TEXT codec and abort() via regerror() [message #1777134] Fri, 24 November 2017 19:53
Harald Welte

I'm running a TEXT based MGCP decoder in a somewhat more complex parallel test configuration, and it fails with the following backtrace:

 ./IPA_Test: Abort was called
/usr/lib/titan/libttcn3-parallel-dynamic.so(_Z14signal_handleri+0xa3)[0x7f9a77b23813]
/lib/x86_64-linux-gnu/libc.so.6(+0x33af0)[0x7f9a761e7af0]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x110)[0x7f9a761e7a70]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x17a)[0x7f9a761e919a]
/lib/x86_64-linux-gnu/libc.so.6(regerror+0x75)[0x7f9a76286985]
/usr/lib/titan/libttcn3-parallel-dynamic.so(_ZNK11Token_Match11match_beginER11TTCN_Buffer+0x1b1)[0x7f9a77af1b11]
./MGCP_Types.so(_ZN11MGCP__Types11MgcpCommand11TEXT_decodeERK21TTCN_Typedescriptor_tR11TTCN_BufferR16Limit_Token_Listbb+0x90)[0x7f9a7ea70904]
./MGCP_Types.so(_ZN11MGCP__Types11MgcpCommand6decodeERK21TTCN_Typedescriptor_tR11TTCN_BufferN11TTCN_EncDec8coding_tEz+0x417)[0x7f9a7ea70229]
./MGCP_Types.so(_ZN11MGCP__Types16dec__MgcpCommandERK10CHARSTRING+0xbc)[0x7f9a7ea81323]
./IPA_Emulation.so(_ZN14IPA__Emulation17f__mgcp__to__userERK11OCTETSTRING+0x11b)[0x7f9a7fa0ad41]
./IPA_Emulation.so(_ZN14IPA__Emulation10ScanEventsEv+0x520)[0x7f9a7fa0b44d]
./IPA_Emulation.so(_ZN14IPA__Emulation12main__clientERK10CHARSTRINGRK7INTEGERS2_S5_+0xa1)[0x7f9a7fa0a8c4]
./IPA_Emulation.so(+0x21ba5)[0x7f9a7fa0cba5]
/usr/lib/titan/libttcn3-parallel-dynamic.so(_ZN11Module_List14start_functionEPKcS1_R8Text_Buf+0x2b)[0x7f9a77ad5d3b]
/usr/lib/titan/libttcn3-parallel-dynamic.so(_ZN12TTCN_Runtime14start_functionEPKcS1_R8Text_Buf+0x25)[0x7f9a77ae69e5]
/usr/lib/titan/libttcn3-parallel-dynamic.so(_ZN18TTCN_Communication13process_startEv+0x42)[0x7f9a77aad802]
/usr/lib/titan/libttcn3-parallel-dynamic.so(_ZN18TTCN_Communication23process_all_messages_tcEv+0x2f5)[0x7f9a77aae055]
/usr/lib/titan/libttcn3-parallel-dynamic.so(_ZN12TTCN_Runtime8ptc_mainEv+0xdf)[0x7f9a77aea50f]
/usr/lib/titan/libttcn3-parallel-dynamic.so(main+0x330)[0x7f9a77824da0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f9a761d4561]
./IPA_Test(+0xa1a)[0x564e293a0a1a]
MC@nataraja: Unexpected end of PTC connection (6) from 127.0.0.1 [127.0.0.1].                                                                                    


So the generated code wants to do something with regular expressions and then that fails, hence it calls regerror() but this in turn crashes with an abort.

In TEXT.cc of titan.core I can find
int Token_Match::match_begin(TTCN_Buffer& buff) const
{
  int retval=-1;
  int ret_val=-1;
  if(null_match){
    if (TTCN_EncDec::get_error_behavior(TTCN_EncDec::ET_LOG_MATCHING) !=
        TTCN_EncDec::EB_IGNORE) {
      char msg[ERRMSG_BUFSIZE2];
      regerror(ret_val, &posix_regexp_begin, msg, ERRMSG_BUFSIZE2);


I'm running eclipse-titan 6.2.0-1 as packaged by debian, not a version compiled myself.

I checked the commit log, and apart from 603b99b3a9953a193cb086df383c4f20d165a68a I couldn't find any recent changes/fixes, so I don't think a more recent TITAN version would have this already fixed.

The funny part is: When I decode the exact same MGCP payload using a simplistic single-component test case, it succeeds :/

CRCX 1128017070 1@mgw MGCP 1.0
C: 2CD6ED06
L: p:20, a:PCMU
M: recvonly


In any case, I think no matter what kind of input data gets passed to a TEXT codec, the titan runtime shouldn't call regerror() in a way that it aborts, so there might be something like a double-failure here. My code runs titan into an error path, and that error path causes the abort.

Re: TEXT codec and abort() via regerror() [message #1777135 is a reply to message #1777134] Fri, 24 November 2017 19:56
Harald Welte

The test suite is the one found in http://git.osmocom.org/osmo-ttcn3-hacks/tree/ipa

All that should be needed to reproduce is to run it (the test suite emulates some transactions of both an MSC and BSC connecting over a non-standard SCCP-over-TCP protocol stacking (but is decoded by wireshark)).

The offending dec_MgcpCommand() is in Line 193 of library/IPA_Emulation.ttcn

Re: TEXT codec and abort() via regerror() [message #1777138 is a reply to message #1777135] Fri, 24 November 2017 20:56
Gábor Szalai
nice bug
The
      char msg[ERRMSG_BUFSIZE2];
      regerror(ret_val, &posix_regexp_begin, msg, ERRMSG_BUFSIZE2);


shouldn't be there.
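
An added example, not part of the thread and not TITAN code: in the quoted excerpt regerror() receives ret_val while it still holds its initial -1, a value that no regcomp()/regexec() call returned, and the backtrace shows regerror() ending in abort(). The sketch below shows the defensive pattern of translating only status codes that came straight from the regex API; token_match_begin and its messages are hypothetical names, and a NULL pattern stands in for the case where no regex was evaluated.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not TITAN code: returns the length of a match that
 * starts at offset 0 of `input`, or -1 with an explanation in `msg`. */
int token_match_begin(const char *pattern, const char *input,
                      char *msg, size_t len)
{
    regex_t re;
    regmatch_t m;
    int rc;

    if (len > 0)
        msg[0] = '\0';
    if (pattern == NULL) {
        /* No regex was run, so there is no status code to translate:
         * build the message directly and never call regerror() here. */
        snprintf(msg, len, "no token pattern defined");
        return -1;
    }
    rc = regcomp(&re, pattern, REG_EXTENDED);
    if (rc != 0) {
        regerror(rc, &re, msg, len);   /* rc comes straight from regcomp() */
        return -1;
    }
    rc = regexec(&re, input, 1, &m, 0);
    if (rc != 0)
        regerror(rc, &re, msg, len);   /* rc comes straight from regexec() */
    regfree(&re);
    if (rc != 0)
        return -1;
    if (m.rm_so != 0) {
        snprintf(msg, len, "match does not start at offset 0");
        return -1;
    }
    return (int)m.rm_eo;
}

int main(void)
{
    /* First line of the MGCP payload quoted in the thread. */
    const char *line = "CRCX 1128017070 1@mgw MGCP 1.0";
    char msg[128];
    printf("%d\n", token_match_begin("^[A-Z]{4} ", line, msg, sizeof msg));
    printf("%d (%s)\n", token_match_begin(NULL, line, msg, sizeof msg), msg);
    printf("%d (%s)\n", token_match_begin("(", line, msg, sizeof msg), msg);
    return 0;
}
```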

Re: TEXT codec and abort() via regerror() [message #1777667 is a reply to message #1777138] Fri, 01 December 2017 11:15
Elemer Lelik
Hi Harald,

the fix for this has been committed,

see https://bugs.eclipse.org/bugs/show_bug.cgi?id=527793

so you can build a repaired Titan at your convenience.

If it's not urgent, you could wait though for the corrective release 6.3.pl1 to be released (well, tagged) in a day or two.

Best regards
Elemer

