From 8df6962dec80e90aedd36984ae179d706235569c Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Sat, 2 Nov 2019 19:16:03 +0100
Subject: msc: add f_tc_invalid_mgcp_crash Make sure that osmo-msc doesn't crash if a successful CRCX response contains an invalid IP address. Originally/recently, osmo-msc did not validate the IP addresses at all. In an intermediate patch I added error handling, releasing the call. That uncovered a use-after-free problem in libosmo-mgcp-client. This problem is fixed by osmo_fsm_set_dealloc_ctx() and an osmo-mgw fix (see I7df2e9202b04e7ca7366bb0a8ec53cf3bb14faf3 in osmo-mgw). Add this test to make sure the crash is not re-introduced.
Change-Id: I0c76b0a7a33a96a39a242ecd387ba3769161cf7a
---
 msc/MSC_Tests.ttcn | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 'msc/MSC_Tests.ttcn')
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index 4ef592f0..480ec96b 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -5662,6 +5662,29 @@ testcase TC_lu_imsi_auth_tmsi_check_imei_early_err() runs on MTC_CT {
 vc_conn.done;
 }
+friend function f_tc_invalid_mgcp_crash(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
+ f_init_handler(pars);
+ var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
+
+ /* Set invalid IP address so that osmo-msc discards the rtp_stream and MGCP endpoint FSM instances in the middle
+ * of successful MGCP response dispatch. If things aren't safeguarded, the on_success() in osmo_mgcpc_ep_fsm
+ * will cause a use-after-free after that event dispatch. */
+ cpars.mgw_conn_1.mgw_rtp_ip := "0.0.0.0";
+ cpars.mgw_conn_2.mgw_rtp_ip := "0.0.0.0";
+ cpars.rtp_sdp_format := "FOO/8000";
+ cpars.expect_release := true;
+
+ f_perform_lu();
+ f_mo_call_establish(cpars);
+}
+testcase TC_invalid_mgcp_crash() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+ f_init();
+
+ vc_conn := f_start_handler(refers(f_tc_invalid_mgcp_crash), 7);
+ vc_conn.done;
+}
+
 control {
 execute( TC_cr_before_reset() );
 execute( TC_lu_imsi_noauth_tmsi() );
@@ -5792,6 +5815,7 @@ control {
 if (mp_enable_osmux_test) {
 execute( TC_lu_and_mt_call_osmux() );
 }
+ execute( TC_invalid_mgcp_crash() );
 }
-- 
cgit v1.2.3
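Review bot: The block comment in f_tc_invalid_mgcp_crash explains the `0.0.0.0` addresses but not `cpars.rtp_sdp_format := "FOO/8000"`, so a reader cannot tell which of the two values is meant to drive osmo-msc into the release path that this use-after-free regression test depends on. `0.0.0.0` is also a well-formed IPv4 string (the unspecified address), so the test presumably relies on osmo-msc rejecting that particular value rather than on a parse failure; if the validation rule changes later, the test may stop exercising the teardown during MGCP response dispatch. I would extend the comment to say so, for example `* 0.0.0.0 parses as IPv4 but must be rejected by osmo-msc as an RTP address; expect_release asserts that the rejection path was taken.`, and add one line stating whether the bogus SDP format is required for the trigger or incidental. Whether a crash of osmo-msc itself fails the testcase depends on f_mo_call_establish and the harness, which are outside this hunk.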