Age | Commit message (Collapse) | Author | Files | Lines |
|
Currently the function in sgsn_auth.c either have an sgsn_config or
an sgsn_instance parameter. Since then global sgsn variable is
already being used in that file and since other parts of the SGSN
related code also rely on a global sgsn singleton, these parameters
pretend to provide a flexibility that is not really supported.
Therefore this patch removes these parameters except for the ACL
related functions, which do not call code that uses the sgsn
variable.
Sponsored-by: On-Waves ehf
|
|
Currently the authorization is done in sgsn_auth_request for ACL
based authorization. This doesn't match the way remote authorization
would work, so that there is a second call to sgsn_auth_state already
present in sgsn_auth_update.
This patch removes the autorization check completely from
sgsn_auth_request which in turn calls sgsn_auth_update directly now.
Sponsored-by: On-Waves ehf
|
|
Currently every time an RA Update Req or an Attach Req is processed, a
new P-TMSI is allocated. When an MS issues another of these messages
before it has completed the first procedure, old_ptmsi is replaced by
ptmsi (and thus lost) and ptmsi is replaced by the newly allocated
P-TMSI. This can confuse the gbproxy, which can loose track of the
logical link then. At least a Blackberry emits a double set of RA Upd
Req messages from time to time which may be just 20ms apart.
This patch adds a check whether mm->ptmsi or mm->old_ptmsi are set.
If both are set, the P-TMSI is not re-allocated. This is only the
case, when the Complete message has not been received yet, since that
message will reset old_ptmsi.
Sponsored-by: On-Waves ehf
|
|
Currently when a Detach Accept is received for an unknown TLLI (which
is in general the case afer the SGSN has requested the detachment),
an XID reset is sent to the BSS, causing a BSSGP Status message. This
happens in gsm0408_rcv_gmm.
This patch moves the corresponding call to gprs_llgmm_reset downwards
so that it is not being called in that case.
Addresses:
SGSN->BSS TLLI: 0xd75b91d9 SAPI: LLGMM, UI (DTAP) (GMM) Detach Request
BSS->SGSN TLLI: 0xd75b91d9 SAPI: LLGMM, UI (DTAP) (GMM) Detach Accept
SGSN->BSS TLLI: 0xd75b91d9 SAPI: LLGMM, U, XID (Reset, IOV-UI)
BSS->SGSN TLLI: --- BSSGP STATUS (Unknown MS)
Sponsored-by: On-Waves ehf
|
|
Currently, the LLME is not cleaned up after sending an RA Update
Reject. This happens after entering a routing area from outside,
since in that case the SGSN sends an RA Update Reject (implicitly
detached) which causes the MS to restart the attach procedure.
The LLME is also not updated if an Attach Request with message errors
(encoding, invalid MI type) is received or if an MM context cannot be
allocated.
This patch changes gsm48_rx_gmm_ra_upd_req and gsm48_rx_gmm_att_req
to unassign the LLME or free the MM context (if available) after a
Reject message has been sent.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
|
|
Currently the VTY 'auth-policy' command results in setting or clearing
the acl_enabled flag. This also enables the matching of the MCC/MNC
prefix of the IMSI.
This patch adds an additional policy 'acl-only' which disables the
MCC/MNC matching and relies on the ACL only.
Sponsored-by: On-Waves ehf
|
|
Currently the authorization of an IMSI is done by checking ACLs
synchronously which is not feasible when the subscriber data has to
be retrieved from an external source.
This patch changes this by using a callback when the information is
available. This is also done when only ACL are checked, in this case
the callback is invoked from within sgsn_auth_request(). The callback
function sgsn_update_subscriber_data calls sgsn_auth_update which
in turn calls either gsm0408_gprs_access_granted or
gsm0408_gprs_access_denied. gsm48_gmm_authorize is extended by a call
to sgsn_auth_request when IMSI and IMEI are available but the
auth_state is unknown.
The change has been successfully tested with single phones (E71 and
IPhone 5c).
Sponsored-by: On-Waves ehf
|
|
Currently the IMSI is only checked immediately when an Attach Request
is received that contains an IMSI IE. If it contains a P-TMSI
instead, access is always granted.
This commit moves the IMSI check to gsm48_gmm_authorize where it is
applied when IMSI and IMEI have been acquired. This fixes the
authorization when the Attach Accept doesn't contain an IMSI.
Sponsored-by: On-Waves ehf
|
|
Currently when forceing a reattach by sending a Detach
Request (reattach), the SGSN waits for the Detach Accept until it
frees the MM context (if present) and the LLME. If that message gets
lost or isn't sent by the MS, the LLME is never freed if it isn't
bound to an MM context.
This patch adds code to free the MM context/LLME when forcing a
reattachment.
Sponsored-by: On-Waves ehf
|
|
This patch replaces gsm0408_gprs_force_reattach(msg, mmctx) by two
functions
- gsm0408_gprs_force_reattach(mmctx)
- gsm0408_gprs_force_reattach_oldmsg(msg)
The old function basically consists of the code of the two new
functions, where the code path selected depends on mmctx == NULL,
which is harder to maintain, less obvious to use, and not consistent
with many other SGSN functions.
Sponsored-by: On-Waves ehf
|
|
Currently the MM context isn't always removed when it is
de-registered (mmctx_timer_cb), mm_state is set to GMM_DEREGISTERED
instead. This can lead to left-over MM contexts which are only
cleaned up if the MS reattaches.
This patch replaces all of these assignments by a call to
mm_ctx_cleanup_free.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
|
|
Currently the GMM state is set to GMM-REGISTERED when an Attach
Accept or a RA Update Accept message is sent, even if a new P-TMSI is
included. In this case 04.08 requires (see 4.7.3.1.3 and 4.7.5.1.3),
that the state is set to GMM-COMMON-PROCEDURE-INITIATED when the
Accept is sent. When the Complete is received, the SGSN shall set
the state to GMM-REGISTERED.
This patch modifies the state updates accordingly.
Sponsored-by: On-Waves ehf
|
|
Currently the order of the 'if' clauses in gsm48_gmm_authorize
doesn't match the order in which the conditional parts are entered.
This makes it difficult to maintain. In addition the t3350_mode is
not stored in every path, so that this information is lost when the
identification procedure is started. Since the default value
coincidentally is GMM_T3350_MODE_ATT, this doesn't hurt for Attach
Requests which are the only messages that initially trigger the
authentication yet.
This patch changes the order of the 'if' clause to match the
processing order, it removes the t3350_mode parameter entirely and
introduces a mm->pending_req field. The latter must be set when the
request that causes the authorization before calling
gsm48_gmm_authorize. The gprs_t3350_mode enum is extended by
GMM_T3350_MODE_NONE (value 0, which is the default) to make it
possible to detect related initialisation errors or race conditions.
Sponsored-by: On-Waves ehf
|
|
Currently gbproxy_make_sgsn_tlli always returns a foreign TLLI when
it uses the (SGSN) P-TMSI to generate one.
This patch changes the implementation to return a SGSN TLLI of the
same type like the BSS TLLI in that case.
Sponsored-by: On-Waves ehf
|
|
The command definition delete_gb_link_by_id_cmd lacks a description
for the sgsn-nsei token.
This patch adds the missing description.
Addresses:
Verifying src/gprs/osmo-gbproxy -c doc/examples/osmo-gbproxy/osmo-gbproxy.cfg, test verify_doc
Documentation error (missing docs):
<command id='delete-gbproxy-link <0-65534> (tlli|imsi|sgsn-nsei) IDENT'>
<param name='IDENT' doc='(null)' />
Sponsored-by: On-Waves ehf
|
|
Currently the LLME is not deleted when a GMM Status message is
received for which a mmctx cannot be found. This can fill the LLME
list with unneeded entries.
This patch adds code to unassign the LLME in that case.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
|
|
The following functions are not being used:
- gsm48_tx_gmm_status_oldmsg
- gsm48_tx_sm_status_oldmsg
This patch removes the function definitions.
Sponsored-by: On-Waves ehf
|
|
Currently, when a Detach Request is received with an unknown TLLI,
it is answered by another Detach Request (!), even when a power_off
Type is used.
This patch uses gsm48_rx_gmm_det_req to handle the message instead.
So this function is changed to cope with a NULL mmctx. In that case
it doesn't unassign the llme, so this must be done manually
afterwards.
Sponsored-by: On-Waves ehf
|
|
Currently, every time the SGSN received a Detach Request from the MS
via an established logical link, it is answered by a Detach Accept.
This violates the specification (GSM 04.08, 4.7.4.1.2 and .3), which
states, that it should only be sent, if "the detach type IE value
indicates that the detach request has not been sent due to switching
off".
This patch adds a conditional to limit the sending of Detach Accept
accordingly.
Sponsored-by: On-Waves ehf
|
|
Currently the ACL code is located in sgsn_vty.c.
This commit moves this to a new file sgsn_auth.c as a first step to
make authorization more flexible in order to implement remote
acquisition on subsciber data.
Sponsored-by: On-Waves ehf
|
|
Currently each received Ident Resp triggers an Attach Accept/Reject
if IMSI and IMEI are known. This has led to duplicated Attach Accept
messages when used with the gbproxy (IMSI acquisition active) and
with certain mobile equipment (iOS).
This patch modifies gsm48_rx_gmm_id_resp to discard Ident Resp messages
if all required information (IMEI and IMSI) has been gathered.
Ticket: OW#1322
Sponsored-by: On-Waves ehf
|
|
Currently the P-TMSI IE in PAGING_PS is not patched.
This commit adds code to patch BSSGP P-TMSI IE in
gbproxy_patch_bssgp independently from the P-TMSI patching at the LLC
layer. It also extends gbproxy_update_link_state_dl to use the IMSI
to find the link_info if the TLLI is not present in the message.
Note that the spec (GSM 08.18, 7.2) requires to use of the P-TMSI
instead of the IMSI to select the MS if that IE is available.
Nevertheless as long as the IMSI is always present in downlink BSSGP
messages and as long as the optional P-TMSI refers to the same MS
(which is the case currently), this is not an issue.
Sponsored-by: On-Waves ehf
|
|
Currently, when P-TMSI patching is enabled, a new BSS P-TMSI is
generated for each Attach Accept. So two duplicated, subsequent
Attach Accept messages will be mapped to different BSS side P-TMSI.
Because the last one will replace former ones in the link_info
struct, the MS will fail to access the SGSN if it uses the former
P-TMSI to derive the new TLLI.
This patch checks the SGSN P-TMSI already assigned to the link_info
and only generates a new BSS P-TMSI on mismatch (or if the BSS P-TMSI
hasn't been set yet).
Ticket: OW#1322
Sponsored-by: On-Waves ehf
|
|
The osmo-sgsn sends Status messages (or nothing in case of non
GMM/GSM) when the TLLI is unknown. This prevents the MS from
reconnecting.
This patch adds the initiation of an MT detach procedure to force a
re-attach to set up a valid LLE context if an LLE or an MM context
cannot be found. Since this can also be triggered by non-GMM SAPI
messages, a GPRS application callback sgsn_force_reattach_oldmsg is
added which in turn calls the GMM layer to generate the GSM 04.08
specific messages.
Note that the MS can be left in REGISTERED state after initially
wanting to detach itself, since it will receive a Detach Req
(re-attach) when sending a DEACT PDP CTX REQ after the SGSN or
gbproxy (P-TMSI patching enabled) has been restarted. This same
behaviour has been observed with another SGSN.
Sponsored-by: On-Waves ehf
|
|
Currently the PDP contexts are hard freed (via sgsn_pdp_ctx_free)
at some places in gprs_gmm.c on the reception of a Detach Req and on
re-use of an IMSI that is already associated with an MM context. This
can lead to segfaults when there is a pending request or a data
indication at libgtp.
This patch add a new function sgsn_pdp_ctx_terminate that de-associates
the PTP context from the MM context, deactivates SNDCP, sets pdp->mm
to NULL and then calls sgsn_delete_pdp_ctx. sgsn_libgtp is updated to
check for pdp->mm being non-NULL before dereferencing it. The
sgsn_pdp_ctx_terminate function will be called for each PDP context of
an MM context before this context is going to be deleted via
sgsn_mm_ctx_free. To ensure, that the ctx->llme (which is accessed
during the deactivation of SNDCP) remains valid, the call to
gprs_llgmm_assign is moved after the call to sgsn_mm_ctx_free. The
handling of re-used IMSIs is changed to mimic the processing of a
Detach Req.
Addresses:
<0002> gprs_gmm.c:654 MM(/f6b31ab0) Deleting old MM Context for same
IMSI p_tmsi_old=0xc6f19134
<000f> gprs_sgsn.c:259 PDP freeing PDP context that still has a
libgtp handle attached to it, this shouldn't happen!
[...]
SEGFAULT
Ticket: OW#1311
Sponsored-by: On-Waves ehf
|
|
Currently the timer is not stopped before the MM context is freed
which can lead to failure if sgsn_mm_ctx_free is called while timer
protected procedures are active.
This patch add code to cancel the timer if necessary from within
sgsn_mm_ctx_free.
Ticket: OW#1322
Sponsored-by: On-Waves ehf
|
|
|
|
Currently the code segfaults when the link shall be deleted by IMSI
when the IMSI has not been set yet.
This patch adds a NULL check to skip the entry before calling
gsm48_mi_to_string,
Adresses:
Program received signal SIGSEGV, Segmentation fault.
0xb693af77 in gsm48_mi_to_string (string=0xbfffe020 "", str_len=200,
mi=0x0, mi_len=0) at gsm48.c:360
360 mi_type = mi[0] & GSM_MI_TYPE_MASK;
str_len=200, mi=0x0, mi_len=0) at gsm48.c:360
self=0x807c9a0 <delete_gb_link_by_id_cmd>, vty=0xb4303c70,
argc=3, argv=0xbfffe1c0) at gb_proxy_vty.c:670
...
Sponsored-by: On-Waves ehf
|
|
Currently all PTP messages are in general forwarded to the SGSN even
when the BVCI is not known to the gbproxy. Only if message patching
is active and the peer cannot be determined, a log message is
generated, a STATUS message returned, and the message discarded.
The intention for this was to keep the old gbproxy's behaviour if
patching is disabled. But the code gets much more complex this way.
Another drawback is that when the SGSN returns a corresponding STATUS
message, it cannot be routed to the BSS where the original message
came from.
This patch therefore changes the behaviour to reject BSSGP PTP uplink
messages immediately if the BVCI is not known.
Fixes: Coverity CID 1244240
Ticket: OW#1317
Sponsored-by: On-Waves ehf
|
|
This has been re-produced using the "osmo-pcu emulator" code
and a ping to force segmented SNDCP messages. When the NS link
enters the DEAD/BLOCKED state the msgb would be freed twice.
Once inside gprs_ns_sendmsg and once by the caller. Based on the
return one can not see if the parameter has been deleted.
I changed libosmocore/libosmogb to always free the msgb in case
of an error on the way to gprs_ns_sendmsg. Catch up, avoid the
double free and fix some memory leaks. In case the sending fails
assume the entire segmented message is at end and free the
original input data.
This has been tested by posix suspending/resuming the emulator
process to have the GPRS-NS link go to dead/blocked to alive
and unblocked. The ping recovers and "SIGUSR1" to the SGSN does
not show active memory allocations.
The SGSN calls bssgp_tx_dl_ud at the lowest level and has the
following callchains. Most of them allocate the msgb and have
no early return and transfer ownership already:
<- gprs_llc_tx_u
<- gprs_llc_tx_ui
<- gsm48_gmm_sendmsg (all callers sane)
<- _tx_status
<- _tx_detach_req
<- gprs_llc_tx_xid (all callers sane)
<- sndcp_unitdata_req
<- sndcp_send_ud_frag
|
|
To get a clue which message caused the error without having to enable
LOGL_DEBUG, information about how far the parser came (message name,
parsed fields) is logged with LOGL_NOTICE along with a full hexdump
of the message.
Ticket: OW#1307
Sponsored-by: On-Waves ehf
|
|
Currently, the log level is always LOGL_DEBUG. In case of errors it
would be helpful to use a higher log level.
This patch adds a log_level parameter to gprs_gb_log_parse_context to
let the caller decide about the level.
Ticket: OW#1307
Sponsored-by: On-Waves ehf
|
|
This function tries to get an accurate name for the message even if
the parsing has been aborted due to message errors.
The patch also moves the settings of the BSSGP related fields in
parse_ctx from behind to the front of bssgp_tlv_parse, to get more
information in the case of failure. This is now consistent with the
handling of the llc and g48_hdr fields.
Id addition, gprs_gb_log_parse_context now uses the new function to
derive a more accurate message name.
Ticket: OW#1307
Sponsored-by: On-Waves ehf
|
|
Currently it is possible to set the secondary SGSN NSEI to the same
value like the (primary) SGSN NSEI. This leads to undefined behaviour
and is hard to recognize.
This patch adds checks to either NSEI configuration command to refuse
conflicting values.
Ticket: OW#1306
Sponsored-by: On-Waves ehf
|
|
Currently, ptmsi_enc and new_ptmsi_enc point to the beginning of the
mobile identity. Since all P-TMSI in 04.08 (MM) are encoded this way (1
byte header + 4 byte P-TMSI value). This is different to the P-TMSI
encoding in 08.18 (BSSGP), where the P-TMSI is encoded into 4 byte
without MI header.
This patch changes the code to use pointers to the P-TMSI value,
which is encoded in the same way in both specifications.
Sponsored-by: On-Waves ehf
|
|
Currently BSSGP PTP messages are silently dropped when the BVCI is
not known and patching is enabled. The nanoBTS will not recognize
this and continue to send messages on the BVCI. If it receives a
STATUS(BVCI unknown) instead, it will start a BVC reset procedure
instead.
This patch modifies gbprox_rx_ptp_from_bss() to return a
STATUS(BVCI unknown) to the BSS instead of dropping the message.
Sponsored-by: On-Waves ehf
|
|
This patch removes some superfluous ';' from the code.
Sponsored-by: On-Waves ehf
|
|
Currently the parse expects a 'MS network capability' IE with
2 <= length <= 3 which is compliant to GSM 04.08, 9.4.1 but not to
GSM 24.008, 9.4.1 which specifies 3 <= length <= 9. Thus the parser
rejects messages with a length >= 4 (including length field).
This patch relaxes the length check to accept either range by
requiring 2 <= length <= 9.
Ticket: OW#1258
Sponsored-by: On-Waves ehf
|
|
Currently one regexp ('patching') is used for all matching.
This patch adds a second category 'routing' which is exclusively used
for SGSN selection. It also adds a corresponding VTY command:
- match-imsi patching RE : MS related patching (currently APN)
- match-imsi routing RE : Select secondary SGSN on match only
- no match-imsi : Clear all filter expressions
Ticket: OW#1258
Sponsored-by: On-Waves ehf
|
|
This patch modifies the match-imsi command to allow for different
match categories (currently only 'patching' is provided).
- match-imsi patching RE : Filter APN patching and routing
- no match-imsi : Clear all filter expressions
Sponsored-by: On-Waves ehf
|
|
The current implementation makes it difficult to add further match
expressions.
This patch adds a new struct gbproxy_match that contains the fields
needed for each match expression. The matches (config) and the
results (link_info) are stored in arrays. All related functions are
updated to use them. The old fields in the config structure are
removed.
Sponsored-by: On-Waves ehf
|
|
Currently the pointers are computed by adding an offset to the new
message's _data pointer even when the original pointer is NULL.
This leads to invalid pointers in the copied msgb.
This patch adds a NULL check to each computation such that NULL
pointers are not adjusted.
Sponsored-by: On-Waves ehf
|
|
This patch adds und uses the function gbproxy_gsm48_to_peer() which
takes a GSM 04.08 message, encapsulates it in BSSGP and LLC, and
sends it to the BSS peer. This function increments vu_gen_tx_bss
which is now used instead of imsi_acq_retries to set the N(U) of the
outgoing message.
Since imsi_acq_retries isn't currently incremented before a Detach
Accept is generated, this patch also fixes the N(U) of such messages.
Sponsored-by: On-Waves ehf
|
|
Currently then link_info is not cleaned up completely, when
gbproxy_unregister_link_info is called.
This patch adds a function gbproxy_reset_link that must be defined
externally. This is done in gb_proxy.c, where it resets the IMSI
acquisition.
Sponsored-by: On-Waves ehf
|
|
That message is currently ignored but should invalidate the TLLI and
de-register the logical link instead.
This patch extends the parser to recognize such messages and to set
the invalidate_tlli flag.
Sponsored-by: On-Waves ehf
|
|
Currently time() is used for age calculations. This time source
may jump either forwards or backwards in time (NTP update, leap
seconds).
This patch replaces the use of time() by using
clock_gettime(CLOCK_MONOTONIC) instead.
Sponsored-by: On-Waves ehf
|
|
Don't return a link_info if TLLI is 0 resp. P-TMSI is 0xffff. These
values are used for uninitialised or cleared fields and can possibly
match several entries.
Sponsored-by: On-Waves ehf
|
|
Since the (former) TLLI list has developed into a logical link list,
related commands are renamed accordingly.
- tlli-list * -> link-list *
- delete-gbproxy-tlli * -> delete-gbproxy-link *
- show gbproxy tllis -> show gbproxy links
Sponsored-by: On-Waves ehf
|
|
This field in struct gbproxy_patch_state has involved and holds a
list of all tracked logical links now. Thus the name is modified
accordingly.
Sponsored-by: On-Waves ehf
|
|
Currently in many places where 'tlli' (Temporary Logical Link
Identifier) within identifiers is used, the logical link itself is
meant instead. For instance, the tlli_info contain information about
an LLC logical link including up to four individual TLLI.
To avoid confusion between these concepts, this patch replaces all
'tlli_info' by 'link_info' and a few 'tlli' by 'link'.
Sponsored-by: On-Waves ehf
|