gmm: on invalid RA id reject the MS with an implicit detach

As long the SGSN doesn't support PS handover treat unknown RA as invalid
and do an implicit detach.

Fixes ttcn3 crash when an RAU happen within an Attach Request

Change-Id: I6a0b335d51f58c26349f7e0a62b2107d7d351d07

1 files changed, 20 insertions, 10 deletions

diff --git a/src/sgsn/gprs_gmm.c b/src/sgsn/gprs_gmm.c
index 182276cfa..86545f856 100644
--- a/src/sgsn/gprs_gmm.c
+++ b/src/sgsn/gprs_gmm.c
@@ -1663,16 +1663,26 @@ static int gsm48_rx_gmm_ra_upd_req(struct sgsn_mm_ctx *mmctx, struct msgb *msg,
 	} else if (!gprs_ra_id_equals(&mmctx->ra, &old_ra_id) ||
 		mmctx->gmm_fsm->state == ST_GMM_DEREGISTERED)
 	{
-		/* We cannot use the mmctx */
-		LOGMMCTXP(LOGL_INFO, mmctx,
-			"The MM context cannot be used, RA: %s\n",
-			osmo_rai_name(&mmctx->ra));
-		/* mmctx is set to NULL and gprs_llgmm_unassign(llme) will be
-		   called below, let's make sure we don't keep dangling llme
-		   pointers in mmctx (OS#3957, OS#4245). */
-		if (mmctx->ran_type == MM_CTX_T_GERAN_Gb)
-			mmctx->gb.llme = NULL;
-		mmctx = NULL;
+		/* We've received either a RAU for a MS which isn't registered
+		 * or a RAU with an unknown RA ID. As long the SGSN doesn't support
+		 * PS handover we treat this as invalid RAU */
+		struct gprs_ra_id new_ra_id;
+		char new_ra[32];
+
+		bssgp_parse_cell_id(&new_ra_id, msgb_bcid(msg));
+		osmo_rai_name_buf(new_ra, sizeof(new_ra), &new_ra_id);
+
+		if (mmctx->gmm_fsm->state == ST_GMM_DEREGISTERED)
+			LOGMMCTXP(LOGL_INFO, mmctx,
+				  "Rejecting RAU - GMM state is deregistered. Old RA: %s New RA: %s\n",
+				  osmo_rai_name(&old_ra_id), new_ra);
+		else
+			LOGMMCTXP(LOGL_INFO, mmctx,
+				  "Rejecting RAU - Old RA doesn't match MM. Old RA: %s New RA: %s\n",
+				  osmo_rai_name(&old_ra_id), new_ra);
+
+		reject_cause = GMM_CAUSE_IMPL_DETACHED;
+		goto rejected;
 	}
 
 	if (!mmctx) {