On a Detach/Re-attach cycle the Address Sanitizer detected a
use-after-free kind of problem. That is because we tried to
destroy the LLME twice. The first time it is destroyed as part
of the Detach handling and the second time it is destroyed as
part of destroying the old MM context.
In case the GPRS GMM detach message is lost the SGSN needs
to reply despite not having an MM entry.
The alternative would have been to add NULL checks for all
usages of ctx->llme which would not have helped with the
readability.
Sponsored-by: On-Waves ehf
|
|
On an "unassignment" this code verifies that the LLME will vanish
from the list of LLMEs. We assume that this doesn't create a
memory leak.
|
|
Fixes: CID#1240205
|
|
Many log levels were DEBUG without any good reason. Also where possible
the details of the MM or PDP context are now logged with LOGMM/PDPCTXP.
|
|
Currently when gprs_llgmm_reset() is invoked an XID reset is sent but
the local LLC parameters (e.g. V(U)) are not cleared (see GSM 04.64,
8.5.3.1). This can lead to discarded messages on the SGSN side.
This patch modifies gprs_llgmm_reset to clear vu_send, vu_recv,
oc_ui_send, oc_ui_recv.
Sponsored-by: On-Waves ehf
|
|
Currently the SGSN side message's TLLI are searched without checking
the originating SGSN. This leads to collisions if both SGSNs use the
same P-TMSI for different MS.
With this patch, the SGSN NSEI is stored within the tlli_info and is
used in comparisons to separate the namespaces.
Note that this type of collision cannot happen with BSS numbers,
since the tlli_info are already separated and stored per (BSS) peer.
Sponsored-by: On-Waves ehf
|
|
Currently it is possible to create several entries referring to the
same P-TMSI/TLLI by using P-TMSI assignment via Attach Accept or
RA Update Accept messages. This can lead to the use of the wrong
tlli_info.
This patch adds gbproxy_remove_matching_tllis() that removes all
conflicting entries. This function is called after the P-TMSIs and
the resulting TLLIs have been set up.
Sponsored-by: On-Waves ehf
|
|
Since this message puts the MS into DEREGISTERED state (like a detach
procedure), this message is parsed and the invalidate_tlli field is
set accordingly.
Sponsored-by: On-Waves ehf
|
|
This commit adds/modifies the following VTY commands:
- delete-gbproxy-tlli <NSEI> de-registered : Delete all
de-registered entries
- show gbproxy tllis : Display 'DE-REGISTERED' when appropriate
In addition, the implementation of the delete-gbproxy-tlli command
has been split into two functions (with and without TLLI/IMSI
value).
Sponsored-by: On-Waves ehf
|
|
gprs_gb_log_parse_context() uses a sequence of LOGP calls to compose
a single message line. This leads to cluttered log output.
This patch replaces all but the first LOGP applications in this
function by applications of LOGPC.
Sponsored-by: On-Waves ehf
|
|
Currently it is possible to create several tlli_info entries with the
same IMSI.
This patch disables this by adding a check before the imsi field
is updated.
Sponsored-by: On-Waves ehf
|
|
Currently a tlli_info entry is deleted when the TLLI gets invalidated
by a Detach message.
This patch introduces the possibility to keep tlli_info entries in
the list. Those entries then have cleared TLLI fields, are marked as
de-registered, and can only be retrieved by a message containing an
IMSI or a P-TMSI.
The following VTY configuration commands are added to the gbproxy
node:
- tlli-list keep-mode never : Don't keep the entries (default)
- tlli-list keep-mode re-attach : Only keep them, when a Detach
message with re-attach required has been received
- tlli-list keep-mode identified : Only keep entries which are
associated with an IMSI
- tlli-list keep-mode always : Keep all entries
Note that at least one of max-length or max-age should be set when
this feature is used to limit the number of entries.
Sponsored-by: On-Waves ehf
|
|
Currently when patching is basically enabled P-TMSI and TLLI get
patched even when P-TMSI patching is not enabled. Albeit the result
is correct in this case (the same value is re-written), the counter
shows unexpected results.
This patch adds configuration checks for P-TMSI and TLLI patching. It
also reorders the code of gbproxy_patch_raid to return early if there
is nothing to patch.
Sponsored-by: On-Waves ehf
|
|
This function is a remainder of the initial implementation that was
not meant for TLLI patching and can be used for the BSS side only.
The SGSN side is already using a composition of more flexible
single purpose functions.
This patch changes the implementation to use a similar approach. The
function is moved to gbproxy_test.c and renamed to register_tlli to
keep the tests intact.
Sponsored-by: On-Waves ehf
|
|
If IMSI acquisition is enabled and the gbproxy receives a Detach
request from the MS, it cannot pass it to the SGSN since the
acquisition has not yet been completed.
This patch implements the generation of a Detach Accept message
for this case and updates the TLLI state accordingly.
Sponsored-by: On-Waves ehf
|
|
Currently the RAI in the LLC part of the message is not updated if
the message has been taken from the list of stored messages. The
reason is that old_raid_matches is updated in
gbprox_process_bssgp_ul() but not in gbproxy_flush_stored_messages().
This patch moves the check to gprs_gb_parse_bssgp() which is called
at both places and where other fields like parse_ctx->tlli are set,
too.
In addition, old_raid_matches is replaced by old_raid_is_foreign
since this is clearer in the case when there is no old RAI at all.
Several RAI patch counter assertions are also added to
test_gbproxy_ra_patching().
Sponsored-by: On-Waves ehf
|
|
At all places where mi_data/mi_data_len is used it will always
contain an IMSI. Thus the names of the identifiers have been updated
accordingly for clarity.
Sponsored-by: On-Waves ehf
|
|
This commit changes gbproxy_imsi_acquisition as follows:
tlli_info->mi_data_len is used instead of parse_ctx->imsi to check,
whether the IMSI is known already. Since the function is always
called after gbproxy_update_tlli_ul(), the two values are already
synchronized.
Messages are always flushed when the IMSI gets known; if the current
message is IDENT RESP it is discarded, otherwise processing continues
as usual.
The 'if' clauses are simplified for better readability.
Sponsored-by: On-Waves ehf
|
|
gbprox_process_bssgp_ul has grown quite large mainly by the addition
of IMSI acquisition.
This patch moves that code into several smaller functions. In
addition, the peer resolution which is similar to that in
gbprox_process_bssgp_dl is moved into a separate function, too.
Sponsored-by: On-Waves ehf
|
|
This patch removes the patch_mode feature including the related VTY
command patch-mode. Where sensible, the other configuration flags are
queried instead.
In addition, the initial checks in gbprox_process_bssgp_dl() and
gbprox_process_bssgp_ul() have been updated.
The patch mode feature has not been used and was increasingly
difficult to maintain.
Sponsored-by: On-Waves ehf
|
|
Currently the stored messages are only removed, when IMSI acquisition
has succeeded. In addition, receiving two ATTACH_REQ messages in
sequence (e.g. due to loss of an Identity Req/Resp message) will not
restart the IMSI acquisition procedure.
This patch adds gbproxy_tlli_info_discard_messages() to clean up the
message list and calls it from gbproxy_delete_tlli() fixing a
potential memory leak. It is also called when an Attach Request
message has been received. In that case the imsi_acq_pending flag is
cleared, too. This would (re-)trigger the IMSI acquisition procedure
at each of these messages. If an Ident Response has been lost,
resending the Ident Request with the same N(U) will not work.
Therefore the N(U) gets incremented on each Ident Request generated
by the gbproxy. The first N(U) used is 256 which shouldn't collide
with the V(UT) used by the SGSN given that P-TMSI patching is enabled
(since a new random TLLI is used initially on every new (no
tlli_info) connection and V(U) starts with zero then).
Ticket: OW#1261
Sponsored-by: On-Waves ehf
|
|
Currently, a new P-TMSI within an Attach Accept or within an RA
Update Request is applied to the TLLI mapping (gbproxy_reassign_tlli)
_before_ patching is done. This can lead to inconsistent behaviour
when the TLLI validation has not been completed, which is the case
when subsequent RA UPD REQ are received. The new TLLI must not be
applied to the message itself yet, it should only be considered for
following messages.
This patch moves the TLLI reassignment to
gbproxy_update_tlli_state_after() to fix that.
It also separates the implementation of the feature that a new
tlli_info can be created when such a message is received from the
SGSN. This makes sense, when P-TMSI patching is not active and the
tlli_info entry has expired.
Sponsored-by: On-Waves ehf
|
|
Currently tlli_info are created for SGSN originated messages when
the SGSN TLLI cannot be found and P-TMSI patching is active. This
doesn't make much sense, since the BSS side TLLI is not known in this
case. Given that the SGSN is working properly, that can only happen
if either the tlli_info has expired or the gbproxy has been
restarted.
This patch disables the creation of a tlli_info in this case.
Note that these messages are passed unmodified to the MS so far.
Sponsored-by: On-Waves ehf
|
|
Since the secondary SGSN selection and APN patching can both be
enabled/disabled by IMSI matching, this patch introduces a separate
match-imsi command and removes the corresponding variant of the
core-access-point-name command.
P-TMSI patching and IMSI acquisition are enabled/disabled by
match-imsi resp. secondary-sgsn. The patch-ptmsi and acquire-imsi
commands are still available for internal testing but are subject to
being removed.
Sponsored-by: On-Waves ehf
|
|
This patch extends the 'show gbproxy tllis' command to display the
number of stored messages per tlli_info if there are any.
Sponsored-by: On-Waves ehf
|
|
Currently all STATUS messages coming from the SGSN are just logged
and dropped. This prevents the PCU from recognising that the
(secondary) SGSN doesn't know about a certain BVCI and might require
a reset procedure.
This patch changes gbprox_rx_sig_from_bss() to forward STATUS
messages with cause "Invalid BVCI" containing a BVCI to the BSS.
Note that this will not forward broken "Invalid BVCI"
messages which do not include a BVCI IE.
Sponsored-by: On-Waves ehf
|
|
Currently the gbproxy sends STATUS messages that are not compliant to
GSM 08.18, 10.4.14.1: The BVCI must be included if (and only if) the
cause is either "BVCI blocked" or "BVCI unknown".
This patch adds a missing BVCI to UNKNOWN_BVCI and BVCI_BLOCKED
status messages if the BVCI is available. Otherwise, INV_MAND_INF is
used instead.
Sponsored-by: On-Waves ehf
|
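The GSM 08.18 rule the commit above enforces, as an added example in C that is not the gbproxy's own code: the cause is chosen as the commit describes (fall back to INV_MAND_INF when a required BVCI is unavailable), the STATUS PDU is encoded, and a receiver-side check verifies the "BVCI present if and only if" condition. The PDU type, IEI and cause values are assumed from GSM 08.18, as is the one-octet TLV length form with the extension bit set.

```c
#include <stddef.h>
#include <stdint.h>
/* Values assumed from GSM 08.18 (not taken from the commit above). */
#define BSSGP_PDUT_STATUS        0x41
#define BSSGP_IE_BVCI            0x04
#define BSSGP_IE_CAUSE           0x07
#define BSSGP_CAUSE_UNKNOWN_BVCI 0x05
#define BSSGP_CAUSE_BVCI_BLOCKED 0x09
#define BSSGP_CAUSE_INV_MAND_INF 0x21

/* 08.18 10.4.14.1: the BVCI IE is mandatory exactly for these two causes. */
static int cause_needs_bvci(uint8_t cause)
{
	return cause == BSSGP_CAUSE_UNKNOWN_BVCI || cause == BSSGP_CAUSE_BVCI_BLOCKED;
}

/* Cause to send: if a BVCI is required but none is available (bvci == NULL),
 * fall back to INV_MAND_INF rather than emitting a non-compliant STATUS. */
static uint8_t status_cause_for(uint8_t cause, const uint16_t *bvci)
{
	return (cause_needs_bvci(cause) && !bvci) ? BSSGP_CAUSE_INV_MAND_INF : cause;
}

/* Encode a STATUS PDU: PDU type, Cause TLV, then the BVCI TLV only when the chosen
 * cause requires it. Lengths use the one-octet form (0x80 | len). Returns bytes written. */
static size_t encode_status(uint8_t *out, size_t out_len, uint8_t cause, const uint16_t *bvci)
{
	uint8_t tx_cause = status_cause_for(cause, bvci);
	int with_bvci = cause_needs_bvci(tx_cause);
	size_t n = 0;
	if (out_len < (size_t)(with_bvci ? 8 : 4))
		return 0;
	out[n++] = BSSGP_PDUT_STATUS;
	out[n++] = BSSGP_IE_CAUSE; out[n++] = 0x81; out[n++] = tx_cause;
	if (with_bvci) {
		out[n++] = BSSGP_IE_BVCI; out[n++] = 0x82;
		out[n++] = (uint8_t)(*bvci >> 8); out[n++] = (uint8_t)*bvci;
	}
	return n;
}

/* Receiver-side check: walk the TLVs and verify that a BVCI IE is present if and only
 * if the cause requires one. Only one-octet lengths are handled; a truncated IE fails. */
static int status_is_compliant(const uint8_t *pdu, size_t len)
{
	int have_cause = 0, have_bvci = 0;
	uint8_t cause = 0;
	size_t i, l = 0;
	if (len < 1 || pdu[0] != BSSGP_PDUT_STATUS)
		return 0;
	for (i = 1; i + 2 <= len; i += 2 + l) {
		l = pdu[i + 1] & 0x7f;
		if (!(pdu[i + 1] & 0x80) || i + 2 + l > len)
			return 0;
		if (pdu[i] == BSSGP_IE_CAUSE && l == 1) { have_cause = 1; cause = pdu[i + 2]; }
		else if (pdu[i] == BSSGP_IE_BVCI && l == 2) have_bvci = 1;
	}
	return have_cause && cause_needs_bvci(cause) == have_bvci;
}
```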
|
Currently the numeric TLLI or tlli_info's enable_patching flag is
used to decide whether an APN shall be patched or the secondary SGSN
shall be used. Using the numeric TLLI imposes a problem, when
TLLI/P-TMSI patching is used, since gbproxy_check_tlli uses the BSS
side TLLI namespace when trying to get the tlli_info.
This patch modifies the gbproxy_check_tlli() function to accept a
tlli_info pointer instead of a numeric TLLI. The tlli_info is already
available when the function is called. Since a similar approach
has already been used by accessing the enable_patching flag directly, this
commit unifies checking by always using this function instead of the
flag outside of gb_proxy_tlli.c.
This fixes the APN patching that doesn't work currently when P-TMSI
patching is enabled.
Sponsored-by: On-Waves ehf
|
|
Currently the new commands acquire-imsi and secondary-sgsn are not
included into the write command's output.
This is fixed by this commit.
Sponsored-by: On-Waves ehf
|
|
Some messages that are related to the BVC itself must be forwarded to
the secondary SGSN, too.
This patch implements this for BVC-RESET (BVCI != 0) and FLOW-CONTROL-BVC
messages. The resulting acknowledgement messages from the secondary
SGSN are silently dropped. The idea behind this is that the primary
SGSN is responsible for setting up and maintaining the BVC whereas
the secondary SGSN is rather passive and just has to accept it.
Ticket: OW#1258
Sponsored-by: On-Waves ehf
|
|
This patch modifies gbprox_process_bssgp_ul() to send the message to
the secondary SGSN if the IMSI has matched and routing to the
secondary SGSN is enabled. The destination for stored messages is
modified accordingly.
Ticket: OW#1261
Sponsored-by: On-Waves ehf
|
|
This patch refactors SGSN NSEI handling to support a secondary SGSN.
It adds the following VTY commands:
- secondary-sgsn nsei <0-65534>
- no secondary-sgsn
Sending messages to the secondary SGSN is not yet implemented, but
received messages from such an SGSN would be forwarded to the BSS
peers.
Sponsored-by: On-Waves ehf
|
|
This should have been part of the 'Implement IMSI acquisition'
commit, where a similar change has been made for BSS originated PTP
messages.
Sponsored-by: On-Waves ehf
|
|
This patch fixes the remaining 'unused' warnings.
Sponsored-by: On-Waves ehf
|
|
To modify or route messages based on the IMSI the latter must be known
when the action shall take place.
This patch modifies the gbproxy to optionally retain and enqueue
messages from the MS while initiating an identification procedure.
Further message processing of the LLC PTP link towards the SGSN will
be done, when the identity of the MS has been acquired.
Note that the N(U) of the LLC GMM SAPI is not adjusted, so it is
possible that adjacent messages of a single LLC link arriving either
at the BSS or the SGSN have the same N(U) and might get discarded,
leading to retransmissions and additional delay.
Note also that retransmissions and packet loss are not yet handled
explicitly. If for instance the generated IDENT REQ gets lost, the
gbproxy will not act on its own. In this case, the MS will time out
and eventually resend the Attach Request on which the gbproxy will
act exactly like before (thus having two Attach Req messages in its
queue, which will both be sent after the Ident Resp arrives).
This has been tested successfully with an E71, needing one
retransmission by the SGSN due to an N(U) collision.
Ticket: OW#1261
Sponsored-by: On-Waves ehf
|
|
Currently when patching is enabled and an error happens when
receiving a message from the SGSN, the patched message is sent back
with the PDU_IN_ERROR IE.
This patch modifies gbprox_rx_sig_from_sgsn() to copy the message
before it is patched, so that the original message can be used with
the STATUS message. gbprox_rx_ptp_from_sgsn() does all checks before
the message is patched, so copying is not necessary.
Since gbprox_rx_sig_from_sgsn() is not called for BSSGP UNITDATA
messages and the msgb has already been copied in the gbprox_relay2peer
function, the relative performance impact is expected to be low.
Note that the PDU IE of STATUS messages received from an MS and
forwarded to the SGSN will not be patched. STATUS messages from the
SGSN are only logged and not forwarded to the MS.
Sponsored-by: On-Waves ehf
|
|
This patch adds gbprox_rx_data_from_sgsn() and
gbprox_rx_ptp_from_bss() which contain the PTP message processing
of gbprox_rcvmsg(). The calls to gbprox_process_bssgp_ul() are moved
from gbprox_relay2sgsn() to gbprox_rx_ptp_from_bss() and
gbprox_rx_sig_from_bss().
The goal is to do all patching (and calls to gbprox_process_bssgp_*)
from within the gbprox_rx_* functions. Doing the patching from within
gbprox_relay2sgsn has the drawback that the patching code cannot
call gbprox_relay2sgsn() which is needed if a single message shall
trigger a sequence of messages.
Sponsored-by: On-Waves ehf
|
|
gbproxy_patch_bssgp: Move a check for tlli_info in front of the first
conditional that depends on it, and return immediately if it is NULL.
gbproxy_register_tlli: Initialize tlli_already_known to 0.
Fixes: Coverity CID 1232691
Fixes: Coverity CID 1232692
Sponsored-by: On-Waves ehf
|
|
On older GNU libc systems we need to link to this library to
use the clock_gettime symbol.
|
|
.. as defined in libosmocore
|
|
The gb_proxy shouldn't start to open the box of Pandora by including the
gsm_data_shared.h file, particularly not without defining the BSC role.
In any case, as the reserved TMSI is something that's part of the GSM
specs, and not specific to the OpenBSC implementation, it should be part
of libosmocore.
|
|
This patch moves the peer related definitions from gb_proxy.c to
gb_proxy_peer.c and adjusts the prefix of each global symbol to
gbproxy_:
Peer definitions (prefix adjusted to gbproxy_):
peer_ctr_description -> gprs/gb_proxy_peer.c (static)
peer_ctrg_desc -> gprs/gb_proxy_peer.c (static)
*peer_by_* -> gprs/gb_proxy_peer.c
gbproxy_peer_alloc -> gprs/gb_proxy_peer.c
gbproxy_peer_free -> gprs/gb_proxy_peer.c
gbprox_cleanup_peers -> gprs/gb_proxy_peer.c
Sponsored-by: On-Waves ehf
|
|
This patch moves several functions and declarations out of gb_proxy.c
to make them reusable by other components and to separate them by
context and task.
Counter enums (prefix is changed to gbproxy_):
enum gbprox_global_ctr -> gprs/gb_proxy.h
enum gbprox_peer_ctr -> gprs/gb_proxy.h
Generic Gb parsing (prefix is changed to gprs_gb_):
struct gbproxy_parse_context -> openbsc/gprs_gb_parse.h
gbprox_parse_dtap() -> gprs/gprs_gb_parse.c
gbprox_parse_llc() -> gprs/gprs_gb_parse.c
gbprox_parse_bssgp() -> gprs/gprs_gb_parse.c
gbprox_log_parse_context() -> gprs/gprs_gb_parse.c
*_shift(), *_match() -> gprs/gprs_gb_parse.c (no prefix)
gbprox_parse_gmm_* -> gprs/gprs_gb_parse.c (static)
gbprox_parse_gsm_* -> gprs/gprs_gb_parse.c (static)
MI testing/parsing (prefix gprs_ added):
is_mi_tmsi() -> gprs/gprs_utils.c
is_mi_imsi() -> gprs/gprs_utils.c
parse_mi_tmsi() -> gprs/gprs_utils.c
TLLI state handling (prefix is changed to gbproxy_):
gbprox_*tlli* -> gprs/gb_proxy_tlli.c
(except gbprox_patch_tlli, gbproxy_make_sgsn_tlli)
Message patching (prefix is changed to gbproxy_):
gbprox_*patch* -> gprs/gb_proxy_patch.c
gbprox_check_imsi -> gprs/gb_proxy_patch.c
Sponsored-by: On-Waves ehf
|
|
This patch modifies gbprox_make_bss_ptmsi() to generate a new P-TMSI
when patch_ptmsi is set in the configuration instead of using the
P-TMSI assigned by the SGSN. It modifies gbprox_make_sgsn_tlli() to
either use a foreign TLLI based on the SGSN side P-TMSI or (if there
is none) generate a random TLLI if patch_ptmsi is set. Otherwise, the
TLLI used by the BSS is used.
The seeds for the pseudo-random sequences are set based on time
initially. Note that these are neither cryptographically safe nor
protected against collisions.
Ticket: OW#1259
Sponsored-by: On-Waves ehf
|
|
This mainly adds the NSEI to the messages, similar to log messages
of the existing gbproxy code.
Sponsored-by: On-Waves ehf
|
|
This patch adds code to modify TLLIs and P-TMSIs. Related counters
are also added.
Sponsored-by: On-Waves ehf
|
|
This patch contains fixes for the TLLI tracking and handling.
It adds and uses gbprox_map_tlli() to map the source TLLI to the
destination TLLI while respecting whether it is current or assigned.
It removes gbprox_register_tlli() from the downlink path. It fixes
TLLI validation and disables the use of the BSSGP TLLI IE.
Sponsored-by: On-Waves ehf
|
|
Currently, these messages lead to a parsing error which prevents them
from being processed any further.
This patch sets the return value of gbprox_parse_llc to 1 in these
cases and fixes a segfault which is triggered by any non-04.08
message.
Sponsored-by: On-Waves ehf
|
|
Currently gbprox_patch_raid() updates the local MCC/MNC with every
BSS originated message, even if the RAI is an 'old' one.
This patch separates state updating and patching into 2 functions
gbprox_update_current_raid and gbprox_patch_raid. In addition, a
field named old_raid_enc is added to gbproxy_parse_context, which is
used for 'old RAI' IEs in Attach Requests and RA Update Requests.
Only the bssg_raid_enc in BSS originated messages is used to update
the BSS side 'local' MCC/MNC.
Sponsored-by: On-Waves ehf
|