Bug #2885: OsmoMSC crashes on MNCC disconnect
Status: Closed
Start date: 01/27/2018
Due date:
% Done: 100%
Resolution:
Spec Reference:
Description
<0004> gsm_04_08.c:1359 transmit message MNCC_CALL_CONF_IND
<0007> msc_mgcp.c:280 MGW(MGW_0)[0xa9bb0c0]{ST_CRCX_CN}: CRCX/RAN: response yields error: 542 FORCED_FAIL
<0007> msc_mgcp.c:281 MGW(MGW_0)[0xa9bb0c0]{ST_CRCX_CN}: operation failed on MGW -- graceful shutdown...
<0007> msc_mgcp.c:730 MGW(MGW_0)[0xa9bb0c0]{ST_HALT}: DLCX: response yields error: 250 OK
<0007> msc_mgcp.c:731 MGW(MGW_0)[0xa9bb0c0]{ST_HALT}: operation failed on MGW -- graceful shutdown...
<0007> msc_mgcp.c:157 MGW(MGW_0)[0xa9bb0c0]{ST_HALT}: transition to state ST_CALL not permitted!
<0004> gsm_04_08.c:1359 transmit message MNCC_DISC_IND
<0012> input/ipa.c:67 connection closed with server
<0004> mncc_sock.c:85 MNCC Socket has LOST connection
<0001> gsm_04_08.c:191 Clearing all currently active transactions!!!
==17608== Invalid read of size 8
==17608==    at 0x128B6A: msc_mgcp_call_release (msc_mgcp.c:1052)
==17608==    by 0x11ED50: _gsm48_cc_trans_free (gsm_04_08.c:1419)
==17608==    by 0x12BF94: trans_free (transaction.c:123)
==17608==    by 0x11CFEA: gsm0408_clear_all_trans (gsm_04_08.c:196)
==17608==    by 0x125A07: mncc_sock_close (mncc_sock.c:95)
==17608==    by 0x125B1E: mncc_sock_read (mncc_sock.c:140)
==17608==    by 0x125B1E: mncc_sock_cb (mncc_sock.c:198)
==17608==    by 0x56D0950: osmo_fd_disp_fds (select.c:216)
==17608==    by 0x56D0950: osmo_select_main (select.c:256)
==17608==    by 0x11371B: main (msc_main.c:546)
==17608== Address 0xaaa3810 is 96 bytes inside a block of size 200 free'd
==17608==    at 0x4C2DDBB: free (vg_replace_malloc.c:530)
==17608==    by 0x505BE82: _talloc_free (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.1.10)
==17608==    by 0x56D3C8E: _osmo_fsm_inst_dispatch (fsm.c:450)
==17608==    by 0x12830B: fsm_timeout_cb (msc_mgcp.c:204)
==17608==    by 0x56D4458: fsm_tmr_cb (fsm.c:185)
==17608==    by 0x56D0305: osmo_timers_update (timer.c:257)
==17608==    by 0x56D0904: osmo_select_main (select.c:253)
==17608==    by 0x11371B: main (msc_main.c:546)
==17608== Block was alloc'd at
==17608==    at 0x4C2CB8F: malloc (vg_replace_malloc.c:299)
==17608==    by 0x505E150: _talloc_zero (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.1.10)
==17608==    by 0x128448: msc_mgcp_call_assignment (msc_mgcp.c:902)
==17608==    by 0x11C578: gsm48_cc_rx_call_conf (gsm_04_08.c:1847)
==17608==    by 0x11FE8C: gsm0408_rcv_cc (gsm_04_08.c:3269)
==17608==    by 0x11FE8C: gsm0408_dispatch (gsm_04_08.c:3380)
==17608==    by 0x12D05C: msc_dtap (osmo_msc.c:108)
==17608==    by 0x116BB2: rx_dtap (a_iface_bssap.c:683)
==17608==    by 0x116BB2: a_sccp_rx_dt (a_iface_bssap.c:710)
==17608==    by 0x114367: sccp_sap_up (a_iface.c:529)
==17608==    by 0x56D3C8E: _osmo_fsm_inst_dispatch (fsm.c:450)
==17608==    by 0x5D5D9D4: sccp_scoc_rx_from_scrc (sccp_scoc.c:1581)
==17608==    by 0x5D5B6CA: scrc_rx_mtp_xfer_ind_xua (sccp_scrc.c:449)
==17608==    by 0x5D5E5A4: mtp_user_prim_cb (sccp_user.c:176)
==17608==
So it seems that upon MNCC disconnect, it tries to free some MGCP state again, which was already freed due to an earlier MGCP failure.
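The valgrind output above has the shape of a dangling back-reference: the MGCP-side state is allocated during call assignment, freed on its own when the FSM times out after the MGW rejected the CRCX, and then the transaction, which still holds a pointer to it, tries to release it once more when the MNCC socket is lost. The C example below is added here to illustrate that ordering and the defensive pattern that prevents it; it is not OsmoMSC code and not the fix the project applied, and every identifier in it (`call_trans`, `mgcp_ctx`, `run_scenario`, the endpoint string) is invented for the example. The pattern is: the owned object carries a back-pointer to its owner, the single teardown routine clears the owner's forward reference before freeing, and the owner's release path treats a NULL reference as "already gone".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of the relationship seen in the trace: a call
 * transaction owns a pointer to MGCP-side state, and that state can also
 * be torn down on its own (here: a timeout after the MGW rejected CRCX).
 * Names are invented for this example and are not OsmoMSC's.
 */
struct call_trans;

struct mgcp_ctx {
    struct call_trans *owner;   /* back-pointer so teardown can detach itself */
    char endpoint[32];
};

struct call_trans {
    unsigned int callref;
    struct mgcp_ctx *mgcp;      /* forward reference; NULL once the MGCP side is gone */
};

static int ctx_free_count;      /* how many times mgcp_ctx storage was released */

struct mgcp_ctx *mgcp_ctx_alloc(struct call_trans *trans, const char *endpoint)
{
    struct mgcp_ctx *ctx = calloc(1, sizeof(*ctx));
    if (!ctx)
        return NULL;
    ctx->owner = trans;
    snprintf(ctx->endpoint, sizeof(ctx->endpoint), "%s", endpoint);
    trans->mgcp = ctx;
    return ctx;
}

/*
 * The one place MGCP state is released. The owner's reference is cleared
 * before the memory goes away, so a later release from the owner's side
 * cannot reach freed memory. The crashing path lacked exactly this detach.
 */
void mgcp_ctx_free(struct mgcp_ctx *ctx)
{
    if (!ctx)
        return;
    if (ctx->owner && ctx->owner->mgcp == ctx)
        ctx->owner->mgcp = NULL;
    memset(ctx, 0, sizeof(*ctx));   /* poison: a stale pointer now fails loudly under a sanitizer */
    free(ctx);
    ctx_free_count++;
}

/* Timer callback: the MGW rejected CRCX, the MGCP side gives up and tears down. */
void mgcp_timeout_cb(struct mgcp_ctx *ctx)
{
    mgcp_ctx_free(ctx);
}

/*
 * Later the MNCC socket drops and every transaction is cleared.
 * Returns 1 if MGCP state was still present and released here,
 * 0 if it had already been released by the MGCP side.
 */
int call_release(struct call_trans *trans)
{
    if (!trans->mgcp)
        return 0;
    mgcp_ctx_free(trans->mgcp);
    return 1;
}

/*
 * Replays the order of events from the report: assignment, optionally an
 * MGCP-side timeout, then MNCC loss. Returns the call_release() result and
 * reports the total number of frees through *frees; exactly one is correct
 * in both orderings.
 */
int run_scenario(int mgcp_times_out, int *frees)
{
    struct call_trans trans = { .callref = 1, .mgcp = NULL };
    ctx_free_count = 0;

    struct mgcp_ctx *ctx = mgcp_ctx_alloc(&trans, "rtpbridge/1@mgw");  /* constructed endpoint name */
    if (!ctx)
        return -1;
    if (mgcp_times_out)
        mgcp_timeout_cb(ctx);                 /* MGCP side frees itself and detaches from trans */
    int released = call_release(&trans);      /* no-op if trans.mgcp is already NULL */

    *frees = ctx_free_count;
    return released;
}

int main(void)
{
    int frees;
    int released = run_scenario(1, &frees);
    printf("after MGCP timeout: call_release() did work=%d, frees=%d\n", released, frees);
    return (released == 0 && frees == 1) ? 0 : 1;
}
```

In a talloc-based code base such as this one, the detach step belongs in the object's talloc destructor (`talloc_set_destructor`) or the FSM instance's cleanup callback, so it runs regardless of which path ends up freeing the object; clearing the owner's pointer only in one of several teardown paths reproduces the race shown in the trace.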