sms: Fix crash on RLL Establish Request timeouts with active call
Sylvain pointed out that in the current crash log the transaction
we try to read the SMS from is actually a transaction for Call
Control. On AMD64 the struct layout is different and that leads to
a crash when the CC transaction is in front of the SMS transaction.
Check trans->protocol before touching the SMS state to fix the crash. The issue got
introduced in 6a3d765bf97349535602ed5b2b55d2093aa18d71 (2010)
when I added the SAPI N Reject handling.
#0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
at smpp_openbsc.c:284
284 if (sms->source != SMS_SOURCE_SMPP)
(gdb) bt
#0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
at smpp_openbsc.c:284
#1 0x00007f424e4a094c in osmo_signal_dispatch (subsys=1, signal=4,
signal_data=0x7fff33574ea0) at signal.c:105
#2 0x000000000042b070 in send_signal (sig_no=<optimized out>, trans=<optimized out>,
sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:125
#3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
#4 0x0000000000408983 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>)
at bsc_api.c:733
#5 rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:755
#6 rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:736
#7 0x000000000041f8d2 in complete_rllr (rllr=<optimized out>, type=<optimized out>)
at bsc_rll.c:55
#8 0x00007f424e4a03bc in osmo_timers_update () at timer.c:243
#9 0x00007f424e4a069b in osmo_select_main (polling=0) at select.c:133
#10 0x0000000000407394 in main (argc=<optimized out>, argv=0x7fff33575238) at bsc_hack.c:346
(gdb) frame 3
#3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
1000 send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
(gdb) p trans
$1 = (struct gsm_trans *) 0xedba80
(gdb) p *trans
....
data = 0x1}}, sms = 0x3439323400000003}}}
(gdb) p trans->protocol
$4 = 3 '\003'
diff --git a/openbsc/src/libmsc/gsm_04_11.c b/openbsc/src/libmsc/gsm_04_11.c
index 19b6030..97a67ee 100644
--- a/openbsc/src/libmsc/gsm_04_11.c
+++ b/openbsc/src/libmsc/gsm_04_11.c
@@ -988,19 +988,24 @@
net = conn->bts->network;
- llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry)
- if (trans->conn == conn) {
- struct gsm_sms *sms = trans->sms.sms;
- if (!sms) {
- LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no "
- "SMS.\n");
- continue;
- }
+ llist_for_each_entry_safe(trans, tmp, &net->trans_list, entry) {
+ struct gsm_sms *sms;
- send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
- sms_free(sms);
- trans->sms.sms = NULL;
- trans_free(trans);
+ if (trans->conn != conn)
+ continue;
+ if (trans->protocol != GSM48_PDISC_SMS)
+ continue;
+
+ sms = trans->sms.sms;
+ if (!sms) {
+ LOGP(DLSMS, LOGL_ERROR, "SAPI Reject but no SMS.\n");
+ continue;
}
+
+ send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
+ sms_free(sms);
+ trans->sms.sms = NULL;
+ trans_free(trans);
+ }
}
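Review bot: The new `trans->protocol != GSM48_PDISC_SMS` guard is the whole fix, yet nothing in the code says why it is needed, so the next person walking `net->trans_list` for SMS state will likely repeat the same bug; add a comment above it such as `/* trans->sms aliases the CC state (presumably a union keyed on protocol): only read it when the transaction really is SMS */`. The backtrace shows the bad read came from a transaction with protocol 3 (CC) holding `sms = 0x3439923400000003`, i.e. peer-influenced call-control bytes were dereferenced as a `struct gsm_sms *` in the SMPP signal handler — a remote crash reachable by any MS with an active call plus a pending SMS when the RLL establish times out, so it is worth auditing the other `trans->sms.sms` readers outside this hunk for the same missing discriminator check. Also note that `trans_free(trans)` may tear down state tied to `conn`; the loop only compares `conn` by address afterwards, which is fine, but anything later in the function that dereferences `conn` should be checked since `gsm411_sapi_n_reject` begins and ends outside this hunk.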