debian: New release with cherry-pick of gbproxy fix

Currently the last message received is patched with the meta
information of each stored message. This can lead to invalid memory
accesses.

This commit replaces msg by stored_msg in the call to
gbproxy_patch_bssgp.

Note that the fix has not been validated by unit tests yet.

Addresses:
  Program received signal SIGSEGV, Segmentation fault.
  #0  memmove () at ../sysdeps/i386/i686/memmove.S:68
  #1  0x08052ee9 in gprs_msgb_resize_area at gprs_utils.c:99
  #2  0x0804f4de in gbproxy_patch_apn_ie at gb_proxy_patch.c:108
  #3  0x0804f7cd in gbproxy_patch_llc at gb_proxy_patch.c:253
  #4  0x0804f9cb in gbproxy_patch_bssgp at gb_proxy_patch.c:348
  #5  0x0804abf5 in gbproxy_flush_stored_messages at gb_proxy.c:347

Ticket: OW#1550
Sponsored-by: On-Waves ehf

debian/changelog

@@ -1,8 +1,83 @@
-openbsc (0.14.0) UNRELEASED; urgency=low
+openbsc (0.15.0+z6) unstable; urgency=medium
+
+  * Include gbproxy fix (4339a539585030c4e1b846d024a005f3d5a631a4) on top of z5 
+
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Thu, 17 Dec 2015 08:34:28 +0100
+
+openbsc (0.15.0+z5) unstable; urgency=medium
+
+  * Based on 5e95a411946ba3c520f048c07f8fdc3dff26d564
+  * First GTPhub build
+
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Mon, 30 Nov 2015 13:36:36 +0100
+
+openbsc (0.15.0+z4) unstable; urgency=medium
+
+  * Based on 98fa3dc1c655033b31d90ed051cfa9144e30248c
+  * Extended GBproxy counters 
+
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Tue, 10 Nov 2015 09:36:55 +0100
+
+openbsc (0.15.0+z3) unstable; urgency=medium
+
+  * Based on 292769e19e1ec7ea28b69370f04569501020659f
+  * StatsD support
+  * Beginning of OAP in the SGSN
+  * Stronger random numbers for TMSI, TLLI in NITB, SGSN and GBProxy 
+
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Tue, 03 Nov 2015 09:46:41 +0100
+
+openbsc (0.15.0+z2) unstable; urgency=medium
+
+  * Allow to bind osmux to different ip addresses.
+  * Based on a777c9ee3d4e433c713f7a5c346519aa0321f096 
+
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Mon, 12 Oct 2015 20:38:27 +0200
+
+openbsc (0.15.0+z1) unstable; urgency=medium
+
+  * Revert the SGSN fix
+  * New build with osmux and NAT
+  * Based on fa07b489dc3e14579b34365c0a0f1b5d5a70138f
+
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Mon, 12 Oct 2015 10:23:44 +0200
+
+openbsc (0.14.0+z12) unstable; urgency=medium
+
+  * GBProxy compat commands
+  * Misc updates from 925504bfe0834be6b1549af51242ef24fa2a0eaa 
+
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Mon, 12 Oct 2015 10:01:26 +0200
+
+openbsc (0.14.0+z11) unstable; urgency=medium
+
+  * Build with BSC NAT multi bind option 
+
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Thu, 24 Sep 2015 10:45:23 +0200
+
+openbsc (0.14.0+z10) unstable; urgency=medium
+
+  * Build with MGCP NAT fixes. 
+
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Sun, 16 Aug 2015 15:30:15 +0200
+
+openbsc (0.14.0+z9) unstable; urgency=low
 
   * New upstream tag and additional patches.
+  * SGSN/GSUP extensions
+  * New NAT command.
+  * Potential fix to QoS GTP sending
+  * Merged GSUP extensions (change of IE)
+  * Added simple CDR module to the SGSN
+  * Put charging_id into CDR, send RAI/UCI/IMEI(SV) on PDP ctx creation.
+  * Log HLR-Number, provide hlr-Number in purgeMS
+  * Set LAC/CI to 0xFFFE/0xFF
+  * Set spare selection mode flags.
+  * Use the verified mode
+  * Resolve GGSN dynamically
+  * Never append the domain name to the query
 
- -- Holger Hans Peter Freyther <holger@freyther.de>  Sat, 14 Mar 2015 20:33:25 +0100
+ -- Holger Hans Peter Freyther <holger@moiji-mobile.com>  Sun, 16 Aug 2015 15:29:53 +0200
 
 openbsc (0.12.0+git26-7) unstable; urgency=low
 

openbsc/src/gprs/gb_proxy.c

@@ -344,7 +344,7 @@ static void gbproxy_flush_stored_messages(struct gbproxy_peer *peer,
 		gprs_gb_parse_bssgp(msgb_bssgph(stored_msg),
 				    msgb_bssgp_len(stored_msg),
 				    &tmp_parse_ctx);
-		gbproxy_patch_bssgp(msg, msgb_bssgph(stored_msg),
+		gbproxy_patch_bssgp(stored_msg, msgb_bssgph(stored_msg),
 				    msgb_bssgp_len(stored_msg),
 				    peer, link_info, &len_change,
 				    &tmp_parse_ctx);

openbsc/src/gprs/gprs_gsup_client.c

@@ -94,6 +94,9 @@ static void connect_timer_cb(void *gsupc_)
 {
 	struct gprs_gsup_client *gsupc = gsupc_;
 
+	LOGP(DGPRS, LOGL_INFO, "GSUP timer callback (%s)\n",
+	     gsupc->is_connected ? "connected" : "not connected");
+
 	if (gsupc->is_connected)
 		return;
 

openbsc/src/gprs/gprs_llc.c

@@ -65,16 +65,27 @@ static int _bssgp_tx_dl_ud(struct msgb *msg, struct sgsn_mm_ctx *mmctx)
 	 * not yet have a MMC context (e.g. XID negotiation of primarly
 	 * LLC connection fro GMM sapi). */
 	if (mmctx) {
-		dup.imsi = mmctx->imsi;
-		dup.drx_parms = mmctx->drx_parms;
-		dup.ms_ra_cap.len = mmctx->ms_radio_access_capa.len;
-		dup.ms_ra_cap.v = mmctx->ms_radio_access_capa.buf;
-
 		/* make sure we only send it to the right llme */
-		OSMO_ASSERT(msgb_tlli(msg) == mmctx->llme->tlli
-				|| msgb_tlli(msg) == mmctx->llme->old_tlli
-				|| tlli_foreign2local(msgb_tlli(msg)) == mmctx->llme->tlli
-				|| tlli_foreign2local(msgb_tlli(msg)) == mmctx->llme->old_tlli);
+		if (msgb_tlli(msg) != mmctx->llme->tlli &&
+		    msgb_tlli(msg) != mmctx->llme->old_tlli &&
+		    tlli_foreign2local(msgb_tlli(msg)) != mmctx->llme->tlli &&
+		    tlli_foreign2local(msgb_tlli(msg)) != mmctx->llme->old_tlli)
+		{
+			LOGP(DLLC, LOGL_ERROR,
+			     "MM context TLLI mismatch when sending DL unitdata, "
+			     "msg TLLI = %08x, ctx TLLI = %08x, "
+			     "ctx old TLLI = %08x. "
+			     "Using default values for IMSI, DRX, RA CAP\n",
+			     msgb_tlli(msg),
+			     mmctx->llme->tlli,
+			     mmctx->llme->old_tlli);
+			osmo_log_backtrace(DLLC, LOGL_INFO);
+		} else {
+			dup.imsi = mmctx->imsi;
+			dup.drx_parms = mmctx->drx_parms;
+			dup.ms_ra_cap.len = mmctx->ms_radio_access_capa.len;
+			dup.ms_ra_cap.v = mmctx->ms_radio_access_capa.buf;
+		}
 	}
 	memcpy(&dup.qos_profile, qos_profile_default,
 		sizeof(qos_profile_default));

openbsc/tests/sgsn/sgsn_test.c

@@ -19,6 +19,12 @@
  *
  */
 
+/* TODO:
+ * - add test cases for Detach(reattach)
+ * - add test cases for PDP context deletion
+ * - add test cases for Cancel pending timer in sgsn_mm_ctx_cleanup_free
+ */
+
 #include <openbsc/gprs_llc.h>
 #include <openbsc/sgsn.h>
 #include <openbsc/gprs_gmm.h>