- Added functionality to parse and validate the plmnList JSON array
during a PATCH request.
- Updated the nf_instance structure with new PLMN data from the request.
- Ensured robust error handling for invalid PLMN entries
and excessive PLMN counts.
- Responded with appropriate HTTP status codes for success and error scenarios.

- Removed `create_sctp_socket_from_addr_list` function.
- Introduced direct use of `sctp_socket_family_from_addr_list` in
`ogs_sctp_server` and `ogs_sctp_client`.
- Ensured proper handling of address family selection for SCTP sockets,
defaulting to `AF_INET` or `AF_INET6` based on the address list.
- Added error handling for cases where no suitable address family is found.

Addressed feedback on commit 33532a5 by switching SGsAP's SCTP socket
from SOCK_SEQPACKET to SOCK_STREAM. This change eliminates the need
for the 'addr' field, as SOCK_STREAM does not require specifying the address
in sctp_sendmsg.
All references to the 'addr' field have been removed from the VLR structure
and related functions, simplifying SCTP message handling and ensuring better
compatibility with multiple addresses.
Updated `sgsap-sctp.c` accordingly to reflect these changes
and improve the reliability of SCTP connections.

Added checks to validate the SUPI ID in the ogs_dbi_auth_info function
before calling ogs_assert. This prevents a crash when the SUPI ID is malformed,
such as when it does not contain a hyphen.
The fix ensures that invalid SUPI values are logged and handled gracefully,
avoiding assertion failures and crashes in the UDR.

- Modified the `ogs_nas_qos_rule_s` structure to increase the size
of the `identifier` field from 4 bits to 6 bits in order to allow
for larger QoS Flow Identifiers (QFI).
- Adjusted the URR access logic in `upf_sess_urr_acc_add` to prevent
out-of-bounds access by ensuring the URR ID is within the valid range.

Refactored the SCTP socket creation logic to dynamically select
the address family based on the provided address list.
A new function, `create_sctp_socket_from_addr_list`, was introduced
to check for the presence of an IPv6 address in the address list and
create an SCTP socket accordingly.
If an IPv6 address is found, it uses AF_INET6; otherwise, it defaults
to AF_INET. This change was applied to both the `ogs_sctp_server` and
`ogs_sctp_client` functions.

Updated the VLR (mme_vlr_t) lookup mechanism to identify VLR instances
using socket pointers rather than IP addresses.
Replaced the `mme_vlr_find_by_addr` function with `mme_vlr_find_by_sock` across
relevant modules, including `mme-context.c`, `mme-context.h`, and `mme-sm.c`.
Adjusted memory management for the `addr` field within the VLR structure
to ensure proper allocation and deallocation. Removed address assignments
in `sgsap-sctp.c` for usrsctp and updated logging to reflect the new socket-based
identification.

Added support for binding to local IP addresses in ogs_sctp_client and
ogs_sctp_server, and correct SGsAP configuration
Implemented the ability to bind to one or multiple local IP addresses using
`sctp_bindx()` in both the `ogs_sctp_client()` and `ogs_sctp_server()` APIs.
Users can now specify local addresses in the configuration files under the new
`local_addresses` field, reducing unnecessary complexity and signaling caused
by binding to `ANY_ADDR`.
This update addresses issue https://osmocom.org/issues/6509 by ensuring
correct operation in multi-interface and complex networking setups.
Additionally, corrected the `sgsap` configuration by changing it
from `server` to `client`, and added support for specifying `local_addresses`
for local binding as follows:
```
sgsap:
  client:
    - address: msc.open5gs.org # SCTP server address configured on the MSC/VL
      local_address: 127.0.0.2 # SCTP local IP addresses to be bound in the M
```

Modified the PCF logic to bypass the BSF dependency when it is not available.
This change ensures that the 5G Core can operate without requiring a BSF,
allowing PDU sessions to be established successfully in setups
where only a single PCF is used.

Resolved a heap-buffer-overflow issue
in the ogs_nas_5gs_decode_registration_request function caused
by improper handling of empty pkbuf.
Added validation checks to ensure pkbuf size is non-zero
before accessing its data.
Reviewed similar patterns in other decoding functions
to prevent similar vulnerabilities.

Added a handler in gmm_state_registered() to process SBI client events
for UE context transfer, preventing fatal errors and AMF crashes during
Initial Registration.

This commit resolves additional crashes in the AMF caused by improper handling
of UE registration requests in various states of the GMM state machine.
The issue occurs when the AMF receives multiple registration requests
from the same UE while the previous UE context is being released,
leading to outdated or invalid authentication vectors being processed.
Although a previous fix addressed this problem in the gmm_state_exception
function, similar crashes were identified in other states within gmm-sm.c.
To address this, the handling of multiple registration requests
from the same UE has been refined across all relevant states.
The fix ensures proper synchronization and validation of UE contexts,
preventing the AMF from processing outdated authentication data and
maintaining stability during such edge cases.

This prevents incorrect restoration behavior by ensuring the TEID is only
swapped when F-TEID.ch is false, indicating the TEID has already been assigned.
Added a check to ensure that TEID restoration via swap occurs only
when F-TEID.ch is false. In the restoration process, when F-TEID.ch is false,
it indicates that the TEID has already been assigned, and the swap operation is
necessary to restore the TEID. However, if F-TEID.ch is true, it means that
the UPF needs to assign a new TEID for the first time, and performing a swap
in this case would be incorrect.
This check ensures that the swap operation is only triggered
when the TEID is already assigned and prevents potential issues
during the TEID assignment process.

This commit addresses an issue in the AMF where it crashes
upon receiving the Nausf_UEAuthentication_Authenticate response
in the gmm_state_exception function.
The crash occurs when the same UE continuously sends registration requests
while the previous UE context is released before the AUSF response is received,
leading to incorrect states in the gmm state machine.
The root cause was a lack of proper handling in the gmm_state_exception function
for the scenario where multiple registration requests from the same UE cause
the AMF to process outdated authentication vectors.
This update introduces a fix to handle this edge case
and prevent the AMF from crashing.

- Added handling for empty NAS PDUs to prevent potential heap-buffer-overflow.
- Implemented safeguards to reject invalid NAS messages and mitigate DoS attacks
by removing S1/NG Context for affected UEs.
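
The empty-buffer check described in this commit and in the earlier `ogs_nas_5gs_decode_registration_request` fix, shown on a simplified length-value decoder. This is an added example, not Open5GS code: `buf_t`, `buf_pull`, `decode_lv`, `decode_sample` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a packet buffer: read cursor plus octets left. */
typedef struct { const uint8_t *data; size_t len; } buf_t;

/* Copy out n octets and advance, refusing to read past the end. */
static int buf_pull(buf_t *b, uint8_t *out, size_t n)
{
    if (b->len < n)
        return -1;
    if (n > 0)
        memcpy(out, b->data, n);
    b->data += n;
    b->len -= n;
    return 0;
}

/* Decode one length-value element (1 length octet, then the value).
 * Returns the value length, or -1 for an empty or truncated buffer. */
int decode_lv(const uint8_t *pdu, size_t pdu_len, uint8_t *value, size_t cap)
{
    buf_t b = { pdu, pdu_len };
    uint8_t l;

    if (pdu == NULL || pdu_len == 0)   /* empty PDU: nothing to decode */
        return -1;
    if (buf_pull(&b, &l, 1) != 0)
        return -1;
    if (l > cap || l > b.len)          /* declared length vs. octets left */
        return -1;
    if (buf_pull(&b, value, l) != 0)
        return -1;
    return (int)l;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[]        = { 0x03, 0xaa, 0xbb, 0xcc };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x05, 0xaa, 0xbb };

/* Decode into a scratch buffer and report only the result code. */
int decode_sample(const uint8_t *pdu, size_t len)
{
    uint8_t value[16];
    return decode_lv(pdu, len, value, sizeof(value));
}

int main(void)
{
    printf("ok=%d\n", decode_sample(SAMPLE_OK, sizeof(SAMPLE_OK)));
    printf("truncated=%d\n", decode_sample(SAMPLE_TRUNCATED, sizeof(SAMPLE_TRUNCATED)));
    printf("empty=%d\n", decode_sample(SAMPLE_OK, 0));
    return 0;
}
```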

In case an external HSS is used, and the NAM field is set to 0 (PACKET_ONLY),
Open5GS MME will only respond with an "EPS_ONLY" attach accept. This behavior
causes a lot of UEs (mainly phones) to disconnect after 1-2 seconds without
further signalling.
To resolve this, a new flag is introduced:
```
global:
  parameter:
    fake_csfb: true
```
If this flag is set to 'true', the MME will respond with a combined EPS/IMSI
attach accept even if the HSS NAM field is set to "PACKET_ONLY", or if the
MME has no SGs connection towards a CS core.
By default this flag is false, thus not modifying the original behavior.
Note: some commercial core network vendors do include the LAI part in a
"fake" combined EPS/IMSI attach accept message. As that field is optional, and
testing also indicates that it is not needed, this patch does not implement it.

According to TS 29.510, the NFProfile structure in the NFDiscovery API does not
include the nfProfileChangesSupportInd attribute. However, Open5GS NRF currently
includes this attribute in NFDiscovery API responses, which has led to
complaints from certain NF vendors.
This commit modifies the nrf_nnrf_handle_nf_discover function
in src/nrf/nnrf-handler.c to ensure that the nfProfileChangesSupportInd
attribute is excluded when constructing NFProfile for NFDiscovery responses.

This commit introduces a new parameter in the global configuration
to support UPG-VPP UPF. When the following setting is added:
```
global:
  parameter:
    use_upg_vpp: true
```
The SMF generates PFCP messages specifically tailored for UPG-VPP UPF.
This allows seamless integration and operation with UPG-VPP
by automatically adapting the message structure to its requirements.

- Added support for the N9 For Roaming interface type:
  - Core interface acts as V-UPF.
  - Access interface acts as H-UPF.
- Modified V-UPF behavior:
  - V-UPF updates only the TEID and IP Address in the GTP-U header.
  - The content following the Extension Header is passed through directly
    between the UE and H-UPF.
This implementation ensures seamless data flow between the UE, V-UPF, and H-UPF
while maintaining integrity for Home Routed Roaming scenarios.

TS 29.571 - 5.5.2 Simple Data Types defines BitRate type as
String representing a bit rate that shall be formatted as follows:
Pattern: '^\d+(\.\d+)? (bps|Kbps|Mbps|Gbps|Tbps)$'
Examples: "125 Mbps", "0.125 Gbps", "125000 Kbps"
Taking the "0.125 Gbps" example, rather than round 0.125 down to 0, parse it as
a double-float first before multiplying by 10^9, resulting in 1.25e8 (bps).
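
The conversion described above as a strict parser that enforces the quoted pattern and scales the value as a double. This is an added example, not the Open5GS implementation: the function name `bitrate_to_bps` and the choice of returning -1 for rejected input are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Convert a TS 29.571 BitRate string to bits per second.
 * Returns -1 if the string does not match
 * '^\d+(\.\d+)? (bps|Kbps|Mbps|Gbps|Tbps)$' or the result exceeds int64_t.
 * Hypothetical helper, written for this example. */
int64_t bitrate_to_bps(const char *s)
{
    static const struct { const char *name; double mult; } units[] = {
        { "bps", 1e0 }, { "Kbps", 1e3 }, { "Mbps", 1e6 },
        { "Gbps", 1e9 }, { "Tbps", 1e12 },
    };
    const char *p = s;
    char *end;
    double scaled;
    size_t i;

    if (s == NULL || !isdigit((unsigned char)*p))
        return -1;
    /* Walk the numeric part by hand: strtod() alone would also accept
     * "1e3", "0x10", "inf", signs and leading whitespace. */
    while (isdigit((unsigned char)*p)) p++;
    if (*p == '.') {
        p++;
        if (!isdigit((unsigned char)*p))
            return -1;
        while (isdigit((unsigned char)*p)) p++;
    }
    if (*p != ' ')                      /* exactly one space before the unit */
        return -1;

    for (i = 0; i < sizeof(units) / sizeof(units[0]); i++) {
        if (strcmp(p + 1, units[i].name) != 0)
            continue;
        /* Parse as double first, then scale: "0.125" must not become 0. */
        scaled = strtod(s, &end) * units[i].mult;
        if (end != p || scaled >= 9223372036854775807.0)
            return -1;
        return (int64_t)(scaled + 0.5);
    }
    return -1;                          /* unknown unit or trailing text */
}

int main(void)
{
    printf("%lld\n", (long long)bitrate_to_bps("0.125 Gbps"));
    printf("%lld\n", (long long)bitrate_to_bps("125000 Kbps"));
    printf("%lld\n", (long long)bitrate_to_bps("1e3 Mbps"));
    return 0;
}
```

`strtod()` honours the current locale's decimal point, so the function assumes the default "C" numeric locale.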

Resolved an issue where Handover was failing when attempting to handover
from GNB-ID/eNB-ID 1 to GNB-ID/eNB-ID 0.
The problem occurred because the hash table managing GNB_ID values would
remove any entry with the default GNB-ID/eNB-ID of 0 before re-adding entries.
Consequently, any GNB/eNB configured with a GNB-ID/eNB-ID of 0
would be inadvertently deleted whenever another GNB was added.
This fix modifies the handling of the hash table to prevent the default
GNB-ID/eNB-ID (0) from being removed unintentionally, allowing handovers
between GNB-ID/eNB-ID 0 and other GNBs/eNBs to proceed without error.

```
TS36.413
8.7.3 S1 Setup
8.7.3.4 Abnormal Conditions
If the eNB initiates the procedure by sending a S1 SETUP REQUEST message
including the PLMN Identity IEs and none of the PLMNs provided by the eNB
is identified by the MME, then the MME shall reject the eNB S1 Setup Request
procedure with the appropriate cause value, e.g., “Unknown PLMN”
```
Modified code to address abnormal conditions where the eNB initiates
the S1 Setup Request with a PLMN Identity IE that is unrecognized by the MME.
In this case, the MME now properly rejects the S1 Setup Request
with the cause value "Unknown PLMN" in compliance with the 3GPP specification
(8.7.3.4).

In accordance with TS29.500 Section 5.2.2.2 on mandatory HTTP standard headers,
the User-Agent header in HTTP/2 requests is required to include the NF type
of the HTTP/2 client. Additionally, it is specified that the content
of the User-Agent header may be followed by a hyphen and custom information
when needed, providing greater flexibility for identifying the originating
NF type or adding other specific details.
To accommodate this requirement, I modified the code to allow for additional
information to be appended after the NF type in the User-Agent header,
separated by a hyphen.
This change ensures that the User-Agent header format can be customized
as needed for indirect communication scenarios and requests originating
from the SCP, improving compliance with the specification and enhancing
the adaptability of the header format for HTTP/2 communications.

While experimenting with CSFB, it was observed that when the UE returns
to E-UTRAN after a CS call, the UE performs a Tracking Area Update
with a combined Tracking Area/Location Area update and IMSI attach.
Currently, Open5GS's MME simply responds with a TAU Accept message
but does not inform the MSC/VLR.
As a result, no further MT (Mobile Terminated) CS/SMS services are possible
in cases where the MSC/VLR only attempts paging on GERAN.
However, some MSC/VLR implementations with fast fallback may still attempt
paging on E-UTRAN, allowing MT CS/SMS services to function intermittently.
According to 3GPP TS 29.118 Section 5.2.2 Procedures in the MME,
specifically Section 5.2.2.2.1, if the timer Ts6-1 is not running,
the MME shall start the location update for non-EPS services procedure
upon receiving a combined Tracking Area Update Request indicating
combined TA/LA updating with IMSI attach. However, SGs timers are not
implemented in Open5GS, which is a separate issue.
To comply with the specification and ensure that the MSC/VLR is informed
when the UE becomes reachable via SGs, the following changes have been
implemented:
1. Delay UEContextReleaseCommand:
When the active_flag is set to 0, the UEContextReleaseCommand is now delayed
until the MME receives the TAU Complete message from the UE. This ensures
that the UE has acknowledged the new P-TMSI before the network releases
the context, maintaining proper synchronization between the UE and the network.
2. Include Mobile Identity Only When P-TMSI Changes:
The Mobile Identity is now included in the Attach/TAU Accept messages
only when the MSC/VLR updates the P-TMSI. This ensures that the UE receives
the Mobile Identity information solely when there is an actual change
in the P-TMSI, preventing unnecessary or incorrect handling
of TAU Complete messages.
3. Send SGsAP-REALLOCATION-COMPLETE Conditionally:
The SGsAP-REALLOCATION-COMPLETE message is now sent to the MSC/VLR
only upon receiving an Attach/TAU Complete message from the UE.
This confirmation indicates that the UE has successfully updated its P-TMSI,
ensuring that the MSC/VLR is accurately informed of the change.
4. Handle P-TMSI Confirmation:
When the MSC/VLR updates the P-TMSI, Open5GS stores the new P-TMSI
in the next field of the mme_ue structure. Upon receiving the TAU Complete
message from the UE, indicating acknowledgment of the new P-TMSI,
Open5GS confirms the update by transferring the P-TMSI from the next field
to the current field. This ensures that the MME maintains an accurate and
up-to-date record of the P-TMSI as confirmed by the UE.

Fixed an issue in SCP TLS communication for Open5GS where omitted port numbers
in HTTP/HTTPS URIs (e.g., "https://scp.localdomain" implying port 443) were not
handled correctly.
Updated the code to ensure that during FQDN and port comparisons,
cases where the port number is set to 0 are accounted for.
This fix resolves the problem with indirect SBI communication over SCP using TLS,
allowing proper connectivity between network functions like BSF and NRF.

Previously, the global configuration section was required for NF to start,
which differed from earlier versions where it was optional. This commit modifies
the implementation to make the global section optional again,
allowing NF to start without explicitly defining global settings.
This change restores the previous behavior and improves usability for users
who do not need to customize global settings.

The memory leaks occurring in specific exception handling scenarios have been
resolved. For instance, when an HTTP2 connection closes, memory associated
with objects like response messages was not being freed properly.
This update addresses and fixes these issues.

Implement support for Node-Identifier IE in GTPv2 S2b Create-Session-Request
to SMF for Diameter S6b integration
This patch adds support for processing the Node-Identifier IE within GTPv2
Create-Session-Request messages sent via the S2b interface to the SMF.
When the ePDG includes the Node-Identifier IE containing both host and realm
of the AAA-Server, the SMF now uses this information to populate
the Destination-Realm and Destination-Host AVPs in the Diameter S6b AAR message.
This enables seamless integration and allows the SMF to route requests directly
to the appropriate AAA-Server, enhancing interoperability in setups
where the host and realm data are required by the Diameter network.

This field was previously omitted, which could lead to
improper handling of interface-specific logic in certain scenarios.
The addition of the 3GPP Interface Type ensures correct behavior
in compliance with the 3GPP standards for PFCP message handling.

1. Fix SGW-U/UPF bug by comparing QFI only when PDI's QFI is present
Resolved an issue where the QoS Flow Identifier in the GTP-U Extension Header
was incorrectly compared regardless of the presence of PDI's QFI.
Updated the implementation to perform the comparison
only when PDI's QFI is present.
2. Add Outer Header Removal settings to SGW's PDR where necessary
Addressed the absence of Outer Header Removal in the SGW's PDR
by adding it to all required locations, ensuring proper header handling.
3. Remove unnecessary GTP-U Extension Header Removals
Eliminated all instances of GTP-U Extension Header Removal
since they should only be used during handover from 5GS to EPS.
This cleanup prevents improper header removals in other scenarios.
4. Delete unnecessary usage of Network Interface and UE IP Address
Removed all redundant references to Network Interface and UE IP Address,
streamlining the codebase and reducing potential confusion.
5. Change precedence so that Control has higher priority than Data
Adjusted the precedence settings to ensure that Control messages
are given higher priority over Data, enhancing the system's efficiency
and responsiveness.