msc: add f_tc_invalid_mgcp_crash
Make sure that osmo-msc doesn't crash if a successful CRCX response contains an
invalid IP address.
Originally, and until recently, osmo-msc did not validate the IP addresses at all. In an
intermediate patch I added error handling, releasing the call. That uncovered a
use-after-free problem in libosmo-mgcp-client. This problem is fixed by
osmo_fsm_set_dealloc_ctx() and an osmo-mgw fix (see
I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3 in osmo-mgw).
Add this test to make sure the crash is not re-introduced.
Change-Id: I0c76b0a7a33a96a39a242ecd387ba3769161cf7a
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index 4ef592f..480ec96 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -5662,6 +5662,29 @@
vc_conn.done;
}
+friend function f_tc_invalid_mgcp_crash(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
+ f_init_handler(pars);
+ var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
+
+ /* Set invalid IP address so that osmo-msc discards the rtp_stream and MGCP endpoint FSM instances in the middle
+ * of successful MGCP response dispatch. If things aren't safeguarded, the on_success() in osmo_mgcpc_ep_fsm
+ * will cause a use-after-free after that event dispatch. */
+ cpars.mgw_conn_1.mgw_rtp_ip := "0.0.0.0";
+ cpars.mgw_conn_2.mgw_rtp_ip := "0.0.0.0";
+ cpars.rtp_sdp_format := "FOO/8000";
+ cpars.expect_release := true;
+
+ f_perform_lu();
+ f_mo_call_establish(cpars);
+}
+testcase TC_invalid_mgcp_crash() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+ f_init();
+
+ vc_conn := f_start_handler(refers(f_tc_invalid_mgcp_crash), 7);
+ vc_conn.done;
+}
+
control {
execute( TC_cr_before_reset() );
execute( TC_lu_imsi_noauth_tmsi() );
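Review bot: In f_tc_invalid_mgcp_crash the comment explains only the two `mgw_rtp_ip := "0.0.0.0"` assignments, while `cpars.rtp_sdp_format := "FOO/8000"` is a second invalid input that goes unexplained. With both set, the test does not show which one makes osmo-msc release the call, so a later change in SDP handling could leave the test passing without reaching the invalid-IP path that exposed the use-after-free. Either drop that line or document it, for example `/* rtp_sdp_format is also invalid on purpose; the release under test is expected to come from the 0.0.0.0 address */`. Separately, a use-after-free does not always crash the process, so passing on `expect_release := true` alone is weak evidence. The comment should say that the test is presumably most meaningful against a sanitizer-enabled osmo-msc build.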
@@ -5792,6 +5815,7 @@
if (mp_enable_osmux_test) {
execute( TC_lu_and_mt_call_osmux() );
}
+ execute( TC_invalid_mgcp_crash() );
}