pcu: Test Downlink UNIT_DATA messages from SGSN containing IMSI IE

osmo-pcu.git 0052051c07af63da98137c9f8e3b3119642eb587 introduced a bug (fixed in 1d68cdff928f32941aff36c70e4543203c283d15) where no MS could GMM attach to the network, but no test showed the issue. This couple test verifies both correct behavior and also ensures wrong IMSI is detected and reported. Related: OS#4729 Change-Id: I5072d80b7ed9945a6083cdf3254efb8b8f119c54
author: Pau Espin Pedrol <pespin@sysmocom.de> 2020-08-27 18:54:24 +0200
committer: laforge <laforge@osmocom.org> 2020-08-29 07:56:46 +0000
commit: c03eb12b58c7d1968bdda10d27b15f3b8aab2d41 (patch)
tree: 7ba3d43480d6f315eb6054423e1936a173a98ab7
parent: 6ef5dfab86227330babbc7a0f4712668807e2b48 (diff)
2 files changed, 116 insertions, 3 deletions
diff --git a/library/Osmocom_Gb_Types.ttcn b/library/Osmocom_Gb_Types.ttcn
index a5182686..3aeba8fa 100644
--- a/library/Osmocom_Gb_Types.ttcn
+++ b/library/Osmocom_Gb_Types.ttcn
@@ -1077,7 +1077,7 @@ octetstring sdu) := {
 	template PDU_BSSGP ts_BSSGP_STATUS(template BssgpBvci bvci, template BssgpCause cause,
 					   PDU_BSSGP pdu) := {
 		pDU_BSSGP_STATUS := {
-			bssgpPduType := '0A'O,
+			bssgpPduType := '41'O,
 			cause := t_BSSGP_CAUSE(cause),
 			bVCI := t_BSSGP_BVCI(bvci),
 			pDU_in_Error := {
@@ -1091,6 +1091,23 @@ octetstring sdu) := {
 		}
 	}
 
+	template PDU_BSSGP tr_BSSGP_STATUS(template BVCI bvci := ?, template BssgpCause cause := ?,
+					   template octetstring pdu := ?) := {
+		pDU_BSSGP_STATUS := {
+			bssgpPduType := '41'O,
+			cause := t_BSSGP_CAUSE(cause),
+			bVCI := bvci,
+			pDU_in_Error := {
+				iEI := '15'O,
+				ext := '1'B,
+				lengthIndicator := {
+					length1 := ?
+				},
+				erroneous_BSSGP_PDU := pdu
+			}
+		}
+	}
+
 	private function f_presence_bit_MultislotCap_GPRS_BSSGP(template (omit) MultislotCap_GPRS_BSSGP mscap_gprs) return BIT1 {
 		if (istemplatekind(mscap_gprs, "omit")) {
 			return '0'B;
@@ -1202,7 +1219,9 @@ octetstring sdu) := {
 		}
 	}
 
-	template PDU_BSSGP ts_BSSGP_DL_UD(GprsTlli tlli, octetstring pdu, template (omit) MSRadioAccessCapabilityV_BSSGP racap := omit) := {
+	template PDU_BSSGP ts_BSSGP_DL_UD(GprsTlli tlli, octetstring pdu,
+					  template (omit) MSRadioAccessCapabilityV_BSSGP racap := omit,
+					  template (omit) IMSI_BSSGP imsi := omit) := {
 		pDU_BSSGP_DL_UNITDATA := {
 			bssgpPduType := '00'O,
 			tLLI_current := tlli,
@@ -1211,7 +1230,7 @@ octetstring sdu) := {
 			mS_Radio_Access_Capability := ts_BSSGP_IE_MSRAcap_omit(racap),
 			priority := omit,
 			dRX_Parameters := omit,
-			iMSI := omit,
+			iMSI := imsi,
 			tLLI_old := omit,
 			pFI := omit,
 			lSA_Information := omit,
diff --git a/pcu/PCU_Tests.ttcn b/pcu/PCU_Tests.ttcn
index 3c8be304..9bcf9c60 100644
--- a/pcu/PCU_Tests.ttcn
+++ b/pcu/PCU_Tests.ttcn
@@ -1831,6 +1831,98 @@ testcase TC_paging_ps_from_sgsn_ptp() runs on RAW_PCU_Test_CT {
 	f_tc_paging_ps_from_sgsn(mp_gb_cfg.bvci);
 }
 
+/* Verify osmo-pcu handles DL UNIT_DATA from SGSN with IMSI IE correctly. See OS#4729 */
+testcase TC_bssgp_dl_unitdata_with_valid_imsi() runs on RAW_PCU_Test_CT {
+	var RlcmacDlBlock dl_block;
+	var octetstring data := f_rnd_octstring(10);
+	var uint32_t sched_fn;
+	var uint32_t dl_fn;
+	var GprsMS ms;
+
+	/* Initialize NS/BSSGP side */
+	f_init_bssgp();
+	/* Initialize GPRS MS side */
+	f_init_gprs_ms();
+	ms := g_ms[0]; /* We only use first MS in this test */
+
+	/* Initialize the PCU interface abstraction */
+	f_init_raw(testcasename());
+
+	/* Establish BSSGP connection to the PCU */
+	f_bssgp_establish();
+	f_bssgp_client_llgmm_assign('FFFFFFFF'O, ms.tlli);
+
+	/* Establish an Uplink TBF */
+	f_ms_establish_ul_tbf(ms);
+
+	/* Fake GMM GPRS Attach or similar, PCU doesn't care about upper layers here */
+	f_ms_tx_ul_data_block_multi(ms, 1, with_tlli := true);
+	f_rx_rlcmac_dl_block_exp_ack_nack(dl_block, sched_fn);
+	/* DL ACK/NACK sets poll+rrbp requesting PACKET CONTROL ACK */
+	f_ms_tx_ul_block(ms, ts_RLCMAC_CTRL_ACK(ms.tlli), sched_fn);
+
+	/* UL block should be received in SGSN */
+	BSSGP[0].receive(tr_BSSGP_UL_UD(ms.tlli, mp_gb_cfg.cell_id));
+
+	/* Now SGSN sends some DL data, PCU will page on CCCH (PCH) */
+	BSSGP[0].send(ts_BSSGP_DL_UD(ms.tlli, data, imsi := ts_BSSGP_IMSI(ms.imsi)));
+	f_ms_exp_dl_tbf_ass_ccch(ms, PCU_IF_SAPI_PCH);
+
+	/* Wait timer X2002 and DL block is available after CCCH IMM ASS: */
+	f_sleep(X2002);
+	f_rx_rlcmac_dl_block_exp_data(dl_block, dl_fn, data, 0);
+
+	/* ACK the DL block */
+	f_acknackdesc_ack_block(ms.dl_tbf.acknack_desc, dl_block, '1'B);
+	f_ms_tx_ul_block(ms, ts_RLCMAC_DL_ACK_NACK(ms.dl_tbf.tfi, ms.dl_tbf.acknack_desc),
+			     f_dl_block_ack_fn(dl_block, dl_fn));
+
+	f_shutdown(__BFILE__, __LINE__, final := true);
+}
+
+/* Verify osmo-pcu acts on incorrect IMSI IE content in DL UNIT_DATA from SGSN. See OS#4729 */
+testcase TC_bssgp_dl_unitdata_with_invalid_imsi() runs on RAW_PCU_Test_CT {
+	var RlcmacDlBlock dl_block;
+	var octetstring data := f_rnd_octstring(10);
+	var uint32_t sched_fn;
+	var uint32_t dl_fn;
+	var GprsMS ms;
+
+	/* Initialize NS/BSSGP side */
+	f_init_bssgp();
+	/* Initialize GPRS MS side */
+	f_init_gprs_ms();
+	ms := g_ms[0]; /* We only use first MS in this test */
+
+	/* Initialize the PCU interface abstraction */
+	f_init_raw(testcasename());
+
+	/* Establish BSSGP connection to the PCU */
+	f_bssgp_establish();
+	f_bssgp_client_llgmm_assign('FFFFFFFF'O, ms.tlli);
+
+	/* Establish an Uplink TBF */
+	f_ms_establish_ul_tbf(ms);
+
+	/* Fake GMM GPRS Attach or similar, PCU doesn't care about upper layers here */
+	f_ms_tx_ul_data_block_multi(ms, 1, with_tlli := true);
+	f_rx_rlcmac_dl_block_exp_ack_nack(dl_block, sched_fn);
+	/* DL ACK/NACK sets poll+rrbp requesting PACKET CONTROL ACK */
+	f_ms_tx_ul_block(ms, ts_RLCMAC_CTRL_ACK(ms.tlli), sched_fn);
+
+	/* UL block should be received in SGSN */
+	BSSGP[0].receive(tr_BSSGP_UL_UD(ms.tlli, mp_gb_cfg.cell_id));
+
+	/* Now SGSN sends some DL data with an invalid IMSI */
+	BSSGP[0].send(ts_BSSGP_DL_UD(ms.tlli, data, imsi := ts_BSSGP_IMSI('1122'H)));
+
+	BSSGP_SIG[0].receive(tr_BSSGP_STATUS(omit, BSSGP_CAUSE_CONDITIONAL_IE_ERROR, ?));
+
+	/* TODO: make sure no data is sent over PCU -> MS */
+
+	f_shutdown(__BFILE__, __LINE__, final := true);
+}
+
 private function f_TC_egprs_pkt_chan_req(in EGPRSPktChRequest req,
 					 template GsmRrMessage t_imm_ass := ?,
 					 PCUIF_BurstType bt := BURST_TYPE_1)
@@ -2359,6 +2451,8 @@ control {
 	execute( TC_paging_ps_from_sgsn_sign_ptmsi() );
 	execute( TC_paging_ps_from_sgsn_sign() );
 	execute( TC_paging_ps_from_sgsn_ptp() );
+	execute( TC_bssgp_dl_unitdata_with_valid_imsi() );
+	execute( TC_bssgp_dl_unitdata_with_invalid_imsi() );
 
 	/* EGPRS specific test cases */
 	execute( TC_egprs_pkt_chan_req_signalling() );
author	Pau Espin Pedrol <pespin@sysmocom.de>	2020-08-27 18:54:24 +0200
committer	laforge <laforge@osmocom.org>	2020-08-29 07:56:46 +0000
commit	c03eb12b58c7d1968bdda10d27b15f3b8aab2d41 (patch)
tree	7ba3d43480d6f315eb6054423e1936a173a98ab7
parent	6ef5dfab86227330babbc7a0f4712668807e2b48 (diff)