Feature: TS 29.581 V18.6.0 uplift

[davidjwbbc]

Passes the source IP address from the provisioned Distribution Sessions in the UserDataIngSession to the MBSTF for use in the FLUTE session. Also allocates a TSI to be used by the MBSTF in the FLUTE session.

This is the final TS 29.581 V18.6.0 uplift PR to provide the full implementation of the uplift for reference point Nmb2 between the MBSF and MBSTF. This implements the changes to the UpTrafficFlowInfo data type agreed in SA#111.

This also includes some bug fixes for issues found while testing this uplift feature, most importantly a refactoring of the active periods handling and Distribution Session state transitions.

Closes #27

[davidjwbbc]

Fixed an issue spotted by @devbbc:

When creating the MBS Session and MBSTF Distribution Session the current released MBSF does a discovery step to find an MBSTF before creating MBS Session on the MB-SMF using the MBSTF discovered address as the SSM source address. This is because the MBSTF filled in the SSM Source used in the FLUTE session with its own source address.

This uplift carries an SSM source address from the AP through the MBSF to both the MB-SMF and MBSTF. Therefore the discovery step is no longer needed since the SSM source is now available from the AP.

This last commit removes the discovery step, goes straight to the (discovery of the MB-SMF and) creation of MBS session and uses the provided SSM source address when requesting the MBS Session.

[rjb1000]

Thanks, @devbbc and @davidjwbbc.

[jordijoangimenez]

Thanks for the testing. I'll get there soon!

[ErikGaida]

Hey @davidjwbbc. I ran some tests and caught a some bugs. Some of them seem to touch the recently refactored logic, while others might be pre-existing issues. I don't want to necessarily block this PR by issues that are not related to this PR, so feel free to decide whether you want to include the fixes here or if we should tackle them in a separate follow-up issue

Not directly related to the changes in this PR, but I ran into an issue during setup:

The commands

1. sudo python3 -m pip install --upgrade meson

fails on modern Ubuntu/Debian systems due to PEP 668 (externally-managed-environment).

error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
    python3-xyz, where xyz is the package you are trying to
    install.
    
    If you wish to install a non-Debian-packaged Python package,
    create a virtual environment using python3 -m venv path/to/venv.
    Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
    sure you have python3-full installed.
    
    If you wish to install a non-Debian packaged Python application,
    it may be easiest to use pipx install xyz, which will manage a
    virtual environment for you. Make sure you have pipx installed.
    
    See /usr/share/doc/python3.12/README.venv for more information.

note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
hint: See PEP 668 for the detailed specification.

2. meson test -C build regression

erik@FAME-1000658274-L14:~/rt-mbs-function$ cd ~/rt-mbs-function
meson test -C build regression

ERROR: *:regression test name does not match any test

Bugs Found:

erik@FAME-1000658274-L14:~/rt-mbs-function$ curl --http2-prior-knowledge -i -X POST "http://127.0.0.67:7777/nmbsf-mbs-ud-ingest/v1" -H 'content-type: application/json' -d '{}'

04/21 17:47:54.533: [app] INFO: Configuration: './build/src/mbsf/mbsf.yaml' (../subprojects/open5gs/lib/app/ogs-init.c:144)
04/21 17:47:54.533: [app] INFO: File Logging: '/tmp/mbsfd.log' (../subprojects/open5gs/lib/app/ogs-init.c:147)
04/21 17:47:54.533: [app] INFO: LOG-LEVEL: 'info' (../subprojects/open5gs/lib/app/ogs-init.c:150)
04/21 17:47:54.534: [sbi] INFO: NF EndPoint(addr) setup [127.0.0.200:7777] (../subprojects/open5gs/lib/sbi/context.c:478)
04/21 17:47:54.534: [sbi] INFO: NF EndPoint(addr) setup [127.0.0.10:7777] (../subprojects/open5gs/lib/sbi/context.c:430)
Downloading separate debug info for /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
04/21 17:47:54.586: [MBSF] INFO: SERVER NAME NODE=localhost (../src/mbsf/Open5GSNetworkFunction.cc:285)                       
04/21 17:47:54.587: [MBSF] INFO: NF UUID: 761987e2-3d99-41f1-b50d-21000188444d (../src/mbsf/Open5GSNetworkFunction.cc:237)
04/21 17:47:54.587: [MBSF] INFO: MBSF Service [nmbsf-mbs-us] (../src/mbsf/Open5GSNetworkFunction.cc:246)
04/21 17:47:54.587: [MBSF] INFO: NF UUID: 76198bb6-3d99-41f1-b50d-21000188444d (../src/mbsf/Open5GSNetworkFunction.cc:237)
04/21 17:47:54.587: [MBSF] INFO: MBSF Service [nmbsf-mbs-ud-ingest] (../src/mbsf/Open5GSNetworkFunction.cc:246)
04/21 17:47:54.588: [sbi] INFO: nghttp2_server() [http://127.0.0.67]:7777 (../subprojects/open5gs/lib/sbi/nghttp2-server.c:424)
[New Thread 0x7ffff59da6c0 (LWP 152990)]
04/21 17:47:54.590: [MBSF] INFO: [76117052-3d99-41f1-b50d-21000188444d] MBSF Running (../src/mbsf/MBSFEventHandler.cc:62)
04/21 17:47:54.593: [sbi] INFO: [76117052-3d99-41f1-b50d-21000188444d] NF registered [Heartbeat:10s] (../subprojects/open5gs/lib/sbi/nf-sm.c:208)
04/21 17:47:54.594: [sbi] INFO: NF EndPoint(addr) setup [127.0.0.10:7777] (../subprojects/open5gs/lib/sbi/nnrf-handler.c:960)
04/21 17:47:54.595: [sbi] INFO: [761a9358-3d99-41f1-9352-7372429a684f] Subscription created until 2026-04-22T17:47:54.594064+02:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../subprojects/open5gs/lib/sbi/nnrf-handler.c:879)
terminate called after throwing an instance of 'std::logic_error'
  what():  basic_string: construction from null is not valid

Thread 2 "open5gs-mbsfd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff59da6c0 (LWP 152990)]
Download failed: Das Argument ist ungültig.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
Warnung: 44	./nptl/pthread_kill.c: Datei oder Verzeichnis nicht gefunden
(gdb) 

erik@FAME-1000658274-L14:~/rt-mbs-function$ curl --http2-prior-knowledge -i \
  -X POST "http://127.0.0.67:7777/nmbsf-mbs-ud-ingest/v1/sessions" \
  -H 'content-type: application/json' \
  --data @- <<'JSON'
{
  "mbsUserServId": "2afb33f6-3d9d-41f1-884a-67e08390d069",
  "mbsDisSessInfos": {
    "AP_MBS_SESSION_1": {
      "mbsSessionId": {
        "ssm": {
          "sourceIpAddr": { "ipv4Addr": "127.0.0.110" },
          "destIpAddr": { "ipv4Addr": "232.10.0.159" }
        }
      },
      "mbsDistSessState": "INACTIVE",
      "maxContBitRate": "10 Mbps",
      "distrMethod": "OBJECT",
      "objDistrInfo": {
        "operatingMode": "STREAMING",
        "objAcqMethod": "PULL",
        "objIngUri": "https://livesim2.dashif.org/livesim2/WAVE/vectors/cfhd_sets/12.5_25_50/t1/2022-10-17/",
        "objAcqIds": ["stream.mpd"],
        "objDistUri": "http://127.0.0.2/"
      }
    }
  }
}
JSON
HTTP/2 502 
server: Open5GS v2.6.4-576-g05adfc4+
date: Tue, 21 Apr 2026 16:23:58 GMT
content-length: 192
content-type: application/problem+json

{"title":"External Server Error","status":502,"detail":"MBS Session ID [sourceIpAddr: 127.0.0.110, destIpAddr: 232.10.0.159] already exists in the MBS System\n","cause":"INBOUND_SERVER_ERROR"}

04/21 18:23:58.383: [MBSF] WARNING: Attempt to insert duplicate UniqueMBSSessionId[MbsSessionId[ssm = SSM[sourceIpAddr = IpAddr["127.0.0.110"], destIpAddr = IpAddr["232.10.0.159"]]]] into context (../src/mbsf/Context.cc:280)
04/21 18:23:58.384: [mb-smf-service-consumer] ERROR: MB-SMF responded with a 500 status code (../subprojects/rt-5gc-service-consumers/lib/mb-smf-service-consumer/mb-smf-service-consumer.c:209)

3. Hanging HTTP Request: If a tmgi is provided instead of an ssm

erik@FAME-1000658274-L14:~/rt-mbs-function$  curl --http2-prior-knowledge -i   -X POST "http://127.0.0.67:7777/nmbsf-mbs-s/v1/mbs-user-servicens"   -H 'content-type: application/json'   -d '{
  "extServiceIds": ["urn:3gpp:my-service"],
  "servType": "MULTICAST",
  "servClass": "urn:3gpp:test",
  "servAnnModes": ["PASSED_BACK"],
  "servNameDescs": [
    {                                                   
      "language": "en",
      "servName": "Test Service"
    }   
  ]                                  
}'
HTTP/2 201 
server: Open5GS v2.6.4-576-g05adfc4+
date: Tue, 21 Apr 2026 18:00:45 GMT
content-length: 214
etag: b82158b7a0ce1802c17e811376478cd46d77c5ba1c2a9f2081d90ef9cefd31db
last-modified: Tue, 21 Apr 2026 18:00:45 UTC
cache-control: max-age=60
server: MBSF-localhost/18 (info.title=nmbsf-mbs-us; info.version=1.1.0) rt-mbs-function/0.1.0
location: /nmbsf-mbs-us/v1/mbs-user-services/05284af6-3dac-41f1-98c1-ffa87596804e
content-type: application/json

{
	"extServiceIds":	["urn:3gpp:my-service"],
	"servType":	"MULTICAST",
	"servClass":	"urn:3gpp:test",
	"servAnnModes":	["PASSED_BACK"],
	"servNameDescs":	[{
			"servName":	"Test Service",
			"language":	"en"
		}]

erik@FAME-1000658274-L14:~/rt-mbs-function$ curl --http2-prior-knowledge -i \
  -X POST "http://127.0.0.67:7777/nmbsf-mbs-ud-ingest/v1/sessions" \
  -H 'content-type: application/json' \
  -d '{
  "mbsUserServId": "05284af6-3dac-41f1-98c1-ffa87596804e",
  "mbsDisSessInfos": {
    "AP_MBS_SESSION_1": {
      "mbsSessionId": {
        "tmgi": {
          "mbsServiceId": "000002",
          "plmnId": { "mcc": "208", "mnc": "93" }
        }                                        
      },
      "mbsDistSessState": "INACTIVE",
      "maxContBitRate": "10 Mbps",
      "distrMethod": "PACKET"
    }                        
  }
}'

erik@FAME-1000658274-L14:~/rt-mbs-function$ curl --http2-prior-knowledge -i   -X POST "http://127.0.0.67:7777/nmbsf-mbs-ud-ingest/v1/sessions"   -H 'content-type: application/json'   -d '{
  "mbsUserServId": "05284af6-3dac-41f1-98c1-ffa87596804e",
  "mbsDisSessInfos": {
    "AP_MBS_SESSION_1": {
      "mbsSessionId": {
        "ssm": {
          "sourceIpAddr": { "ipv4Addr": "127.0.0.112" },
          "destIpAddr": { "ipv4Addr": "232.10.0.162" }
        }
      },
      "mbsDistSessState": "INACTIVE",
      "maxContBitRate": "10 Mbps",
      "distrMethod": "PACKET"
    }
  }
}'

04/21 20:06:57.234: [MBSF] INFO: OGS_EVENT_SBI_TIMER [2] (../src/mbsf/MBSFEventHandler.cc:241)
04/21 20:07:07.243: [MBSF] INFO: OGS_EVENT_SBI_TIMER [2] (../src/mbsf/MBSFEventHandler.cc:241)
04/21 20:07:17.253: [MBSF] INFO: OGS_EVENT_SBI_TIMER [2] (../src/mbsf/MBSFEventHandler.cc:241)
terminate called after throwing an instance of 'std::bad_optional_access'
  what():  bad optional access

Thread 2 "open5gs-mbsfd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff59da6c0 (LWP 162206)]
Download failed: Das Argument ist ungültig.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
Warnung: 44	./nptl/pthread_kill.c: Datei oder Verzeichnis nicht gefunden
(gdb) 

erik@FAME-1000658274-L14:~/rt-mbs-function$ curl --http2-prior-knowledge -i   -X POST "http://127.0.0.67:7777/nmbsf-mbs-us/v1/mbs-user-services"   -H 'content-type: application/json'   -d '{
  "extServiceIds": ["urn:3gpp:my-service"],
  "servType": "MULTICAST",
  "servClass": "urn:3gpp:test",
  "servAnnModes": ["PASSED_BACK"],
  "servNameDescs": [
    {                              
      "language": "en",
      "servName": "Test Service"
    }   
  ]                                  
}'
HTTP/2 201 
server: Open5GS v2.6.4-576-g05adfc4+
date: Tue, 21 Apr 2026 18:13:43 GMT
content-length: 214
etag: b82158b7a0ce1802c17e811376478cd46d77c5ba1c2a9f2081d90ef9cefd31db
last-modified: Tue, 21 Apr 2026 18:13:43 UTC
cache-control: max-age=60
server: MBSF-localhost/18 (info.title=nmbsf-mbs-us; info.version=1.1.0) rt-mbs-function/0.1.0
location: /nmbsf-mbs-us/v1/mbs-user-services/d4f48276-3dad-41f1-8a64-0f42b06e37d4
content-type: application/json

{
	"extServiceIds":	["urn:3gpp:my-service"],
	"servType":	"MULTICAST",
	"servClass":	"urn:3gpp:test",
	"servAnnModes":	["PASSED_BACK"],
	"servNameDescs":	[{
			"servName":	"Test Service",
			"language":	"en"
		}]
}erik@FAME-1000658274-L14:~/rt-mbs-function$ 
curl --http2-prior-knowledge -i \
  -X POST "http://127.0.0.67:7777/nmbsf-mbs-ud-ingest/v1/sessions" \
  -H 'content-type: application/json' \
  -d '{
  "mbsUserServId": "d4f48276-3dad-41f1-8a64-0f42b06e37d4",
  "mbsDisSessInfos": {
    "AP_MBS_SESSION_1": {
      "mbsSessionId": {
        "ssm": {
          "sourceIpAddr": { "ipv4Addr": "127.0.0.113" },
          "destIpAddr": { "ipv4Addr": "232.10.0.163" }
        }
      },
      "mbsDistSessState": "INACTIVE",
      "maxContBitRate": "10 Mbps",
      "distrMethod": "PACKET"
    }
  }
}'

04/21 20:14:06.501: [MBSF] INFO: OGS_EVENT_SBI_TIMER [2] (../src/mbsf/MBSFEventHandler.cc:241)
terminate called after throwing an instance of 'std::bad_optional_access'
  what():  bad optional access

Thread 2 "open5gs-mbsfd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff59da6c0 (LWP 162796)]
Download failed: Das Argument ist ungültig.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
Warnung: 44	./nptl/pthread_kill.c: Datei oder Verzeichnis nicht gefunden

6. Not sure this is AI Output:

Critical Memory Corruption via Invalid reinterpret_cast in State Transitions
Severity: High

Description: In UserDataIngSession.cc, the changeDistSessionState function incorrectly casts a void* parameter to a const char* to extract a session ID. However, the pointer being passed actually points to a C++ struct (UserDataIngDistSessId), not a null-terminated C-string. This invalid cast leads to undefined behavior, reading arbitrary memory as a string, and ultimately causes garbage IDs to be processed or an immediate Segmentation Fault when the session attempts to transition its state (e.g., from INACTIVE to ACTIVE).

Root Cause Analysis: When a session state transition is triggered, the setMbstfsInDesiredState() function passes a pointer to a struct:

cpp
UserDataIngDistSessId id{m_UserDataIngSessionId, dist_sess_id};
changeDistSessionState(&id); // Passing a pointer to the struct

However, changeDistSessionState(void *data) expects a C-string and performs a dangerous reinterpret_cast:

cpp
void UserDataIngSession::changeDistSessionState(void *data) {
    const char *id = reinterpret_cast<const char*>(data); // <--- INVALID CAST
    std::string user_data_ing_session_id(id);             // Reads raw object memory as a string
    // ...
}

Reinterpreting the memory layout of a UserDataIngDistSessId object as a const char* violates strict aliasing rules and memory safety.

Recommendation: Stop using type erasure (void*) where possible. The data pointer should be cast back to its actual type using static_cast before accessing its members:

cpp
void UserDataIngSession::changeDistSessionState(void *data) {
    auto *id = static_cast<UserDataIngDistSessId*>(data);
    std::string user_data_ing_session_id = id->user_data_ing_session_id;
    // ...
}