commit a06ac18d2249ba16fb9272ba83a3b1a9453a3134
author Pau Espin Pedrol <pespin@sysmocom.de> Tue Jan 26 19:13:43 2021 +0100
committer Pau Espin Pedrol <pespin@sysmocom.de> Fri Jan 29 12:59:30 2021 +0100
tree 38573e1808819bd8745ad12fdf16e2f4dabd918e
parent 41a22a7ab816df7de9cbd4f398e106cc77dd81a5

NACC: Send only Pkt Cell Chg Continue if SI retrieve fails

If fore some reason we fail to fetch SI of target cell, we move
directly to NACC_ST_TX_CELL_CHG_CONTINUE in order to submit a Cell
Change Continue against the MS without providing any Packet Neighbor
Cell Data beforehand, as per spec that's probably the best we can do
in this scenario (TS 44.060):
"""
1)  The network responds with a PACKET CELL CHANGE CONTINUE message.
If a mobile station as response to a PACKET CELL CHANGE NOTIFICATION
message receives a PACKET CELL CHANGE CONTINUE message without receiving
any neighbour cell system information, the mobile station shall stop timer
T3208, stop timer T3210 if still running, leave CCN mode and continue cell
reselection in NC0/NC1 mode.
"""

This commit also fixes a use-after-free triggered by TTCN3 test
TC_nacc_outbound_rac_ci-resolve_fail_parse_response, where the "cmd"
pointer passed to nacc_fsm_ctrl_reply_cb() was freed during FSM
termination (its talloc ctx was under ctx->neigh_ctrl_conn) and the
libosmocore code calling that callback was later on accessing
cmd->defer.
Since due to this change the FSM is no longer syncrhonously freed, the
issue is gone.

Related: SYS#4909
Change-Id: Ie3f12a08ad611b1086d3f4ab7c3d34af43c07961

src/nacc_fsm.c

diff --git a/src/nacc_fsm.c b/src/nacc_fsm.c
index 85e29c5..fcf4b58 100644
--- a/src/nacc_fsm.c
+++ b/src/nacc_fsm.c
@@ -342,7 +342,7 @@
 
 err_term:
 	talloc_free(cmd);
-	osmo_fsm_inst_term(fi, OSMO_FSM_TERM_ERROR, NULL);
+	nacc_fsm_state_chg(fi, NACC_ST_TX_CELL_CHG_CONTINUE);
 }
 
 
@@ -383,14 +383,14 @@
 
 	/* SI info not in cache, resolve it using RIM procedure against SGSN */
 	if (fill_rim_ran_info_req(ctx, &pdu) < 0) {
-		osmo_fsm_inst_term(fi, OSMO_FSM_TERM_ERROR, NULL);
+		nacc_fsm_state_chg(fi, NACC_ST_TX_CELL_CHG_CONTINUE);
 		return;
 	}
 
 	rc = bssgp_tx_rim(&pdu, gprs_ns2_nse_nsei(ctx->ms->bts->nse));
 	if (rc < 0) {
 		LOGPFSML(fi, LOGL_ERROR, "Failed transmitting RIM PDU: %d\n", rc);
-		osmo_fsm_inst_term(fi, OSMO_FSM_TERM_ERROR, NULL);
+		nacc_fsm_state_chg(fi, NACC_ST_TX_CELL_CHG_CONTINUE);
 		return;
 	}
 }
@@ -578,7 +578,7 @@
 		 cmd->type, cmd->variable, osmo_escape_str(cmd->reply, -1));
 
 	if (cmd->type != CTRL_TYPE_GET_REPLY || !cmd->reply) {
-		osmo_fsm_inst_term(ctx->fi, OSMO_FSM_TERM_ERROR, NULL);
+		nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE);
 		return;
 	}
 
@@ -618,7 +618,7 @@
 
 free_ret:
 	talloc_free(tmp);
-	osmo_fsm_inst_term(ctx->fi, OSMO_FSM_TERM_ERROR, NULL);
+	nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE);
 	return;
 }