Event MSC_I_EV_FROM_A_FORWARD_ACCESS_SIGNALLING_REQUEST
20220113120029109 DRR <0003> /git/osmo-msc/src/libmsc/ran_conn.c:117 ran_peer(GERAN-A:RI-SSN_PC:PC-0-0-2:SSN-BSSAP)[0x6120000078a0]{READY}: Received Event RAN_PEER_EV_MSG_DOWN_CO
20220113120029109 DLSCCP <0021> /git/libosmo-sccp/src/sccp_scoc.c:1731 Received SCCP User Primitive (N-DATA.request)
20220113120029109 DLSCCP <0021> /git/libosmo-sccp/src/sccp_scoc.c:1772 SCCP-SCOC(23)[0x612000022120]{ACTIVE}: Received Event N-DATA.req
20220113120029109 DLSS7 <0020> /git/libosmo-sccp/src/sccp_scrc.c:401 sccp_scrc_rx_scoc_conn_msg: HDR=(CO:CODT,V=0,LEN=0), PART(T=Routing Context,L=4,D=00000000), PART(T=Destination Reference,L=4,D=00000013), PART(T=Data,L=5,D=010002030f)
20220113120029109 DLSS7 <0020> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:280 m3ua_hmdc_rx_from_l2(): dpc=2=0.0.2 not local, message is for routing
20220113120029109 DLSS7 <0020> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:227 Found route for dpc=2=0.0.2: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-OsmoMSC-A-Iu proto=m3ua
20220113120029109 DLSS7 <0020> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:235 rt->dest.as proto is M3UA for dpc=2=0.0.2
20220113120029109 DLSS7 <0020> /git/libosmo-sccp/src/m3ua.c:508 XUA_AS(as-clnt-OsmoMSC-A-Iu)[0x6120000072a0]{AS_ACTIVE}: Received Event AS-TRANSFER.req
20220113120029109 DMNCC <0005> /git/osmo-msc/src/libmsc/mncc_builtin.c:188 (call 2, remote 80000002) Sending CONNECT to remote.
20220113120029109 DMNCC <0005> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:2006 trans(CC:CALL_DELIVERED IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ callref-0x80000002 tid-8) rx MNCC_SETUP_RSP
20220113120029109 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:104 trans(CC:CALL_DELIVERED IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ callref-0x80000002 tid-8) stopping pending guard timer
20220113120029109 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:121 trans(CC:CALL_DELIVERED IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ callref-0x80000002 tid-8) starting guard timer with 180 seconds
20220113120029109 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:2030 trans(CC:CALL_DELIVERED IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ callref-0x80000002 tid-8) rx MNCC_SETUP_RSP in state CALL_DELIVERED
20220113120029109 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:500 trans(CC:CALL_DELIVERED IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ callref-0x80000002 tid-8) starting timer T313 with 30 seconds
20220113120029109 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:191 trans(CC:CALL_DELIVERED IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ callref-0x80000002 tid-8) new state CALL_DELIVERED -> CONNECT_IND
20220113120029109 DIUCS <0010> /git/osmo-msc/src/libmsc/msc_a.c:1688 msc_a(IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ)[0x612000020da0]{MSC_A_ST_COMMUNICATING}: Sending DTAP: CC GSM48_MT_CC_CONNECT
20220113120029109 DIUCS <0010> /git/osmo-msc/src/libmsc/ran_msg_iu.c:409 msc_a(IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ)[0x612000020da0]{MSC_A_ST_COMMUNICATING}: RAN encode: RANAP: DirectTransfer
20220113120029109 DMSC <0007> /git/osmo-msc/src/libmsc/msc_a.c:1695 msc_i(IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ)[0x612000020c20]{READY}: Received Event MSC_I_EV_FROM_A_FORWARD_ACCESS_SIGNALLING_REQUEST
20220113120029109 DRR <0003> /git/osmo-msc/src/libmsc/ran_conn.c:117 ran_peer(UTRAN-Iu:RI-SSN_PC:PC-0-23-5:SSN-RANAP)[0x61200001a1a0]{READY}: Received Event RAN_PEER_EV_MSG_DOWN_CO
20220113120029109 DLSCCP <0021> /git/libosmo-sccp/src/sccp_scoc.c:1731 Received SCCP User Primitive (N-DATA.request)
20220113120029109 DLSCCP <0021> /git/libosmo-sccp/src/sccp_scoc.c:1772 SCCP-SCOC(22)[0x612000020920]{ACTIVE}: Received Event N-DATA.req
20220113120029109 DLSS7 <0020> /git/libosmo-sccp/src/sccp_scrc.c:401 sccp_scrc_rx_scoc_conn_msg: HDR=(CO:CODT,V=0,LEN=0), PART(T=Routing Context,L=4,D=00000000), PART(T=Destination Reference,L=4,D=000003ec), PART(T=Data,L=24,D=00144014000002001040080783074c03805499003b400100)
20220113120029109 DLSS7 <0020> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:280 m3ua_hmdc_rx_from_l2(): dpc=189=0.23.5 not local, message is for routing
20220113120029109 DLSS7 <0020> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:227 Found route for dpc=189=0.23.5: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-OsmoMSC-A-Iu proto=m3ua
20220113120029109 DLSS7 <0020> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:235 rt->dest.as proto is M3UA for dpc=189=0.23.5
20220113120029110 DLSS7 <0020> /git/libosmo-sccp/src/m3ua.c:508 XUA_AS(as-clnt-OsmoMSC-A-Iu)[0x6120000072a0]{AS_ACTIVE}: Received Event AS-TRANSFER.req
20220113120029110 DMNCC <0005> /git/osmo-msc/src/libmsc/mncc_builtin.c:195 (call 2, remote 80000002) Bridging with remote.
20220113120029110 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:370 trans(CC:ACTIVE IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP callref-0x2 tid-0) MNCC_BRIDGE: Local bridge to callref 0x80000002
20220113120029110 DCC <0001> /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:371 trans(CC:CONNECT_IND IMSI-901700000015259:MSISDN-888:TMSI-0x3DBD26B3:UTRAN-Iu-22:CM_SERVICE_REQ callref-0x80000002 tid-8) MNCC_BRIDGE: Local bridge to callref 0x2
/git/osmo-msc/src/libmsc/call_leg.c:348:15: runtime error: member access within null pointer of type 'struct rtp_stream'
20220113120029110 DCC <0001> /git/osmo-msc/src/libmsc/rtp_stream.c:392 rtp_stream(IMSI-901700000015256:MSISDN-4599:TMSI-0x892BB4A5:GERAN-A-23:PAGING_RESP:trans-0:call-2:RTP_TO_CN:CI-70415DB9:no-remote-port:local-127-0-0-2-9014)[0x612000023920]{ESTABLISHING}: setting codec to AMR/8000/1

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4d6f536 in osmo_sockaddr_str_is_set (sockaddr_str=sockaddr_str@entry=0x20) at /git/libosmocore/src/sockaddr_str.c:60
60		&& *sockaddr_str->ip
(gdb) bt
#0  0x00007ffff4d6f536 in osmo_sockaddr_str_is_set (sockaddr_str=sockaddr_str@entry=0x20) at /git/libosmocore/src/sockaddr_str.c:60
#1  0x00007ffff4d705f5 in osmo_sockaddr_str_is_nonzero (sockaddr_str=sockaddr_str@entry=0x20) at /git/libosmocore/src/sockaddr_str.c:75
#2  0x000055555581687e in call_leg_ensure_ci (cl=cl@entry=0x60e000060d60, dir=dir@entry=RTP_TO_CN, call_id=call_id@entry=2, for_trans=for_trans@entry=0x61d00029aee0, codec_if_known=codec_if_known@entry=0x7fffffff8af0, remote_addr_if_known=remote_addr_if_known@entry=0x20) at /git/osmo-msc/src/libmsc/call_leg.c:326
#3  0x0000555555816ee1 in call_leg_local_bridge (cl1=cl1@entry=0x60e000060d60, call_id1=<optimized out>, trans1=trans1@entry=0x61d00029aee0, cl2=cl2@entry=0x60e00005d2c0, call_id2=call_id2@entry=2147483650, trans2=trans2@entry=0x61d0002986e0) at /git/osmo-msc/src/libmsc/call_leg.c:347
#4  0x000055555595a62d in tch_bridge (net=net@entry=0x6190000082e0, bridge=bridge@entry=0x7fffffff9500) at /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:380
#5  0x00005555559738a5 in mncc_tx_to_gsm_cc (net=net@entry=0x6190000082e0, msg=msg@entry=0x7fffffff9500) at /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:1867
#6  0x000055555597be8e in mncc_tx_to_cc (net=0x6190000082e0, arg=arg@entry=0x7fffffff9500) at /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:2105
#7  0x0000555555861cbd in mncc_setup_cnf (call=call@entry=0x60c0000d3360, connect=connect@entry=0x61d0002af968) at /git/osmo-msc/src/libmsc/mncc_builtin.c:197
#8  0x0000555555863b4d in int_mncc_recv (net=<optimized out>, msg=<optimized out>) at /git/osmo-msc/src/libmsc/mncc_builtin.c:307
#9  0x000055555596806d in cc_tx_to_mncc (net=net@entry=0x6190000082e0, msg=msg@entry=0x61d0002af8e0) at /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:131
#10 0x00005555559682c9 in mncc_recvmsg (net=0x6190000082e0, trans=trans@entry=0x61d00029aee0, msg_type=msg_type@entry=260, mncc=mncc@entry=0x7fffffffa6b0) at /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:248
#11 0x000055555596f1ab in gsm48_cc_rx_connect (trans=0x61d00029aee0, msg=<optimized out>) at /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:941
#12 0x000055555597e027 in gsm0408_rcv_cc (msc_a=msc_a@entry=0x61d00029d6e0, msg=msg@entry=0x61a0000516e0) at /git/osmo-msc/src/libmsc/gsm_04_08_cc.c:2240
#13 0x0000555555884e2e in msc_a_up_l3 (msc_a=msc_a@entry=0x61d00029d6e0, msg=0x61a0000516e0) at /git/osmo-msc/src/libmsc/msc_a.c:1277
#14 0x00005555558919aa in msc_a_ran_dec_from_msc_i (msc_a=msc_a@entry=0x61d00029d6e0, d=d@entry=0x7fffffffc9f0) at /git/osmo-msc/src/libmsc/msc_a.c:1442
#15 0x00005555558949e6 in msc_a_ran_decode_cb (msc_a_fi=<optimized out>, data=0x7fffffffc9f0, msg=0x7fffffffc180) at /git/osmo-msc/src/libmsc/msc_a.c:1626
#16 0x00005555558d7ee0 in ran_decoded (ran_dec=ran_dec@entry=0x7fffffffc920, ran_msg=ran_msg@entry=0x7fffffffc180) at /git/osmo-msc/src/libmsc/ran_msg.c:155
#17 0x00005555558db69a in ran_a_decode_l3 (ran_dec=ran_dec@entry=0x7fffffffc920, l3=l3@entry=0x61a0000516e0) at /git/osmo-msc/src/libmsc/ran_msg_a.c:861
#18 0x00005555558ed60f in ran_a_decode_l2 (ran_dec=ran_dec@entry=0x7fffffffc920, bssap=0x61a0000516e0) at /git/osmo-msc/src/libmsc/ran_msg_a.c:885
#19 0x0000555555876f43 in msc_role_ran_decode (fi=0x6120000225a0, an_apdu=an_apdu@entry=0x7fffffffd5c0, decode_cb=decode_cb@entry=0x555555894555 <msc_a_ran_decode_cb>, decode_cb_data=decode_cb_data@entry=0x7fffffffc9f0) at /git/osmo-msc/src/libmsc/msub.c:593
#20 0x0000555555879509 in msc_a_ran_dec (msc_a=msc_a@entry=0x61d00029d6e0, an_apdu=an_apdu@entry=0x7fffffffd5c0, from_role=from_role@entry=MSC_ROLE_I) at /git/osmo-msc/src/libmsc/msc_a.c:207
#21 0x000055555588c011 in msc_a_fsm_communicating (fi=0x6120000225a0, event=9, data=0x7fffffffd5c0) at /git/osmo-msc/src/libmsc/msc_a.c:657
#22 0x00007ffff4d1a01f in _osmo_fsm_inst_dispatch (fi=0x6120000225a0, event=event@entry=9, data=data@entry=0x7fffffffd5c0, file=file@entry=0x5555559dde80 "/git/osmo-msc/src/libmsc/msc_i.c", line=line@entry=85) at /git/libosmocore/src/fsm.c:872
#23 0x0000555555873c5c in _msub_role_dispatch (msub=0x60e00005d560, to_role=to_role@entry=MSC_ROLE_A, to_role_event=to_role_event@entry=9, an_apdu=an_apdu@entry=0x7fffffffd5c0, file=file@entry=0x5555559dde80 "/git/osmo-msc/src/libmsc/msc_i.c", line=line@entry=85) at /git/osmo-msc/src/libmsc/msub.c:449
#24 0x000055555589a5e6 in msc_i_ready_decode_cb (msc_i_fi=<optimized out>, data=0x7fffffffd5c0, msg=<optimized out>) at /git/osmo-msc/src/libmsc/msc_i.c:85
#25 0x00005555558d7ee0 in ran_decoded (ran_dec=ran_dec@entry=0x7fffffffd430, ran_msg=ran_msg@entry=0x7fffffffcc90) at /git/osmo-msc/src/libmsc/ran_msg.c:155
#26 0x00005555558db69a in ran_a_decode_l3 (ran_dec=ran_dec@entry=0x7fffffffd430, l3=l3@entry=0x61a0000516e0) at /git/osmo-msc/src/libmsc/ran_msg_a.c:861
#27 0x00005555558ed60f in ran_a_decode_l2 (ran_dec=ran_dec@entry=0x7fffffffd430, bssap=0x61a0000516e0) at /git/osmo-msc/src/libmsc/ran_msg_a.c:885
#28 0x0000555555876f43 in msc_role_ran_decode (fi=0x612000022420, an_apdu=an_apdu@entry=0x7fffffffd5c0, decode_cb=decode_cb@entry=0x55555589a501 <msc_i_ready_decode_cb>, decode_cb_data=decode_cb_data@entry=0x7fffffffd5c0) at /git/osmo-msc/src/libmsc/msub.c:593
#29 0x000055555589ba60 in msc_i_fsm_ready (fi=<optimized out>, event=9, data=0x7fffffffd5c0) at /git/osmo-msc/src/libmsc/msc_i.c:110
#30 0x00007ffff4d1a01f in _osmo_fsm_inst_dispatch (fi=0x612000022420, event=event@entry=9, data=data@entry=0x7fffffffd5c0, file=file@entry=0x5555559e98c0 "/git/osmo-msc/src/libmsc/ran_peer.c", line=line@entry=407) at /git/libosmocore/src/fsm.c:872
#31 0x00005555558f6052 in ran_peer_st_ready (fi=<optimized out>, event=<optimized out>, data=<optimized out>) at /git/osmo-msc/src/libmsc/ran_peer.c:407
#32 0x00007ffff4d1a01f in _osmo_fsm_inst_dispatch (fi=fi@entry=0x6120000078a0, event=event@entry=2, data=data@entry=0x7fffffffd720, file=file@entry=0x5555559e98c0 "/git/osmo-msc/src/libmsc/ran_peer.c", line=line@entry=591) at /git/libosmocore/src/fsm.c:872
#33 0x00005555558fb90b in ran_peer_up_l2 (sri=<optimized out>, calling_addr=<optimized out>, co=<optimized out>, conn_id=<optimized out>, l2=<optimized out>) at /git/osmo-msc/src/libmsc/ran_peer.c:591
#34 0x0000555555817d73 in sccp_ran_sap_up (oph=0x61a000051768, _scu=<optimized out>) at /git/osmo-msc/src/libmsc/sccp_ran.c:110
#35 0x00007ffff5fa8901 in sccp_user_prim_up (scu=0x60f000004420, prim=prim@entry=0x61a000051768) at /git/libosmo-sccp/src/sccp_user.c:177
#36 0x00007ffff5fa14d1 in scu_gen_encode_and_send (conn=conn@entry=0x6180000684e0, event=event@entry=11, xua=xua@entry=0x60d000050a10, primitive=primitive@entry=1, operation=operation@entry=PRIM_OP_INDICATION) at /git/libosmo-sccp/src/sccp_scoc.c:805
#37 0x00007ffff5fa4fd3 in scoc_fsm_active (fi=0x612000022120, event=11, data=0x60d000050a10) at /git/libosmo-sccp/src/sccp_scoc.c:1124
#38 0x00007ffff4d1a01f in _osmo_fsm_inst_dispatch (fi=0x612000022120, event=event@entry=11, data=data@entry=0x60d000050a10, file=file@entry=0x7ffff600d3c0 "/git/libosmo-sccp/src/sccp_scoc.c", line=line@entry=1698) at /git/libosmocore/src/fsm.c:872
#39 0x00007ffff5fa657f in sccp_scoc_rx_from_scrc (inst=inst@entry=0x612000007720, xua=xua@entry=0x60d000050a10) at /git/libosmo-sccp/src/sccp_scoc.c:1698
#40 0x00007ffff5f96337 in scrc_rx_mtp_xfer_ind_xua (inst=inst@entry=0x612000007720, xua=xua@entry=0x60d000050a10) at /git/libosmo-sccp/src/sccp_scrc.c:479
#41 0x00007ffff5fa7671 in mtp_user_prim_cb (oph=0x61e000154b68, ctx=0x612000007720) at /git/libosmo-sccp/src/sccp_user.c:202
#42 0x00007ffff5fd388c in deliver_to_mtp_user (osu=<optimized out>, xua=xua@entry=0x60d000050940) at /git/libosmo-sccp/src/osmo_ss7_hmrt.c:95
#43 0x00007ffff5fd3b34 in hmdt_message_for_distribution (inst=inst@entry=0x6140000024a0, xua=xua@entry=0x60d000050940) at /git/libosmo-sccp/src/osmo_ss7_hmrt.c:134
#44 0x00007ffff5fd4b9b in m3ua_hmdc_rx_from_l2 (inst=0x6140000024a0, xua=xua@entry=0x60d000050940) at /git/libosmo-sccp/src/osmo_ss7_hmrt.c:278
#45 0x00007ffff5f6e002 in m3ua_rx_xfer (asp=asp@entry=0x6180000090e0, xua=xua@entry=0x60d000050940) at /git/libosmo-sccp/src/m3ua.c:577
#46 0x00007ffff5f6ee3f in m3ua_rx_msg (asp=asp@entry=0x6180000090e0, msg=msg@entry=0x61e000153ce0) at /git/libosmo-sccp/src/m3ua.c:732
#47 0x00007ffff5fd1709 in xua_cli_read_cb (conn=<optimized out>) at /git/libosmo-sccp/src/osmo_ss7.c:1950
#48 0x00007ffff5dd25a7 in osmo_stream_cli_read (cli=cli@entry=0x6180000094e0) at /git/libosmo-netif/src/stream.c:327
#49 0x00007ffff5dd583d in osmo_stream_cli_fd_cb (ofd=0x6180000094e0, what=<optimized out>) at /git/libosmo-netif/src/stream.c:446
#50 0x00007ffff4d005cf in poll_disp_fds (n_fd=n_fd@entry=8) at /git/libosmocore/src/select.c:361
#51 0x00007ffff4d006cf in _osmo_select_main (polling=polling@entry=0) at /git/libosmocore/src/select.c:399
#52 0x00007ffff4d00815 in osmo_select_main_ctx (polling=polling@entry=0) at /git/libosmocore/src/select.c:455
#53 0x00005555558143d5 in main (argc=<optimized out>, argv=<optimized out>) at /git/osmo-msc/src/osmo-msc/msc_main.c:784
Full log attached.
Updated by pespin over 2 years ago
- Category set to Call Control
call_leg_local_bridge() is calling call_leg_ensure_ci().
In call_leg_local_bridge(), cl2->rtp[RTP_TO_CN] is NULL, and the calculated pointer "&cl2->rtp[RTP_TO_CN]->local" passed to call_leg_ensure_ci() is hence NULL + offset = 0x20.
We probably need to add some checks there to avoid accessing NULL pointers.
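An added example (not osmo-msc or libosmocore code) of the pointer arithmetic described in the comment above: forming `&cl2->rtp[RTP_TO_CN]->local` from a NULL stream pointer yields NULL plus the member offset, so the callee's own NULL check sees a non-NULL value and dereferences it. The struct layouts, `peer_local_addr_*` helpers and sample address are constructed stand-ins, not the real osmo types; the real layout happened to give 0x20.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed stand-ins for the osmo types in the report; the real
 * libosmocore/osmo-msc layouts differ. */
struct sockaddr_str {
	char ip[46];
	uint16_t port;
};

struct rtp_stream {
	void *fi;                 /* leading members so 'local' sits at a nonzero offset */
	uint32_t ci;
	uint32_t state;
	struct sockaddr_str local;
	struct sockaddr_str remote;
};

enum rtp_direction { RTP_TO_RAN = 0, RTP_TO_CN = 1 };

struct call_leg {
	struct rtp_stream *rtp[2];   /* NULL until that direction's RTP stream exists */
};

/* Callee-side check in the spirit of osmo_sockaddr_str_is_nonzero(): it only
 * guards against a genuine NULL, so a "NULL + offset" pointer is dereferenced. */
bool sockaddr_str_is_nonzero(const struct sockaddr_str *s)
{
	return s && s->ip[0] != '\0' && s->port != 0;
}

/* Buggy pattern: the member address is formed before the base pointer is
 * checked. With rtp[dir] == NULL this is undefined behaviour; UBSan reports it
 * as "member access within null pointer of type 'struct rtp_stream'", and
 * without a sanitizer the callee simply receives offsetof(struct rtp_stream, local). */
const struct sockaddr_str *peer_local_addr_unchecked(const struct call_leg *cl, enum rtp_direction dir)
{
	return &cl->rtp[dir]->local;
}

/* Hardened pattern: test the stream pointer first and pass a genuine NULL on,
 * which the callee's existing check handles. */
const struct sockaddr_str *peer_local_addr_checked(const struct call_leg *cl, enum rtp_direction dir)
{
	if (!cl || !cl->rtp[dir])
		return NULL;
	return &cl->rtp[dir]->local;
}

/* The value the callee would have received for this layout (never dereferenced). */
size_t bogus_member_offset(void)
{
	return offsetof(struct rtp_stream, local);
}

/* Why the callee's NULL check is no protection: a pointer that is merely the
 * member offset compares unequal to NULL. */
bool callee_null_check_is_fooled(void)
{
	const struct sockaddr_str *bogus = (const struct sockaddr_str *)(uintptr_t)bogus_member_offset();
	return bogus != NULL;
}
```

Building with -fsanitize=undefined and calling the unchecked variant on a leg without a stream reproduces the runtime error line from the report; the checked variant returns NULL instead.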
Updated by pespin over 2 years ago
This situation happens because in this case the RAB-AssignmentRequest sent MSC->HNBGW->nano3g was never forwarded HNBGW->nano3g (due to an error in my config), which means that the entire call leg is never completed. So we should prevent osmo-msc from crashing in this scenario.
Updated by pespin over 2 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 90
Updated by pespin about 2 years ago
- Status changed from Feedback to Resolved
- % Done changed from 90 to 100
Merged, closing.