diff options
author | Vadim Yanitskiy <axilirator@gmail.com> | 2019-12-28 17:45:34 +0100 |
---|---|---|
committer | fixeria <axilirator@gmail.com> | 2020-01-04 11:50:15 +0000 |
commit | eddebaad92516009a82dbe016ffeaa8b17e6ec0a (patch) | |
tree | 853a0dba0095729e835e99613cd281ede4c32415 | |
parent | 322c79367b5d38e43c15c3238b18b5f24b9191ee (diff) |
MSC_Tests.ttcn: introduce TC_mm_id_resp_no_identity
While investigating OS#4340, it was discovered that a malformed
MM Identity Request with MI Type '111'B crashes OsmoMSC.
Unfortunately, I could not find a way to encode such an invalid
message in TITAN (because value '111'B is reserved), so I
figured out that '000'B also crashes OsmoMSC.
MM Identity Request is triggered by initiating an Update Location
Request with reserved TMSI value 'FFFFFFFF'O (unknown to the MSC).
Change-Id: I62f23355eb91df2edf9dc837c928cb86b530b743
Related: OS#4340
-rw-r--r-- | msc/MSC_Tests.ttcn | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn index e0d9c7ff..c2a5bbb9 100644 --- a/msc/MSC_Tests.ttcn +++ b/msc/MSC_Tests.ttcn @@ -5778,6 +5778,43 @@ testcase TC_invalid_mgcp_crash() runs on MTC_CT { vc_conn.done; } +friend function f_tc_mm_id_resp_no_identity(charstring id, BSC_ConnHdlrPars pars) +runs on BSC_ConnHdlr { + pars.tmsi := 'FFFFFFFF'O; + f_init_handler(pars); + + f_create_gsup_expect(hex2str(g_pars.imsi)); + + /* Initiate Location Updating using an unknown TMSI */ + f_bssap_compl_l3(f_build_lu_tmsi(pars.tmsi)); + + /* Expect an Identity Request, send response with no identity */ + BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_MM_ID_Req(CM_ID_TYPE_IMSI))); + BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_MM_ID_Rsp({ + lengthIndicator := 1, + mobileIdentityV := { + typeOfIdentity := '000'B, + oddEvenInd_identity := { + no_identity := { + oddevenIndicator := '0'B, + fillerDigits := '00000'H + } + } + } + }))); + + f_expect_lu_reject(); + f_expect_clear(); +} +testcase TC_mm_id_resp_no_identity() runs on MTC_CT { + var BSC_ConnHdlr vc_conn; + + f_init(); + + vc_conn := f_start_handler(refers(f_tc_mm_id_resp_no_identity), 7); + vc_conn.done; +} + control { execute( TC_cr_before_reset() ); execute( TC_lu_imsi_noauth_tmsi() ); @@ -5910,6 +5947,7 @@ control { execute( TC_lu_and_mt_call_osmux() ); } execute( TC_invalid_mgcp_crash() ); + execute( TC_mm_id_resp_no_identity() ); } |