Bug #2666
closed
osmo-msc crashes when receiving SCCP with RI=GT from A
Description
On the A interface, we use SCCP with PC/SSN only. However, if a SCCP message with RI (Routing Indicator) = GT (Global Title) arrives, the MSC spits out several hundred identical messages (hinting at infinite recursion of some sort) and finally crashes:
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
[1] 10151 segmentation fault ./osmo-msc
Updated by laforge almost 6 years ago
On Mon, May 07, 2018 at 11:19:51AM +0000, stsp [REDMINE] wrote:
What do I need to do to reproduce this problem?
You need to send a SCCP message that has the routing indicator set to GT (global title)
instead of PC/SSN (point code / ssn). You will need to construct it in some way (either in TTCN3
or using libosmo-sigtran).
which sets
- no globalTitle
- addressIndicator.globalTitleIndic '0000'B (no global title included)
- addressIndicator.routingIndicator '1'B (route on SSN)
you will need to set e.g.
addressIndicator.globalTitleIndic := '0001'B (NAI only)
addressIndicator.routingIndicator := '0'B (route on GT)
globalTitle := { gti0001 := { natureOfAddress := '0000011'B, oddeven := '0'B, globalTitleAddress := '012345'H } }
See ITU-T Q.713 Section 3.4 for the definition of the "Called Party Address"
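The address indicator fields named in the comment above, decoded with bounds checks (an added example, not part of the ticket and not libosmo-sccp code). The struct, function and sample names are hypothetical, the byte strings are constructed, and refusing RI=GT outright is an assumed policy for a PC/SSN-only node rather than the fix referenced later in this ticket.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded Q.713 section 3.4 party address (ITU 14-bit point code assumed). */
struct sccp_addr {
    int route_on_ssn, has_pc, has_ssn; /* routing indicator: 1 = SSN, 0 = GT */
    unsigned gti, pc, ssn;             /* GTI: bits 6..3 of the address indicator */
    size_t gt_len;                     /* octets of global title after PC/SSN */
};
enum verdict { DELIVER_LOCAL, REJECT_MALFORMED, REJECT_NO_GT_ROUTING };

/* Constructed samples: PC 185 + SSN 254 routed on SSN; GTI 0001, NAI 3 routed on GT. */
const uint8_t sample_ssn[] = { 0x43, 0xb9, 0x00, 0xfe };
const uint8_t sample_gt[] = { 0x04, 0x03, 0x10, 0x32, 0x54 };

/* Bounds-checked parse; returns 0 on success, -1 on malformed input. */
int sccp_addr_parse(const uint8_t *buf, size_t len, struct sccp_addr *a)
{
    if (len < 1)
        return -1;
    a->has_pc = buf[0] & 0x01;
    a->has_ssn = (buf[0] >> 1) & 0x01;
    a->gti = (buf[0] >> 2) & 0x0f;
    a->route_on_ssn = (buf[0] >> 6) & 0x01;
    size_t need = 1 + (a->has_pc ? 2 : 0) + (a->has_ssn ? 1 : 0);
    if (len < need)
        return -1;                     /* truncated point code or SSN */
    a->pc = a->has_pc ? (unsigned)(buf[1] | (buf[2] << 8)) & 0x3fff : 0;
    a->ssn = a->has_ssn ? buf[need - 1] : 0;
    a->gt_len = len - need;
    /* GTI and GT octets must agree; route-on-GT needs a GT to route on. */
    if ((a->gti == 0) != (a->gt_len == 0) || (!a->route_on_ssn && !a->gti))
        return -1;
    return 0;
}

/* Assumed policy for a node without GT translation: refuse, never forward. */
enum verdict classify_called_party(const uint8_t *buf, size_t len)
{
    struct sccp_addr a;
    if (sccp_addr_parse(buf, len, &a) < 0)
        return REJECT_MALFORMED;
    if (!a.route_on_ssn)
        return REJECT_NO_GT_ROUTING;
    return a.has_ssn ? DELIVER_LOCAL : REJECT_MALFORMED;
}

int main(void) { return classify_called_party(sample_gt, sizeof(sample_gt)) != REJECT_NO_GT_ROUTING; }
```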
Updated by stsp almost 6 years ago
I can reproduce the crash with a new TTCN3 test.
The segfault happens due to stack exhaustion:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6ef870e in free () from /usr/lib/x86_64-linux-gnu/libasan.so.4
(gdb) bt
#0 0x00007ffff6ef870e in free () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#1 0x00007ffff3af65a5 in tzset_internal (always=<optimized out>) at tzset.c:402
#2 __tz_convert (timer=0x7fffff7fff30, use_localtime=use_localtime@entry=1, tp=tp@entry=0x7ffff3e126a0 <_tmbuf>) at tzset.c:584
#3 0x00007ffff3af3591 in __GI_localtime (t=<optimized out>) at localtime.c:39
#4 0x00007ffff3af34c9 in ctime (t=<optimized out>) at ctime.c:27
#5 0x00007ffff6e7e490 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#6 0x00007ffff5ec570a in _output (target=0x6110000000a0, subsys=30, level=5, file=0x7ffff5087b60 "sccp_scrc.c", line=281, cont=0, format=0x7ffff5087e60 "GT Routing not implemented yet\n", ap=0x7fffff801110) at logging.c:374
#7 0x00007ffff5ec6fcd in osmo_vlogp (subsys=30, level=5, file=0x7ffff5087b60 "sccp_scrc.c", line=281, cont=0, format=0x7ffff5087e60 "GT Routing not implemented yet\n", ap=0x7fffff8011d0) at logging.c:525
#8 0x00007ffff5ec73dc in logp2 (subsys=-14, level=5, file=0x7ffff5087b60 "sccp_scrc.c", line=281, cont=0, format=0x7ffff5087e60 "GT Routing not implemented yet\n") at logging.c:558
#9 0x00007ffff502f389 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00046d460, called=0x7fffff801440) at sccp_scrc.c:281
#10 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00046d460) at sccp_scrc.c:488
#11 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b44f68, ctx=0x611000004060) at sccp_user.c:176
#12 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00046d2c0) at osmo_ss7_hmrt.c:94
#13 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00046d2c0) at osmo_ss7_hmrt.c:133
#14 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00046d2c0) at osmo_ss7_hmrt.c:275
#15 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b44340) at osmo_ss7_hmrt.c:304
#16 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00046d1f0) at sccp_scrc.c:109
#17 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00046d1f0, called=0x7fffff8018b0) at sccp_scrc.c:156
#18 0x00007ffff502f073 in scrc_node_12 (inst=0x611000004060, xua=0x60d00046d1f0, called=0x7fffff8018b0) at sccp_scrc.c:200
#19 0x00007ffff502f1ad in scrc_node_7 (inst=0x611000004060, xua=0x60d00046d1f0, called=0x7fffff8018b0) at sccp_scrc.c:244
#20 0x00007ffff502f3a9 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00046d1f0, called=0x7fffff8018b0) at sccp_scrc.c:283
#21 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00046d1f0) at sccp_scrc.c:488
#22 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b43768, ctx=0x611000004060) at sccp_user.c:176
#23 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00046d050) at osmo_ss7_hmrt.c:94
#24 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00046d050) at osmo_ss7_hmrt.c:133
#25 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00046d050) at osmo_ss7_hmrt.c:275
#26 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b42b40) at osmo_ss7_hmrt.c:304
#27 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00047ff60) at sccp_scrc.c:109
#28 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00047ff60, called=0x7fffff801d20) at sccp_scrc.c:156
#29 0x00007ffff502f073 in scrc_node_12 (inst=0x611000004060, xua=0x60d00047ff60, called=0x7fffff801d20) at sccp_scrc.c:200
#30 0x00007ffff502f1ad in scrc_node_7 (inst=0x611000004060, xua=0x60d00047ff60, called=0x7fffff801d20) at sccp_scrc.c:244
#31 0x00007ffff502f3a9 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00047ff60, called=0x7fffff801d20) at sccp_scrc.c:283
#32 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00047ff60) at sccp_scrc.c:488
#33 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b41f68, ctx=0x611000004060) at sccp_user.c:176
#34 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00047fdc0) at osmo_ss7_hmrt.c:94
#35 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00047fdc0) at osmo_ss7_hmrt.c:133
#36 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00047fdc0) at osmo_ss7_hmrt.c:275
#37 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b41340) at osmo_ss7_hmrt.c:304
#38 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00047fcf0) at sccp_scrc.c:109
#39 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00047fcf0, called=0x7fffff802190) at sccp_scrc.c:156
#40 0x00007ffff502f073 in scrc_node_12 (inst=0x611000004060, xua=0x60d00047fcf0, called=0x7fffff802190) at sccp_scrc.c:200
#41 0x00007ffff502f1ad in scrc_node_7 (inst=0x611000004060, xua=0x60d00047fcf0, called=0x7fffff802190) at sccp_scrc.c:244
#42 0x00007ffff502f3a9 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00047fcf0, called=0x7fffff802190) at sccp_scrc.c:283
#43 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00047fcf0) at sccp_scrc.c:488
#44 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b40768, ctx=0x611000004060) at sccp_user.c:176
#45 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00047fb50) at osmo_ss7_hmrt.c:94
#46 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00047fb50) at osmo_ss7_hmrt.c:133
#47 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00047fb50) at osmo_ss7_hmrt.c:275
#48 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b3fb40) at osmo_ss7_hmrt.c:304
#49 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00047fa80) at sccp_scrc.c:109
#50 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00047fa80, called=0x7fffff802600) at sccp_scrc.c:156
#51 0x00007ffff502f073 in scrc_node_12 (inst=0x611000004060, xua=0x60d00047fa80, called=0x7fffff802600) at sccp_scrc.c:200
#52 0x00007ffff502f1ad in scrc_node_7 (inst=0x611000004060, xua=0x60d00047fa80, called=0x7fffff802600) at sccp_scrc.c:244
#53 0x00007ffff502f3a9 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00047fa80, called=0x7fffff802600) at sccp_scrc.c:283
#54 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00047fa80) at sccp_scrc.c:488
#55 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b3ef68, ctx=0x611000004060) at sccp_user.c:176
#56 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00047f8e0) at osmo_ss7_hmrt.c:94
#57 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00047f8e0) at osmo_ss7_hmrt.c:133
#58 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00047f8e0) at osmo_ss7_hmrt.c:275
#59 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b3e340) at osmo_ss7_hmrt.c:304
#60 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00047f810) at sccp_scrc.c:109
#61 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00047f810, called=0x7fffff802a70) at sccp_scrc.c:156
---Type <return> to continue, or q <return> to quit---q
Quit
The entire trace contains more than 81000 stack frames.
Updated by stsp almost 6 years ago
Suggested fix for the infinite recursion problem: https://gerrit.osmocom.org/#/c/libosmo-sccp/+/9463/
Updated by stsp almost 6 years ago
Leaving this issue open until the associated TTCN3 test has been merged.
The current plan is to create a small SCCP testsuite which uses libosmo-sccp's
m3ua_example SCCP test program.
This change allows the m3ua_example program to run as SCCP server with address sanitizer enabled:
https://gerrit.osmocom.org/#/c/libosmo-sccp/+/9477
Updated by stsp over 5 years ago
Related SCCP test suite: https://gerrit.osmocom.org/#/c/osmo-ttcn3-hacks/+/9653/
Updated by stsp over 5 years ago
- Status changed from In Progress to Resolved
The SCCP test suite has been merged.