commit 2a98a73be4fbd361d372e28c79a2fc2dc37709fe
author Philipp Maier <pmaier@sysmocom.de> Mon Mar 19 16:06:12 2018 +0100
committer Philipp Maier <pmaier@sysmocom.de> Mon Mar 19 16:12:31 2018 +0100
tree 41af5ebccdc750673699e9c4fcace03ed25b12f1
parent cd6685767140891d1d21b76e6ce65549dce1b994

MSC_Tests: Test what happens when the DLCX is dropped

Test the reaction of osmo-msc when the DLCX at the end of a call
is not answered. Normally osmo-msc should time out and clear the
connection.

Change-ID osmo-msc:I78f1b6a9149488a4ad3f120c1e190a83c07d4b89 fixes
a regression that causes osmo-msc to segfault due to a use after
free. This testcase provokes the situation that leads to the
crash.

Change-Id: Ic124ea116496209f9a1d8e74ae3e3a36cf866db0
Related OS#2881
Related OS#2882

msc/MSC_Tests.ttcn

diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index 698b341..5ae5d60 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -1734,6 +1734,45 @@
 }
 
 
+/* LU followed by MT call (including paging) */
+private function f_tc_lu_and_mt_call_no_dlcx_resp(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
+	f_init_handler(pars);
+	//FIXME: odd digits var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
+	var CallParameters cpars := valueof(t_CallParams('123456'H, 0));
+	cpars.bss_rtp_port := 1110;
+	cpars.mgcp_connection_id_bss := '10004'H;
+	cpars.mgcp_connection_id_mss := '10005'H;
+
+	/* Note: This is an optional parameter. When the call-agent (MSC) does
+	 * supply a full endpoint name this setting will be overwritten. */
+	cpars.mgcp_ep := "rtpbridge/1@mgw";
+
+	/* Intentionally disable the CRCX response */
+	cpars.mgw_drop_dlcx := true;
+
+	/* Perform location update and call */
+	f_perform_lu();
+	f_mt_call(cpars);
+}
+testcase TC_lu_and_mt_call_no_dlcx_resp() runs on MTC_CT {
+	var BSC_ConnHdlr vc_conn;
+	f_init();
+
+	/* Perform an almost normal looking locationupdate + mt-call, but do
+	 * not respond to the DLCX at the end of the call */
+	vc_conn := f_start_handler(refers(f_tc_lu_and_mt_call_no_dlcx_resp), 41);
+	vc_conn.done;
+
+	/* Wait a guard period until the MGCP layer in the MSC times out,
+	 * if the MSC is vulnerable to the use-after-free situation that is
+	 * fixed by I78f1b6a9149488a4ad3f120c1e190a83c07d4b89 then it should
+	 * segfault now */
+	f_sleep(6.0);
+
+	/* Run the init procedures once more. If the MSC has crashed, this
+	 * this will fail */
+	f_init();
+}
 
 /* TODO:
    * continue to send repeated MO signalling messages to keep channel open: does MSC tmeout?
@@ -1791,6 +1830,7 @@
 	execute( TC_lu_imsi_auth_tmsi_encr_13_2() );
 	execute( TC_lu_imsi_auth_tmsi_encr_013_2() );
 	execute( TC_mo_release_timeout() );
+	execute( TC_lu_and_mt_call_no_dlcx_resp() );
 
 	execute( TC_lu_and_mt_call() );