[Bug]: S1SetupRequest with random MCC/MNC is not rejected #2491
Comments
I've fixed it and updated it in the main branch. Please let me know if you have any other problem. Thanks a lot!

Hello Sukchan, thanks for fixing the problem. The S1SetupRequest now fails as expected, but I believe the cause code should be "unknown-PLMN" rather than "unspecified" (see also 3GPP TS 36.413, section 8.7.3.4). Here is the response I got:

```
S1 Application Protocol
    S1AP-PDU: unsuccessfulOutcome (2)
        unsuccessfulOutcome
            procedureCode: id-S1Setup (17)
            criticality: reject (0)
            value
                S1SetupFailure
                    protocolIEs: 2 items
                        Item 0: id-Cause
                            ProtocolIE-Field
                                id: id-Cause (2)
                                criticality: ignore (1)
                                value
                                    Cause: misc (4)
                                        misc: unspecified (4)
                        Item 1: id-TimeToWait
                            ProtocolIE-Field
                                id: id-TimeToWait (65)
                                criticality: ignore (1)
                                value
                                    TimeToWait: v10s (3)
```

Before the change I was getting cause code "unknown-PLMN" when only the supported TAs were invalid. This has also changed to "unspecified" now. You can see the latest test results here: TC_s1ap_setup_wrong_plmn and TC_s1ap_setup_wrong_tac should pass when the cause code is changed to "unknown-PLMN". Best regards.

I've modified it again based on your guide. Please let me know if you have any other idea. Thanks a lot!

Hello Sukchan, now both tests pass. Thank you very much for fixing this. Best regards.
* [MME] add facility to select smf(pgwu) by tac and e_cell_id.
  [mme.yaml]
  ```
  # o SMF selection by eNodeB TAC
  #   (either single TAC or multiple TACs, DECIMAL representation)
  #
  # gtpc:
  #   - addr: 127.0.0.4
  #     tac: 26000
  #   - addr: 127.0.2.4
  #     tac: [25000, 27000, 28000]
  #
  # o SMF selection by e_cell_id(28bit)
  #   (either single or multiple e_cell_id, HEX representation)
  #
  # gtpc:
  #   - addr: 127.0.0.4
  #     e_cell_id: abcde01
  #   - addr: 127.0.2.4
  #     e_cell_id: [12345, a9413, 98765]
  ```
* [Fuzzing] oss-fuzz support for fuzzing (open5gs#2283)
  * [Fuzzing] oss-fuzz support for fuzzing
    Signed-off-by: Arjun Singh <ajsinghyadav00@gmail.com>
  * [Fuzzing] fix error 2284
    Signed-off-by: Arjun Singh <ajsinghyadav00@gmail.com>
  ---------
  Signed-off-by: Arjun Singh <ajsinghyadav00@gmail.com>
* [MME] try to fix the open5gs#2287 issue
* [SMF] Disable Network Service request while ACTIVATING
  Disable Network triggered service request while UE triggered service request (open5gs#2294)
* Update document (open5gs#2274, open5gs#1127)
* [SBI] Fixed a bug with encoder/decoder of scpPorts (open5gs#2310, open5gs#2274)
* [AMF] Fixed crash if served_tai_index < 0 (open5gs#2059)
* [SGWU/UPF] Fixed crash by gTPTunnel (open5gs#2313)
  SGWU/UPF crashes with ogs_pfcp_setup_far_gtpu_node by a specially crafted gTPTunnel.transportLayerAddress
* [AMF/MME] Fixed crashes by M-TMSI (open5gs#2307)
* [AMF] Fixed crashes with assertion (open5gs#2312)
  AMF crashes with amf_nnssf_nsselection_handle_get assertion failure.
* Release v2.6.4
* [PCF] Always expose SNSSAI label (open5gs#2320)
* [SMF] Expose metrics for nr. of PDU session creations
  [ETSI TS 128 552 V16.9.0](https://www.etsi.org/deliver/etsi_ts/128500_128599/128552/16.09.00_60/ts_128552v160900p.pdf): Registration type label is not provided. A nonstandard PLMNID label is added to achieve uniqueness.
  - 5.3.1.3 Number of PDU sessions requested to be created by the SMF
    PLMNID and SNSSAI are defined during PDU session creation processing. Some requests can be rejected during processing before label values are known. Those requests are not counted under particular labels. To count also such requests, the basic metric with empty labels is exposed too.
    ```
    fivegs_smffunction_sm_pdusessioncreationreq{plmnid="",snssai=""} 1
    fivegs_smffunction_sm_pdusessioncreationreq{plmnid="00101",snssai="1000009"} 1
    ```
  - 5.3.1.4 Number of PDU sessions successfully created by the SMF
    ```
    fivegs_smffunction_sm_pdusessioncreationsucc{plmnid="00101",snssai="1000009"} 1
    ```
  - 5.3.1.5 Number of PDU sessions failed to be created by the SMF
    ```
    fivegs_smffunction_sm_pdusessioncreationfail{cause="400"} 1
    ```
  Example for one successful and one failed (during creation processing) PDU session creation:
  ```
  fivegs_smffunction_sm_pdusessioncreationreq{plmnid="",snssai=""} 2
  fivegs_smffunction_sm_pdusessioncreationreq{plmnid="00101",snssai="1000009"} 1
  fivegs_smffunction_sm_pdusessioncreationsucc{plmnid="00101",snssai="1000009"} 1
  fivegs_smffunction_sm_pdusessioncreationfail{cause="400"} 1
  ```
* relocation of user-location-info on top level
* [PFCP] Fix IPv4 PFCP advertise addresses
* [PFCP] Support PFCP advertise address in F-SEID
* [Fuzzing] bug fix 59062 and increasing converge
  Signed-off-by: Arjun Singh <ajsinghyadav00@gmail.com>
* [HSS] SWx: SAR & MAR: set mandatory User-Name on failure cases
  Multimedia-Auth-Answer and Server-Assignment-Answer define the AVP User-Name as mandatory. It must also be present on failure cases. See 3GPP TS 29.273 Rel 17.
  Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* Updated SRS 5G SA Tutorial URL
* [Docs] fixed CURL generates 16 ERROR
  Refer to curl/curl#3750
* [SBI] Fixed Invalid S-NSSAI format (open5gs#2337)
* [CORE] Rollback ogs_pool_init/final (open5gs#2339)
  ogs_pool_init() shall be used in the initialization routine. Otherwise, memory will be fragmented since this function uses system malloc(). Compared with ogs_pool_init(), ogs_pool_create() could be called while the process is running, so this function should use ogs_malloc() instead of system malloc().
* [Docs] Update night build URI
* [SBI,NAS] Fix conversion of bitrate between OpenAPI/NAS and internal representation
  From the OpenAPI document, TS29571_CommonData.yaml: BitRate String representing a bit rate; the prefixes follow the standard symbols from The International System of Units, and represent x1000 multipliers, with the exception that prefix "K" is used to represent the standard symbol "k".
* [NAS] Improve algorithm for conversion of bitrate to NAS
  The improved algorithm better handles some odd bitrates. With the current version, the bitrates 63 Kbps and 65 Kbps would get converted into 48 Kbps (unit 16 Kbps x 3) and 64 Kbps (unit 64 Kbps x 1). Especially in the first case, the conversion error is quite significant. The current version tries to find the biggest 'unit' while the 'value' is still above 0. With the updated version, the algorithm tries to find the 'unit' low enough that the resulting 'value' can still fit into the 16-bit space without overflow.
* [PFCP] Fix calculation of AMBR
  When converting bitrates from bits per second to kilobits per second, if the conversion results in fractions, the resulting value should be rounded upwards.
* [SMF/PFCP] Send framed routes in both UL and DL pdrs
* Update 01-genodebs.md
  add ASKEY SCE2200 to the Commercial 5G list
* [SMF] Fix typo in log line
* fix Gy for 3GPP-User-Location-Info
* [PCF] Fix calculation of NF Instance load information
  - the 'if' clause was comparing some value with an always '1' due to wrong calculation. Consequently, this 'if' statement never executed.
  - sizes for session pool and UE pools are directly linked between each other. We need to count the number of items only in one of the pools to correctly represent the NF load
  - if anything, we should also check the load of the application pool to determine correct load of the NF
* [AMF,SMF,PCF] Rename the function for calculating NF Instance load
  - have a more consistent naming among the NF's
  - always have the same prefix (amf_/smf_/pcf_) depending on the NF
  - function name is always the same; how the function calculates the load is NF specific and internal to the function itself (but not the function name).
* [SMF] Fix a use-after-free bug
* [SMF] Fix Gx/Gy assert() if more than 64 CCRs are sent
  The current code uses the cc request number as an index to the transaction array (xact/xact_data). Since cc request number is a 32 bit integer this is unfeasible for longer sessions and if more than a handful of messages are exchanged per session. The array size was already increased in open5gs#2038 which simply delays the issue. Furthermore, the current code asserts that cc_request_number is <= MAX_CC_REQUEST_NUMBER which leads to an out-of-bounds write if cc_request_number == MAX_CC_REQUEST_NUMBER. Instead use a smaller array and index into it using cc_request_number % array size. More than 2 requests should never be in flight at any one time (initial or update request together with a termination request) so an array size of 4 should be fine.
* [SMF] Decrease sessions metric on OLD Session Release
  Since [redesign](open5gs@8553c77) of fivegs_smffunction_sm_sessionnbr gauge, the metric doesn't expose some decrements. The decreasing of gauge had been moved out of function stats_remove_smf_session. It should be decreased every time stats_remove_smf_session is called, but this particular case is easily reproducible by killing UPF while the session is established.
* [DOCS] Added VPP-UPF tutorial
* [Docs] 5G SCTP Load Balancer Tutorial (open5gs#2391)
* BTI Wireless Femto Cell nCELL-F2240 added
* [AMF] Fix search for correct SMF based on SmfInfo
  Each SMF's NfProfile can contain multiple SmfInfo items. The issue was that AMF checked only the first SmfInfo for correct S-NSSAI/NR-TAI information. In case of a 5G core setup with SMF handling 2 or more slices, and UE trying to establish multiple PDU sessions, AMF would report an error when trying to find the correct serving SMF.
  ```
  [amf] ERROR: [1:0] (NF discover) No [nsmf-pdusession] (../src/amf/nnrf-handler.c:85)
  ```
* Follow-up on open5gs#2399
* fix boot-looping of UPF with interface in TAP mode
* mac: fix mongodb config path for Apple Silicon
* [NRF] Fix crash due to failing assertion on OPTIONS request
* cosmetic: mme: Fix trailing whitespace in several files
* Add CIFuzz workflow
  Add CIFuzz workflow action to have fuzzers build and run on each PR. This service is offered by OSS-Fuzz where open5gs already runs. CIFuzz can help catch regressions and fuzzing build issues early, and has a variety of features (see the URL above). In the current PR the fuzzers get built on a pull request and will run for 300 seconds.
  Signed-off-by: David Korczynski <david@adalogics.com>
* gtp: xact: Fix unneeded conditionals
  The xarg->org is set to a specific value above in the same function, so no need to check for its value.
* gtp1: Add missing RAN INFORMATION RELAY msg
  The RAN INFORMATION RELAY message has no associated response, and hence it should not start T3-RESPONSE timer to retrigger retransmissions.
  TS 29.060 11.1: "The Error Indication, Version Not Supported, RAN Information Relay, Supported Extension Headers Notification and the SGSN Context Acknowledge messages shall be considered as Responses for the purpose of this clause"
  TS 29.060 7.5.14.1: "For handling of protocol errors the RAN Information Relay message is treated as a Response message."
* [AMF] Handle N1N2MessageTransfer sess. est. reject from SMF
* [SMF] On sess. est. fail, don't reply to AMF twice on the same stream
* [SMF] Reject session on PFCP sess. est. timeout
* [SMF] Don't abort session tear-down on PCF error
* Follow-up on open5gs#2428
* mme: Introduce initial Gn iface (GTPv1C) support
  This interface allows supporting several inter-RAT mobility features towards pre-rel8-SGSNs (SGSNs without S3/S4 GTPV2C interface).
  Related specs:
  - 3GPP TS 23.401:
    -- "5.6 Network Assisted Cell Change"
    -- "5.15 RAN Information Management (RIM) procedures"
    -- "Annex D"
  - 3GPP TS 23.060 (general GERAN<->GERAN mobility)
  - 3GPP TS 29.060
* mme: s1ap: Implement rx of eNB DIRECT INFORMATION TRANSFER
  If destination is a GERAN network, attempt to use the new Gn interface to forward it to an SGSN if configured to do so.
* mme: s1ap: Implement tx of MME DIRECT INFORMATION TRANSFER
  Triggered when receiving a GTPv1C RAN Information Relay message on Gn interface, targeted at one of the eNBs under the MME.
* [HSS] Modify where to check mongodb version (open5gs#2425)
* Fixed the build error
* Follow-up on open5gs#2428
* [SMF] Reply with error instead of crashing when IP pool is exhausted
* Follow-up on open5gs#2443
* mme: fix missing memset in mme_fd_init
  The 'data' struct used to specify the diameter dispatch options for the MME callbacks was not being initialized properly, which meant that the App id could contain garbage. This was preventing the callbacks from being invoked when receiving ISD/CLR requests.
* mme: s1ap: Split rx HandoverRequired handling based on HandoverType
  This is a preparation towards adding other handover types in the future.
* [AMF] Implicit Deregistration (Reset, ConnRefused)
  When AMF releases the NAS signalling connection, ran_ue context is removed by ran_ue_remove() and amf_ue/ran_ue is de-associated by amf_ue_deassociate(). In this case, implicit deregistration is attempted by the mobile reachable timer according to the standard document, and amf_ue will be removed by amf_ue_remove().
  TS 24.501 5.3.7 Handling of the periodic registration update timer and Start AMF_TIMER_MOBILE_REACHABLE mobile reachable timer: The network supervises the periodic registration update procedure of the UE by means of the mobile reachable timer. If the UE is not registered for emergency services, the mobile reachable timer shall be longer than the value of timer T3512. In this case, by default, the mobile reachable timer is 4 minutes greater than the value of timer T3512. The mobile reachable timer shall be reset and started with the value as indicated above, when the AMF releases the NAS signalling connection for the UE.
* Fixed build failure in osmocom/open5gs
* [MME] Temporarily disable sgsn settings (open5gs#2441)
* [MME] rework sgsn default route config in mme.yaml
  Move the config to the sgsn node instead of having a specific route with specific format "default: route", since anyway internally it's already applied to the sgsn object.
* Added missing memory release (open5gs#2441, open5gs#2450)
* fix tap mode arp table poisoning
* [AMF/MME] Remove code that doesn't work (open5gs#2013)
  Based on the standard document below, when the UE is in the IDLE state, we checked the implicit timer and tried to send a message to the UE, but it doesn't work properly. So, first of all, I deleted the related code.
  - TS 24.301 Ch 5.3.7: If ISR is not activated, the network behaviour upon expiry of the mobile reachable timer is network dependent, but typically the network stops sending paging messages to the UE on the first expiry, and may take other appropriate actions
  - TS 24.501 Ch 5.3.7: The network behaviour upon expiry of the mobile reachable timer is network dependent, but typically the network stops sending paging messages to the UE on the first expiry, and may take other appropriate actions.
* UPF HA - release/establish new PDU session in CM_IDLE (open5gs#2471)
  See also open5gs#2396, open5gs#2418
* Fixed security vulnerability for malformed packet
* Fixed SIGPIPE problem (open5gs#2411, open5gs#2312)
* Update VoLTE Dockerized Tutorial (open5gs#2484)
* Added Roaming Document
* Update document
* Update Roaming Document
* Add trace log for debugging open5gs#2287
* [UPF] Fix wrong number of QoS flows metric (open5gs#2490)
* add search with msisdn (open5gs#2495)
  * add search with msisdn
  * add 2nd msisdn
* UE slice shall be also available in RAN (open5gs#2482)
  Changed so that registration can be accepted only when the UE slice is available in the RAN slice.
* S1Setup failure with invalid MCC/MNC (open5gs#2491)
* [SMF] Fix crash on double policy deletion (open5gs#2489)
* [AMF/MME] Follow-up on open5gs#2491
* [AMF/MME] Defaults 9 minutes for T3412/T3512
* [SBI] UDR stores PEI instead of PCF
* Use x1000 multiplier for Kbps, Mbps, ... etc. (open5gs#2515)
  NAS, GTP, PFCP, SBI, all except S1AP/NGAP use x1000 multiplier for Kbps, Mbps, Gbps ... etc. From now on in WebUI all units also use a multiplier of x1000.
* [SMF] Added SMF registrations (open5gs#2514, open5gs#2524)
* [TLV] PFCP parser crash from FuzzingLabs (open5gs#2523)
* [SBI] nghttp2 SETTING ACK should be sent (open5gs#2385)
  Whether or not to send a Setting ACK is determined by the nghttp2 library. Therefore, when nghttp2 informs us that it wants to send a SETTING frame with ACK by nghttp2_session_want_write(), we need to call session_send() directly to send it.
* [WebUI] Fixed a crash when editing Subscribe
  After the UE performs Registration/Attach, SQN field is created. If we edit subscriber information when SQN value is present, WebUI crash occurs. It is because the way to handle Long Type(SQN:Long) is different when the mongoose version is 6 or higher. To avoid this crash, we use the mongoose version down to 5.x first.
* [SMF] Deregister issue during sess release (open5gs#2537)
  A situation in which you establish two sessions and release both of them. In the first SESSION, the UE normally sent PDUSessionResourceReleaseResponse and PDU session release complete. However, these were not sent when releasing the second SESSION. At this point, when the UE tried to do a deregistration, the SMF was not properly handling the exception. I've just fixed this.
* [GTP] gtp_message_fuzz: Abrt in ogs_abort
  See below for details. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59414
* [TLV] GTP parser crash from FuzzingLabs
  See below for details https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61780#c1
* [TLV] Oops! Fixed my mistake on pull open5gs#2549
* Update docs.md
* Fix typo and remove trailing whitespaces in nas-security
* [AMF] amf_ue_set_suci: Assertion `suci` (open5gs#2567)
  Cannot convert SUCI in `Not implemented SUPI format [4]`
* [WebUI] Update NodeJS installation Guide
* [UDM] Fixed crash for invalid SUCI (open5gs#2571)
  Modifications were made to resolve the following assertion.
  ```
  Invalid HNET PKI Value [0] (../lib/sbi/conv.c:135)
  ogs_supi_from_supi_or_suci: Expectation `supi' failed. (../lib/sbi/conv.c:262)
  udm_ue_add: Assertion `udm_ue->supi' failed. (../src/udm/context.c:144)
  backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)
  ```
* Update open5gs-dbctl
  This is now consistent with the webui (check /webui/src/components/Subscriber/Edit.js:175)
* Fixed dynamic-stack-buffer-overflow (open5gs#2578, open5gs#2577)
* [NRF] Fixed NRF crash when Custom nfType (open5gs#2576)
  NF Instance Registration to reproduce crash:
  ```
  curl -v -X PUT -d '{"nfInstanceId":"0b8a8d59-af80-4fb7-8645-b832fd69d94a","nfType":"CUSTOM_INF","nfStatus":"REGISTERED","ipv4Addresses":["127.0.13.37"]}' --http2-prior-knowledge http://127.0.0.10:7777/nnrf-nfm/v1/nf-instances/0b8a8d59-af80-4fb7-8645-b832fd69d94a
  ```
* [PFCP] Fixed Possible heap buffer overflow (open5gs#2585)
  After examining the call stack and reading the source code, I found that in /lib/core/ogs-pool.h line 152: (pool)->array[i] = i+1; then in lib/pfcp/context.c line 78: pdr_random_to_index[ogs_pfcp_pdr_teid_pool.array[i]] = i; ogs_pfcp_pdr_teid_pool.array[i] may exceed the size of pdr_random_to_index, leading to a heap-buffer-overflow.
* [SMF] Invalid Message(SmContextCreateData) (open5gs#2590)
  ```
  curl --noproxy '*' --http2-prior-knowledge -X POST --header "Content-Type: multipart/related" --data-binary @pdu http:/192.168.29.231:7777/nsmf-pdusession/v1/sm-contexts
  ```
  Attaching file 'pdu'. SMF crashes as not able to decode the message properly. SmContextCreateData is not accessible.
* [GTPU] Fixed PDCP SN handling (open5gs#2584, open5gs#2477)
  Scenario is handover on S1AP, data forwarding is enabled, and the Source ENB is forwarding DL PDCP packets to EPC(SGWU) with PDCP SN included. SGWU is also forwarding these packets to the Target ENB. However the PDCP SN is not present in the forwarded packets from SGWU to Target ENB. I modified this part, and there was the same problem in 5GC, fixed it as well. A lot of code in GTP-U has been modified, so if you have any problems, please let us know right away.
* Minor change to address timer warnings and errors in upf, patch for upf bearer removal when sgw restarts

---------

Signed-off-by: Arjun Singh <ajsinghyadav00@gmail.com>
Signed-off-by: David Korczynski <david@adalogics.com>
Co-authored-by: Shigeru Ishida <s5u.ishida@gmail.com>
Co-authored-by: Arjun <36335769+0x34d@users.noreply.github.com>
Co-authored-by: Sukchan Lee <acetcom@gmail.com>
Co-authored-by: Gaber Stare <g.stare@iskratel.si>
Co-authored-by: Eugene Bogush <eugeneb2008@gmail.com>
Co-authored-by: mitmitmitm <ois@oasd8i.at>
Co-authored-by: Arjun Singh <ajsinghyadav00@gmail.com>
Co-authored-by: Alexander Couzens <lynxis@fe80.eu>
Co-authored-by: jmasterfunk84 <48972964+jmasterfunk84@users.noreply.github.com>
Co-authored-by: Bostjan Meglic <b.meglic@iskratel.si>
Co-authored-by: jy <u8906250@gmail.com>
Co-authored-by: Pau Espin Pedrol <pespin@sysmocom.de>
Co-authored-by: Daniel Willmann <dwillmann@sysmocom.de>
Co-authored-by: Rolf Winter <rolf.winter@gmail.com>
Co-authored-by: Robert Dash <rdash@fenixgroupinc.com>
Co-authored-by: Jan Romann <jan.romann@hs-emden-leer.de>
Co-authored-by: Matthias Bräuer <matthias@braeuer.dev>
Co-authored-by: David Korczynski <david@adalogics.com>
Co-authored-by: Emanuele Di Pascale <emanuele.dipascale@alefedge.com>
Co-authored-by: bem4444 <106824649+bem4444@users.noreply.github.com>
Co-authored-by: gstaa <93838663+gstaa@users.noreply.github.com>
Co-authored-by: Abdelmuhaimen Seaudi <abdelmuhaimen.seaudi@orange.com>
Co-authored-by: Carlos Giraldo <cgiraldo@gradiant.org>
Co-authored-by: theodorsm <theodor@midtlien.com>
Co-authored-by: Gabriel <41166074+gckopper@users.noreply.github.com>
Co-authored-by: Ryan Dimsey <ryan@omnitouch.com.au>
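The "[NAS] Improve algorithm for conversion of bitrate to NAS" entry in the commit log above compares two ways of picking a NAS bitrate unit. The following C program is an added illustration, not code from open5gs or from that commit: it implements both selection rules over the Session-AMBR unit table of 3GPP TS 24.501 (subclause 9.11.4.14, one-octet unit code plus 16-bit value), listed here only up to 256 Gbps and using the x1000 multiplier the page itself adopts, and reproduces the 63 Kbps and 65 Kbps cases from the commit message. The function and type names (`nas_encode_old`, `nas_encode_new`, `nas_decode`, `nas_bitrate_t`) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not open5gs code. Unit table indexed by NAS unit code;
 * code 0 is unused. Values are in Kbps with the x1000 multiplier. */
#define NAS_UNIT_MAX 15
static const uint64_t nas_unit_kbps[NAS_UNIT_MAX + 1] = {
    0,
    1, 4, 16, 64, 256,                              /* 1 Kbps .. 256 Kbps */
    1000, 4000, 16000, 64000, 256000,               /* 1 Mbps .. 256 Mbps */
    1000000, 4000000, 16000000, 64000000, 256000000 /* 1 Gbps .. 256 Gbps */
};

typedef struct {
    uint8_t  unit;   /* unit code from the table above */
    uint16_t value;  /* multiplier, 16-bit on the wire */
} nas_bitrate_t;

/* Old rule: largest unit that still leaves a non-zero value. Coarse units
 * are chosen far too early, so 63 Kbps becomes 16 Kbps x 3 = 48 Kbps. */
nas_bitrate_t nas_encode_old(uint64_t kbps)
{
    nas_bitrate_t r = { 1, 0 };
    for (int u = NAS_UNIT_MAX; u >= 1; u--) {
        uint64_t v = kbps / nas_unit_kbps[u];
        if (v > 0) {
            r.unit = (uint8_t)u;
            r.value = v > UINT16_MAX ? UINT16_MAX : (uint16_t)v;
            break;
        }
    }
    return r;
}

/* Improved rule: smallest unit whose value still fits in 16 bits, so the
 * encoding error is bounded by that unit. Saturates above the table range. */
nas_bitrate_t nas_encode_new(uint64_t kbps)
{
    nas_bitrate_t r = { NAS_UNIT_MAX, UINT16_MAX };
    for (int u = 1; u <= NAS_UNIT_MAX; u++) {
        uint64_t v = kbps / nas_unit_kbps[u];
        if (v <= UINT16_MAX) {
            r.unit = (uint8_t)u;
            r.value = (uint16_t)v;
            break;
        }
    }
    return r;
}

/* Bitrate a peer would reconstruct from the encoded pair, in Kbps. */
uint64_t nas_decode(nas_bitrate_t b)
{
    return nas_unit_kbps[b.unit] * b.value;
}

int main(void)
{
    /* Constructed inputs in Kbps: the two values from the commit message
     * plus two larger ones that show the error growing with the old rule. */
    const uint64_t samples[] = { 63, 65, 70000, 100000000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        nas_bitrate_t o = nas_encode_old(samples[i]);
        nas_bitrate_t n = nas_encode_new(samples[i]);
        printf("%llu Kbps: old unit=%u value=%u -> %llu Kbps | "
               "new unit=%u value=%u -> %llu Kbps\n",
               (unsigned long long)samples[i],
               o.unit, o.value, (unsigned long long)nas_decode(o),
               n.unit, n.value, (unsigned long long)nas_decode(n));
    }
    return 0;
}
```

Both encoders truncate with integer division; a rate that is not a multiple of the chosen unit still loses the remainder, which is why picking the smallest usable unit matters.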
Open5GS Release, Revision, or Tag
v2.6.4-60-g5764f72
Steps to reproduce
To reproduce the problem, perform an S1SetupRequest that uses an mcc/mnc that is not configured at the MME. (The TAs should match the configuration)
----------8<----------
----------8<----------
For configuration details see [1]. There I have configured a plmn-id of mcc: 001, mnc: 01. The S1SetupRequest that triggers the problem contains mcc: 262, mnc: 42. This obviously mismatches the configuration but it is still accepted by the MME.
To trigger this, the TTCN3 testcase TC_s1ap_setup_wrong_plmn can be used [2]
[1] https://gitea.osmocom.org/osmocom/docker-playground/src/branch/master/ttcn3-mme-test-ogs/ogs/open5gs-mme.yaml#L321
[2] https://jenkins.osmocom.org/jenkins/view/TTCN3/job/ttcn3-mme-test-ogs/test_results_analyzer/
Logs
Expected behaviour
To my understanding the MME should reject eNBs that try to negotiate with a foreign mcc/mnc.
Observed Behaviour
(see also above). The MME happily accepts S1SetupRequests that contain Global-ENB-IDs with random MNC/MCC.
eNodeB/gNodeB
(no real eNB, just a TTCN3 testsuite that speaks S1AP)
UE Models and versions
No response
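The report above (and the follow-up about the cause code) boils down to one check the MME must make before answering an S1SetupRequest: the PLMN in the eNB's Global-ENB-ID, and the PLMN/TAC pairs in its Supported TAs, must be ones the MME serves, and a mismatch is answered with S1SetupFailure carrying Cause misc/unknown-PLMN. The C program below is an added, self-contained model of that check; it is not open5gs code and does not use open5gs's types or functions. It decodes the 3-octet BCD PLMN identity (MCC digit 2 | MCC digit 1, MNC digit 3 | MCC digit 3, MNC digit 2 | MNC digit 1, with MNC digit 3 = 0xF for two-digit MNCs), then runs the two scenarios from the thread's TTCN3 tests, TC_s1ap_setup_wrong_plmn and TC_s1ap_setup_wrong_tac, against a constructed configuration of mcc 001 / mnc 01 / TAC 1. All names (`plmn_decode`, `s1setup_check`, `scenario_*`, the structs) are hypothetical, and the raw byte samples are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not open5gs code: a minimal model of the PLMN/TA check an
 * MME applies to an S1SetupRequest (3GPP TS 36.413, 8.7.3). */

typedef struct {
    uint16_t mcc;      /* e.g. 1 for "001" */
    uint16_t mnc;      /* e.g. 1 for "01" */
    uint8_t  mnc_len;  /* 2 or 3 digits; "01" and "001" are distinct PLMNs */
} plmn_id_t;

typedef struct {
    plmn_id_t plmn;
    uint16_t  tac;
} tai_t;

/* Outcome of the check, mapped to the S1AP Cause values the thread discusses */
typedef enum {
    S1SETUP_ACCEPT = 0,
    S1SETUP_FAIL_UNKNOWN_PLMN,   /* Cause: misc / unknown-PLMN */
    S1SETUP_FAIL_UNSPECIFIED     /* Cause: misc / unspecified (malformed input) */
} s1setup_result_t;

/* Decode the 3-octet PLMN identity carried in S1AP (TS 24.008 10.5.1.3
 * layout). Any non-decimal digit other than the MNC3 filler is rejected
 * outright rather than guessed at. */
bool plmn_decode(const uint8_t raw[3], plmn_id_t *out)
{
    uint8_t mcc1 = raw[0] & 0x0F, mcc2 = raw[0] >> 4, mcc3 = raw[1] & 0x0F;
    uint8_t mnc3 = raw[1] >> 4,   mnc1 = raw[2] & 0x0F, mnc2 = raw[2] >> 4;

    if (mcc1 > 9 || mcc2 > 9 || mcc3 > 9 || mnc1 > 9 || mnc2 > 9)
        return false;
    out->mcc = (uint16_t)(mcc1 * 100 + mcc2 * 10 + mcc3);
    if (mnc3 == 0x0F) {
        out->mnc_len = 2;
        out->mnc = (uint16_t)(mnc1 * 10 + mnc2);
    } else if (mnc3 > 9) {
        return false;
    } else {
        out->mnc_len = 3;
        out->mnc = (uint16_t)(mnc1 * 100 + mnc2 * 10 + mnc3);
    }
    return true;
}

static bool plmn_equal(const plmn_id_t *a, const plmn_id_t *b)
{
    return a->mcc == b->mcc && a->mnc == b->mnc && a->mnc_len == b->mnc_len;
}

/* The eNB's own PLMN (Global-ENB-ID) must be served, and at least one
 * supported TA must match a served TAI; either mismatch yields unknown-PLMN,
 * which is what both TTCN3 tests in the thread expect. */
s1setup_result_t s1setup_check(const uint8_t enb_plmn_raw[3],
                               const tai_t *supported, size_t n_supported,
                               const tai_t *served, size_t n_served)
{
    plmn_id_t enb_plmn;
    bool plmn_served = false;

    if (!plmn_decode(enb_plmn_raw, &enb_plmn))
        return S1SETUP_FAIL_UNSPECIFIED;
    for (size_t i = 0; i < n_served; i++)
        if (plmn_equal(&enb_plmn, &served[i].plmn))
            plmn_served = true;
    if (!plmn_served)
        return S1SETUP_FAIL_UNKNOWN_PLMN;
    for (size_t i = 0; i < n_supported; i++)
        for (size_t j = 0; j < n_served; j++)
            if (plmn_equal(&supported[i].plmn, &served[j].plmn) &&
                supported[i].tac == served[j].tac)
                return S1SETUP_ACCEPT;
    return S1SETUP_FAIL_UNKNOWN_PLMN;
}

/* Constructed scenario data matching the report: MME serves 001/01, TAC 1. */
static const tai_t   served_tais[]   = { { { 1, 1, 2 }, 1 } };
static const uint8_t plmn_001_01[3]  = { 0x00, 0xF1, 0x10 };  /* mcc 001, mnc 01 */
static const uint8_t plmn_262_42[3]  = { 0x62, 0xF2, 0x24 };  /* mcc 262, mnc 42 */

s1setup_result_t scenario_wrong_plmn(void)   /* TAs match, eNB PLMN does not */
{
    tai_t tas[] = { { { 1, 1, 2 }, 1 } };
    return s1setup_check(plmn_262_42, tas, 1, served_tais, 1);
}

s1setup_result_t scenario_wrong_tac(void)    /* eNB PLMN matches, TAC does not */
{
    tai_t tas[] = { { { 1, 1, 2 }, 999 } };
    return s1setup_check(plmn_001_01, tas, 1, served_tais, 1);
}

s1setup_result_t scenario_match(void)
{
    tai_t tas[] = { { { 1, 1, 2 }, 1 } };
    return s1setup_check(plmn_001_01, tas, 1, served_tais, 1);
}

int main(void)
{
    printf("wrong plmn -> %d, wrong tac -> %d, match -> %d\n",
           scenario_wrong_plmn(), scenario_wrong_tac(), scenario_match());
    return 0;
}
```

The decoder rejects non-BCD nibbles instead of mapping them to a digit, so a malformed identity can never collide with a configured PLMN; that is the same defensive stance as refusing an S1 association from a PLMN the MME does not serve.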