Bug #2666

closed

osmo-msc crashes when receiving SCCP with RI=GT from A

Added by laforge over 6 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: A interface (AoIP)
Target version: -
Start date: 11/20/2017
Due date:
% Done: 0%
Resolution:
Spec Reference:

Description

On the A interface, we use SCCP with PC/SSN only. However, if an SCCP message with RI (Routing Indicator) = GT (Global Title) arrives, the MSC spits out several hundred identical messages (hinting at infinite recursion of some sort) and finally crashes:

<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
<002e> sccp_scrc.c:279 GT Routing not implemented yet
[1]    10151 segmentation fault  ./osmo-msc
Actions #1

Updated by laforge over 6 years ago

  • Category set to A interface (AoIP)
Actions #2

Updated by laforge almost 6 years ago

  • Assignee changed from laforge to stsp
Actions #3

Updated by stsp almost 6 years ago

What do I need to do to reproduce this problem?

Actions #4

Updated by laforge almost 6 years ago

On Mon, May 07, 2018 at 11:19:51AM +0000, stsp [REDMINE] wrote:

> What do I need to do to reproduce this problem?

You need to send a SCCP message that has the routing indicator set to GT (global title)
instead of PC/SSN (point code / ssn). You will need to construct it in some way (either in TTCN3
or using libosmo-sigtran).

In TTCN3 we're currently using ts_SccpAddr_PC_SSN() to generate our SCCP addresses,
which sets
  • no globalTitle
  • addressIndicator.globalTitleIndic '0000'B (no global title included)
  • addressIndicator.routingIndicator '1'B (route on SSN)

you will need to set e.g.

addressIndicator.globalTitleIndic := '0001'B (NAI only)
addressIndicator.routingIndicator := '0'B (route on GT)
globalTitle := {
    gti0001 := {
        natureOfAddress := '0000011'B,
        oddeven := '0'B,
        globalTitleAddress := '012345'H
    }
}

See ITU-T Q.713 Section 3.4 for the definition of the "Called Party Address"
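
The address indicator fields named in the comment above, decoded from the first octet of a Called Party Address as laid out in ITU-T Q.713 Section 3.4, with a check suited to a node that only routes on PC/SSN. This is an added example, not part of the original comment and not libosmo-sccp code; the type and function names, the verdict codes and both sample addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum addr_verdict { ADDR_OK = 0, ADDR_TRUNCATED = -1,
                    ADDR_ROUTE_ON_GT = -2, ADDR_NO_SSN = -3 };

struct sccp_addr_ind {
    unsigned pc_present;   /* bit 1: point code included */
    unsigned ssn_present;  /* bit 2: subsystem number included */
    unsigned gti;          /* bits 3-6: global title indicator */
    unsigned route_on_ssn; /* bit 7: 1 = route on SSN, 0 = route on GT */
};

/* Fixed octets preceding the GT digits for GTI 0000..0100 */
static const size_t gt_hdr_len[5] = { 0, 1, 1, 2, 3 };

/* Constructed samples: PC+SSN address (RI=SSN) and a GTI=0001 address
 * (RI=GT, NAI=3, three octets of constructed address digits). */
static const uint8_t sample_pc_ssn[] = { 0x43, 0xb9, 0x00, 0xfe };
static const uint8_t sample_gt[]     = { 0x04, 0x03, 0x10, 0x32, 0x54 };

/* Decode the address indicator and decide whether a PC/SSN-only node
 * may route on this address. *ai is filled whenever len >= 1. */
enum addr_verdict check_called_addr(const uint8_t *buf, size_t len,
                                    struct sccp_addr_ind *ai)
{
    size_t need = 1;
    if (len < 1)
        return ADDR_TRUNCATED;
    ai->pc_present   = buf[0] & 0x01;
    ai->ssn_present  = (buf[0] >> 1) & 0x01;
    ai->gti          = (buf[0] >> 2) & 0x0f;
    ai->route_on_ssn = (buf[0] >> 6) & 0x01;
    need += ai->pc_present ? 2 : 0;   /* ITU point code: 2 octets */
    need += ai->ssn_present ? 1 : 0;
    if (ai->gti < 5)
        need += gt_hdr_len[ai->gti];
    if (len < need)
        return ADDR_TRUNCATED;
    if (!ai->route_on_ssn)
        return ADDR_ROUTE_ON_GT;      /* needs GT translation we lack */
    return ai->ssn_present ? ADDR_OK : ADDR_NO_SSN;
}

int main(void)
{
    struct sccp_addr_ind ai;
    printf("PC/SSN: %d\n", check_called_addr(sample_pc_ssn, sizeof(sample_pc_ssn), &ai));
    printf("GT:     %d\n", check_called_addr(sample_gt, sizeof(sample_gt), &ai));
    return 0;
}
```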

Actions #5

Updated by stsp almost 6 years ago

  • Status changed from New to In Progress
Actions #6

Updated by stsp almost 6 years ago

I can reproduce the crash with a new TTCN3 test.

The segfault happens due to stack exhaustion:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6ef870e in free () from /usr/lib/x86_64-linux-gnu/libasan.so.4
(gdb) bt
#0  0x00007ffff6ef870e in free () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#1  0x00007ffff3af65a5 in tzset_internal (always=<optimized out>) at tzset.c:402
#2  __tz_convert (timer=0x7fffff7fff30, use_localtime=use_localtime@entry=1, tp=tp@entry=0x7ffff3e126a0 <_tmbuf>) at tzset.c:584
#3  0x00007ffff3af3591 in __GI_localtime (t=<optimized out>) at localtime.c:39
#4  0x00007ffff3af34c9 in ctime (t=<optimized out>) at ctime.c:27
#5  0x00007ffff6e7e490 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#6  0x00007ffff5ec570a in _output (target=0x6110000000a0, subsys=30, level=5, file=0x7ffff5087b60 "sccp_scrc.c", line=281, cont=0, format=0x7ffff5087e60 "GT Routing not implemented yet\n", ap=0x7fffff801110)
    at logging.c:374
#7  0x00007ffff5ec6fcd in osmo_vlogp (subsys=30, level=5, file=0x7ffff5087b60 "sccp_scrc.c", line=281, cont=0, format=0x7ffff5087e60 "GT Routing not implemented yet\n", ap=0x7fffff8011d0) at logging.c:525
#8  0x00007ffff5ec73dc in logp2 (subsys=-14, level=5, file=0x7ffff5087b60 "sccp_scrc.c", line=281, cont=0, format=0x7ffff5087e60 "GT Routing not implemented yet\n") at logging.c:558
#9  0x00007ffff502f389 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00046d460, called=0x7fffff801440) at sccp_scrc.c:281
#10 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00046d460) at sccp_scrc.c:488
#11 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b44f68, ctx=0x611000004060) at sccp_user.c:176
#12 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00046d2c0) at osmo_ss7_hmrt.c:94
#13 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00046d2c0) at osmo_ss7_hmrt.c:133
#14 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00046d2c0) at osmo_ss7_hmrt.c:275
#15 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b44340) at osmo_ss7_hmrt.c:304
#16 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00046d1f0) at sccp_scrc.c:109
#17 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00046d1f0, called=0x7fffff8018b0) at sccp_scrc.c:156
#18 0x00007ffff502f073 in scrc_node_12 (inst=0x611000004060, xua=0x60d00046d1f0, called=0x7fffff8018b0) at sccp_scrc.c:200
#19 0x00007ffff502f1ad in scrc_node_7 (inst=0x611000004060, xua=0x60d00046d1f0, called=0x7fffff8018b0) at sccp_scrc.c:244
#20 0x00007ffff502f3a9 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00046d1f0, called=0x7fffff8018b0) at sccp_scrc.c:283
#21 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00046d1f0) at sccp_scrc.c:488
#22 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b43768, ctx=0x611000004060) at sccp_user.c:176
#23 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00046d050) at osmo_ss7_hmrt.c:94
#24 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00046d050) at osmo_ss7_hmrt.c:133
#25 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00046d050) at osmo_ss7_hmrt.c:275
#26 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b42b40) at osmo_ss7_hmrt.c:304
#27 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00047ff60) at sccp_scrc.c:109
#28 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00047ff60, called=0x7fffff801d20) at sccp_scrc.c:156
#29 0x00007ffff502f073 in scrc_node_12 (inst=0x611000004060, xua=0x60d00047ff60, called=0x7fffff801d20) at sccp_scrc.c:200
#30 0x00007ffff502f1ad in scrc_node_7 (inst=0x611000004060, xua=0x60d00047ff60, called=0x7fffff801d20) at sccp_scrc.c:244
#31 0x00007ffff502f3a9 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00047ff60, called=0x7fffff801d20) at sccp_scrc.c:283
#32 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00047ff60) at sccp_scrc.c:488
#33 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b41f68, ctx=0x611000004060) at sccp_user.c:176
#34 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00047fdc0) at osmo_ss7_hmrt.c:94
#35 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00047fdc0) at osmo_ss7_hmrt.c:133
#36 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00047fdc0) at osmo_ss7_hmrt.c:275
#37 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b41340) at osmo_ss7_hmrt.c:304
#38 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00047fcf0) at sccp_scrc.c:109
#39 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00047fcf0, called=0x7fffff802190) at sccp_scrc.c:156
#40 0x00007ffff502f073 in scrc_node_12 (inst=0x611000004060, xua=0x60d00047fcf0, called=0x7fffff802190) at sccp_scrc.c:200
#41 0x00007ffff502f1ad in scrc_node_7 (inst=0x611000004060, xua=0x60d00047fcf0, called=0x7fffff802190) at sccp_scrc.c:244
#42 0x00007ffff502f3a9 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00047fcf0, called=0x7fffff802190) at sccp_scrc.c:283
#43 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00047fcf0) at sccp_scrc.c:488
#44 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b40768, ctx=0x611000004060) at sccp_user.c:176
#45 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00047fb50) at osmo_ss7_hmrt.c:94
#46 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00047fb50) at osmo_ss7_hmrt.c:133
#47 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00047fb50) at osmo_ss7_hmrt.c:275
#48 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b3fb40) at osmo_ss7_hmrt.c:304
#49 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00047fa80) at sccp_scrc.c:109
#50 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00047fa80, called=0x7fffff802600) at sccp_scrc.c:156
#51 0x00007ffff502f073 in scrc_node_12 (inst=0x611000004060, xua=0x60d00047fa80, called=0x7fffff802600) at sccp_scrc.c:200
#52 0x00007ffff502f1ad in scrc_node_7 (inst=0x611000004060, xua=0x60d00047fa80, called=0x7fffff802600) at sccp_scrc.c:244
#53 0x00007ffff502f3a9 in scrc_translate_node_9 (inst=0x611000004060, xua=0x60d00047fa80, called=0x7fffff802600) at sccp_scrc.c:283
#54 0x00007ffff5030188 in scrc_rx_mtp_xfer_ind_xua (inst=0x611000004060, xua=0x60d00047fa80) at sccp_scrc.c:488
#55 0x00007ffff503f4e0 in mtp_user_prim_cb (oph=0x61e002b3ef68, ctx=0x611000004060) at sccp_user.c:176
#56 0x00007ffff505afe0 in deliver_to_mtp_user (osu=0x6110000040a8, xua=0x60d00047f8e0) at osmo_ss7_hmrt.c:94
#57 0x00007ffff505b373 in hmdt_message_for_distribution (inst=0x6140000006a0, xua=0x60d00047f8e0) at osmo_ss7_hmrt.c:133
#58 0x00007ffff505c3b8 in m3ua_hmdc_rx_from_l2 (inst=0x6140000006a0, xua=0x60d00047f8e0) at osmo_ss7_hmrt.c:275
#59 0x00007ffff505c748 in osmo_ss7_user_mtp_xfer_req (inst=0x6140000006a0, omp=0x61e002b3e340) at osmo_ss7_hmrt.c:304
#60 0x00007ffff502e75a in sua2sccp_tx_m3ua (inst=0x611000004060, sua=0x60d00047f810) at sccp_scrc.c:109
#61 0x00007ffff502ec31 in gen_mtp_transfer_req_xua (inst=0x611000004060, xua=0x60d00047f810, called=0x7fffff802a70) at sccp_scrc.c:156
---Type <return> to continue, or q <return> to quit---q
Quit

The entire trace contains more than 81000 stack frames.
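
A simplified model of the cycle visible in the backtrace above, where a route-on-GT message is handed to MTP unchanged and is distributed straight back to the local SCCP receive path. This is an added example, not libosmo-sccp code: the function names, the point code and the entry cap are constructed, and the guarded branch is an assumed mitigation, not necessarily what the Gerrit change does.

```c
#include <stdio.h>

#define LOCAL_PC    185u  /* constructed point code of this node */
#define MAX_ENTRIES 1000u /* model-only cap so the unguarded run ends */

enum mode { UNGUARDED, GUARDED };
struct msg { unsigned dpc; int route_on_gt; };

static unsigned entries; /* times the SCCP receive path was entered */
static int sccp_rx(const struct msg *m, enum mode mode);

/* MTP level: a DPC equal to our own point code means local distribution,
 * i.e. the message is handed straight back to the SCCP user. */
static int mtp_xfer_req(const struct msg *m, enum mode mode)
{
    return m->dpc == LOCAL_PC ? sccp_rx(m, mode) : 0;
}

/* Returns 1 = delivered, 0 = forwarded, -1 = rejected, -2 = cap hit. */
static int sccp_rx(const struct msg *m, enum mode mode)
{
    if (++entries > MAX_ENTRIES)
        return -2; /* the real process has no cap and exhausts its stack */
    if (!m->route_on_gt)
        return 1;  /* RI=SSN: deliver to the local subsystem */
    /* RI=GT, but no global title translation exists. */
    if (mode == GUARDED)
        return -1; /* assumed mitigation: reject instead of forwarding */
    return mtp_xfer_req(m, mode); /* unchanged message re-enters sccp_rx */
}

/* Run one message addressed to the local point code through the model. */
int simulate(int route_on_gt, enum mode mode, unsigned *n_entries)
{
    struct msg m = { LOCAL_PC, route_on_gt };
    int rc;
    entries = 0;
    rc = sccp_rx(&m, mode);
    *n_entries = entries;
    return rc;
}

int main(void)
{
    unsigned n;
    int rc = simulate(1, UNGUARDED, &n);
    printf("unguarded RI=GT: rc=%d after %u entries\n", rc, n);
    rc = simulate(1, GUARDED, &n);
    printf("guarded   RI=GT: rc=%d after %u entries\n", rc, n);
    return 0;
}
```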

Actions #7

Updated by stsp almost 6 years ago

Suggested fix for the infinite recursion problem: https://gerrit.osmocom.org/#/c/libosmo-sccp/+/9463/

Actions #8

Updated by stsp almost 6 years ago

Leaving this issue open until the associated TTCN3 test has been merged.

The current plan is to create a small SCCP testsuite which uses libosmo-sccp's
m3ua_example SCCP test program.

This change allows the m3ua_example program to run as SCCP server with address sanitizer enabled:
https://gerrit.osmocom.org/#/c/libosmo-sccp/+/9477

Actions #10

Updated by stsp over 5 years ago

  • Status changed from In Progress to Resolved

The SCCP test suite has been merged.
