From de80976d94ca0f38651dcdc6c337d53e7f2ee04a Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol
Date: Fri, 8 Nov 2019 18:50:25 +0100
Subject: gmm: Fix assertion hit during RA UPD REQ before completing gmm attach

Output:
20191107021548500 DMM <0002> gprs_gb.c:40 MM_STATE_Gb(2596296189)[0x6120000084a0]{Idle}: Received Event E_MM_PDU_RECEPTION
20191107021548500 DMM <0002> gprs_gmm.c:1531 MM(/d4b6d7af) -> GMM RA UPDATE REQUEST type="RA updating"
20191107021548501 DMM <0002> gprs_gmm.c:1615 MM(/d4b6d7af) The MM context cannot be used, RA: 901-70-2758-208
Assert failed mmctx->gb.llme == NULL gprs_gmm.c:1620

Scenario reproducing the crash can be triggered with TTCN3 SGSN_Tests.TC_attach_req_id_req_ra_update. Basically, SGSN first receives an ATTACH REQ with a given RA ID, then SGSN switches to state CommonProcedureInitiated and sends GMM ID REQ, and MS/PCU answers immediately with a RA Update instead with a new RA ID.

Related: OS#3957, OS#4245
Change-Id: I64fa5cf1b427d3abb99e553e584897261a827ce6

--- src/sgsn/gprs_gmm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/sgsn/gprs_gmm.c') diff --git a/src/sgsn/gprs_gmm.c b/src/sgsn/gprs_gmm.c index b6b16854b..17daa7dcd 100644 --- a/src/sgsn/gprs_gmm.c +++ b/src/sgsn/gprs_gmm.c @@ -1615,9 +1615,9 @@ static int gsm48_rx_gmm_ra_upd_req(struct sgsn_mm_ctx *mmctx, struct msgb *msg, osmo_rai_name(&mmctx->ra)); /* mmctx is set to NULL and gprs_llgmm_unassign(llme) will be called below, let's make sure we don't keep dangling llme - pointers in mmctx (OS#3957). */ + pointers in mmctx (OS#3957, OS#4245). */ if (mmctx->ran_type == MM_CTX_T_GERAN_Gb) - OSMO_ASSERT(mmctx->gb.llme == NULL); + mmctx->gb.llme = NULL; mmctx = NULL; }
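Review bot: Replacing `OSMO_ASSERT(mmctx->gb.llme == NULL);` with `mmctx->gb.llme = NULL;` stops the crash, but it also turns a state the old code treated as impossible (an MM context still holding its llme when this "context cannot be used" path abandons it) into a silently accepted one, and neither the updated comment nor the commit message explains why that is safe. The commit message gives the trigger (ATTACH REQ, SGSN in CommonProcedureInitiated after sending GMM ID REQ, then a RA UPDATE REQ with a new RA ID): after this change the old context is left behind in that state with its llme pointer cleared while `gprs_llgmm_unassign(llme)` runs below on the same llme, so it would help to say what happens to that context and to the identification procedure it still has in flight, or to add a log line before the assignment so the event stays visible in traces rather than vanishing together with the assert. A short note in the comment that OS#4245 is the case where llme is still attached at this point would also make clear why the two ticket numbers refer to different paths.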