Bug #1761

closed

LAPD: segfault when bootstrapping Nokia InSite

Added by laforge over 7 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Nokia BTS
Target version: -
Start date: 07/03/2016
Due date:
% Done: 100%
Spec Reference:

Description

When bootstrapping a Nokia InSite BTS, current OsmoNITB segfaults.

The reason for this is as follows:

  • ABM is established.
  • LAPD code hands an I frame to the application using send_dl_l3()
  • user application decides to call lapd_sap_stop() resulting in a local RELEASE request to LAPD
  • LAPD clears the transmit history and changes to IDLE state
  • application returns from processing the I frame
  • code proceeds in lapd_rx_i() and tries to transmit an I frame, as it didn't realize the state has meanwhile changed
  • lapd_send_i() tries to use dl->tx_hist -> boom.

As this is the second bug related to accessing a freed tx_hist, the code seems to require a more thorough audit.
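
The sequence above is a re-entrancy hazard: an upcall into the application changes the link state underneath the receive path. The following toy model is an added example, not libosmocore code and not the fix applied for this bug; every name in it (`toy_dl`, `toy_rx_i`, `toy_send_i`, `toy_release`, `app_keep`, `app_stop`) is hypothetical. It shows the receive path re-validating state after the upcall, and the release path clearing the pointer so the transmit path can refuse to touch freed history.

```c
#include <stdlib.h>
#include <stddef.h>

/* Toy model of the hazard; hypothetical names, not libosmocore's API. */
enum toy_state { TOY_IDLE, TOY_ABM };

struct toy_dl {
    enum toy_state state;
    unsigned char *tx_hist;            /* only valid while in TOY_ABM */
    void (*l3_cb)(struct toy_dl *dl);  /* upcall handing an I frame to the app */
};

/* Local RELEASE: drop the transmit history and go idle. */
void toy_release(struct toy_dl *dl)
{
    free(dl->tx_hist);
    dl->tx_hist = NULL;                /* never leave a dangling pointer */
    dl->state = TOY_IDLE;
}

void toy_establish(struct toy_dl *dl, void (*cb)(struct toy_dl *))
{
    dl->tx_hist = calloc(8, 1);
    dl->state = dl->tx_hist ? TOY_ABM : TOY_IDLE;
    dl->l3_cb = cb;
}

/* Transmit path: 0 on success, -1 if the link is no longer usable. */
int toy_send_i(struct toy_dl *dl)
{
    if (dl->state != TOY_ABM || !dl->tx_hist)
        return -1;
    dl->tx_hist[0]++;                  /* stand-in for storing the frame */
    return 0;
}

/* Receive path: 1 if a frame was sent after the upcall, 0 if it was skipped. */
int toy_rx_i(struct toy_dl *dl)
{
    dl->l3_cb(dl);                     /* application may call toy_release() here */
    if (dl->state != TOY_ABM)          /* re-validate state after the upcall */
        return 0;
    return toy_send_i(dl) == 0 ? 1 : 0;
}

/* Constructed applications: one keeps the link, one stops it in the upcall. */
void app_keep(struct toy_dl *dl) { (void)dl; }
void app_stop(struct toy_dl *dl) { toy_release(dl); }
```

Without the state check after `l3_cb()`, and without the NULL guard in `toy_send_i()`, the `app_stop` case would write through the freed `tx_hist`.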


Related issues

Related to libosmocore - Bug #1760: LAPD: segfault in T200 call-back | Closed | laforge | 07/03/2016
Related to libosmocore - Bug #1762: Review LAPD code for race conditions regarding state, particularly in RELEASE | New | laforge | 07/03/2016
Related to OsmoBSC - Bug #3975: osmo-bsc crash during startup with nokia insite | Closed | laforge | 05/04/2019
Related to libosmocore - Bug #4646: SEGV when bringing up Nokia InSite | Resolved | laforge | 07/04/2020
Related to libosmocore - Bug #1982: LAPD: segfault in lapd_est_req function | Resolved | laforge | 03/14/2017
