Instead of aborting the AMF when an SM context release is requested during the
security-mode state, log an error and allow the system to continue operating.
This avoids a fatal assertion failure and improves overall availability. The
error message "Invalid state transition: cannot release SM Context during
security-mode state" provides a clear debug trace for issue #4012.
This change revises the existing ogs_addaddrinfo() function to handle
partial failures without aborting the process, ensure proper cleanup
of any nodes allocated before an error, and emit more informative logs
(including getaddrinfo() errors and situations where no usable addresses
are returned).
By introducing “tail” and “first_new” pointers, new entries can be appended
to an existing list and safely detached if memory allocation fails mid‐stream.
On top of that, a new helper API, ogs_sockaddr_from_ip_or_fqdn(), was added.
It automatically detects whether its input is a numeric IPv4/IPv6 literal
or a hostname (using AI_NUMERICHOST when appropriate), then delegates
resolution to ogs_addaddrinfo().
Errors are logged at the error level but do not trigger a fatal exit,
and any partial lists are cleaned up before returning.
Finally, the SMF configuration parser in context.c was updated to use
this new API for “p-cscf” entries, allowing both raw IP addresses
and DNS names in smf.yaml.
Corresponding adjustments were made in context.h (to change the p_cscf
and p_cscf6 arrays to mutable char pointers) and in the cleanup routine
smf_context_final() to free any dynamically allocated strings.
Together, these improvements eliminate duplicate parsing logic,
streamline configuration handling, and increase the overall resilience
of address resolution across Open5GS.
This change revises the existing ogs_addaddrinfo() function to handle
partial failures without aborting the process, ensure proper cleanup
of any nodes allocated before an error, and emit more informative logs
(including getaddrinfo() errors and situations where no usable addresses
are returned).
By introducing “tail” and “first_new” pointers, new entries can be appended
to an existing list and safely detached if memory allocation fails mid‐stream.
On top of that, a new helper API, ogs_sockaddr_from_ip_or_fqdn(), was added.
It automatically detects whether its input is a numeric IPv4/IPv6 literal
or a hostname (using AI_NUMERICHOST when appropriate), then delegates
resolution to ogs_addaddrinfo().
Errors are logged at the error level but do not trigger a fatal exit,
and any partial lists are cleaned up before returning.
Finally, the SMF configuration parser in context.c was updated to use
this new API for “p-cscf” entries, allowing both raw IP addresses
and DNS names in smf.yaml.
Corresponding adjustments were made in context.h (to change the p_cscf
and p_cscf6 arrays to mutable char pointers) and in the cleanup routine
smf_context_final() to free any dynamically allocated strings.
Together, these improvements eliminate duplicate parsing logic,
streamline configuration handling, and increase the overall resilience
of address resolution across Open5GS.
This commit fixes compilation errors in the SMF GSM state handlers
by declaring and initializing the n2smbuf variable at the top of
both smf_gsm_state_operational and smf_gsm_state_wait_pfcp_deletion,
and removes the redundant type specifiers from the switch‐case assignments.
Added a handler to catch invalid NAMF_COMM API messages
and prevent assertion failures, and upgraded related SBI log statements
from warnings to errors.
This update adds a comprehensive description of the Home Routed Roaming
functionality, enhances the architecture section and message
flow diagrams to illustrate the new routing process, and provides
clear configuration examples and command‑line snippets to assist
users with setup.
This commit adds Xn and N2 handover procedures to the Home-Routed Roaming code.
Direct forwarding is now fully operational.
Indirect forwarding for N2 handovers is not yet supported.
To preserve the GTP-U header and extension header (even without QER)
along the source gNB -> V-UPF -> target gNB path, future work will create
PDRs without Outer Header Removal IE and FARs without Outer Header Creation IE
and implement the necessary UPF logic.
If gsm_build_pdu_session_establishment_accept() fails due to invalid PCO,
the SMF previously hit an assertion and crashed. This patch adds a proper
error check and transitions to the reject state to prevent the crash.
This was originally reported in issue #3969.
A missing error handling path in 'smf_gsm_state_wait_pfcp_establishment'
led to an assertion failure.
Problem:
During inter-eNB/RAN handover scenarios, such as S1/N2 handover followed by X2/Xn handover cancellation,
the UE context may end up partially moved or duplicated across multiple eNBs. If the handover
is canceled by the target eNB and followed by subsequent UE Context Release or PathSwitchRequest
procedures, the MME can crash due to inconsistent context state. Specifically, when deassociating
the mme_ue <-> enb_ue (or amf_ue <-> ran_ue) pair, the code unconditionally resets the association
fields (`mme_ue->enb_ue_id`, `enb_ue->mme_ue_id`, etc.), even if they no longer reflect an actual
association due to the earlier handover cancellation.
Root Cause:
The MME or AMF state machine incorrectly assumes that the associated context IDs are still valid
and proceeds to unlink the context. When the PathSwitchRequest arrives after the UE context has
been (partially or fully) released, the assertion `enb_ue != NULL` or the mismatch in expected ID
(e.g., `mme_ue->enb_ue_id != enb_ue->id`) leads to a crash.
Solution:
This patch introduces stricter association validation before unlinking UE contexts. Specifically:
- The unlinking functions such as `enb_ue_unlink()` and `amf_ue_deassociate()` were replaced with
more explicit versions: `enb_ue_deassociate_mme_ue()` and `amf_ue_deassociate_ran_ue()`, which
compare the current context ID with the expected one.
- If the ID mismatch is detected, the deassociation is skipped and a detailed error is logged
(rather than crashing with an assertion).
- This approach prevents crashes during handover cancellation cases and avoids incorrectly
cleaning up a context that is already associated with a new peer.
Additionally:
- The same pattern was applied consistently across MME and AMF modules including:
- `s1ap-handler.c`, `mme-context.c`, `mme-s11-handler.c`, `mme-gtp-path.c`
- `ngap-handler.c`, `nsmf-handler.c`, `sbi-path.c`
- All previously direct field resets (`xxx_ue->xxx_ue_id = OGS_INVALID_POOL_ID`) are now guarded
with validation logic.
- Logging was improved to aid in debugging unexpected deassociation cases.
This change improves robustness of the MME/AMF against abnormal handover procedures and
ensures graceful handling of late context release requests or race conditions during
handover cancel and re-establishment.
Fixes: assertion failure in `sgw_ue_check_if_relocated()` during PathSwitchRequest
Add a check to ensure only IPv4, IPv6, or IPv4v6 PDN types are allowed.
For any other (unknown) PDN type, send a PDN Connectivity Reject with cause
Unknown PDN Type instead of proceeding to a fatal assertion.
This prevents the MME from crashing when it receives a malformed NAS message.
In certain race conditions, the AMF could receive an SBI response
after the RAN UE context has already been removed.
The ran_ue_find_by_id assertions in
both amf_npcf_am_policy_control_build_create and
amf_nsmf_pdusession_build_create_sm_context would
trigger a fatal abort.
This change removes those assertions so that late SBI client events are
safely ignored and do not crash the AMF.
During PDU Session release, under memory pressure or upon receiving
an RST_STREAM, the SMF could still attempt to process an already-closed
HTTP/2 stream. This led to a fatal assert(stream) in smf_state_operational(),
terminating the entire SMF process even though the error affected
only a single UE context.
This commit adds a null check for the stream before sending the HTTP status.
If the stream has already been removed, SMF now logs an error instead of
asserting.
Previously, if the AMF received an smf-select-data response (or related SBI
messages) from the NUDM-SDM after the UE context had been released, the GMM
state machine would hit an unhandled event and abort with a fatal assertion.
This commit adds a new case for OGS_SBI_SERVICE_NAME_NUDM_SDM
in gmm_state_exception(), explicitly ignoring SBI messages for AM_DATA,
SMF_SELECT_DATA, UE_CONTEXT_IN_SMF_DATA, and SDM_SUBSCRIPTIONS
(with a warning log).
Any truly unexpected resource names now emit an error log instead
of triggering assert_if_reached. As a result, the AMF will safely drop late
NUDM-SDM responses without crashing.
Previously, malformed S-NSSAI parameters could trigger a fatal assertion in
amf_update_allowed_nssai when the UE had zero slices in its subscription
database. This patch introduces an explicit check for amf_ue->num_of_slice == 0,
logs a clear error message including the UE’s SUPI, and returns false to
reject the registration.
The removed assertion prevents AMF crashes and ensures
that other UEs continue to be served normally.
Previously, malformed Protocol Configuration Options (PCO) data would trigger
ogs_assert failures in both the generic parser and SMF build routines,
causing the SMF process to abort unconditionally.
This commit replaces those fatal assertions with conditional checks:
In ogs_pco_parse(), switch from ogs_assert(size == data_len) to
ogs_expect(size == data_len), allowing the function to return gracefully.
In SMF's PCO build (smf_pco_build) and all downstream build paths
(including GN, GSM, S5C modules), replace ogs_assert(pco_len > 0)
with explicit if (pco_len <= 0) checks that:
Ensure that malformed or incomplete PCOs no longer crash the process,
but instead are handled cleanly so the network function can continue operating.
When SM Context creation fails (e.g. 504 from SMF) the AMF continued
to build and send a NAS downlink message by dynamically looking up
the AMF UE context from ran_ue->amf_ue_id inside ngap_build_downlink_nas_transport().
If ran_ue_deassociate() had already removed that mapping, the lookup
would return NULL, triggering a fatal assertion and crashing the AMF.
This patch changes:
1. nas_5gs_send_to_downlink_nas_transport() and
ngap_build_downlink_nas_transport() signatures to accept an
explicit amf_ue_t * parameter alongside ran_ue_t *.
2. All calls to nas_5gs_send_to_downlink_nas_transport() to pass
the correct amf_ue pointer (from sess->amf_ue_id).
3. Removal of the dynamic lookup and fatal assertion in
ngap_build_downlink_nas_transport(), replacing it with
ogs_assert(amf_ue) on the passed-in context.
By carrying the valid AMF UE context through the call chain, we
ensure that downlink NAS transport always has a correct pointer,
even when the ran_ue-to-amf_ue mapping has been cleared. This
prevents invalid internal state transitions and eliminates the
ngap_build_downlink_nas_transport() crash when handling SMF failures.
SM context release in initial‐context‐setup should not abort the AMF.
Use ogs_error instead of ogs_assert_if_reached to log
the invalid state transition and maintain process availability.
Any unexpected HTTP methods or resource names generate an error
and an assertion, ensuring that truly invalid cases are caught.
By adding these checks and early exits, we avoid fatal assertion failures
in scenarios where the AMF’s state machine would otherwise have no matching
transition for a late SBI callback.
In upf_sess_add, replace the unconditional assertion on sess with a check
that detects when the session pool is exhausted. If allocation fails,
log an error message (“Maximum number of Session reached”) and
return NULL instead of aborting the process.
This change prevents the UPF from crashing when the PFCP session limit (4096) is
exceeded and allows it to reject additional session establishment requests
cleanly.
In lib/sbi/message.c parse_multipart(), http->content may be NULL.
This occurs on empty-body multipart POSTs and causes a segfault.
Add guard to check http->content, log an error, and return OGS_ERROR.
In state_operational, guard against dispatching to NF instance FSMs whose
state has been reset to zero by ogs_fsm_fini() in event_termination(). Drop any
incoming SBI events for those instances and log an error, preventing assertion
failures when late HTTP callbacks arrive after an asynchronous SIGTERM shutdown.
In the previous implementation, the AMF would send a Partial-handover error
indication whenever it encountered a session not found in the subscriber DB,
even if valid sessions remained. This resulted in unexpected error responses
during NG handover.
To resolve this, we record the initial SMF transaction count before iterating
through the UE session list. Sessions without a valid SMF context now produce
a warning and are skipped, while continuing to send Handover Notify messages
for provisioned sessions. After processing, we compare the SMF transaction
count to the initial value. If no valid sessions were handled, we send a
Partial-handover error indication.
With this change, unprovisioned sessions no longer trigger a premature error
indication, allowing valid PDU sessions to complete NG handover successfully.
In lib/sbi/client.c, the conditional compilation for
CURLMOPT_MAX_CONCURRENT_STREAMS was using #ifdef, which does not
ensure the option is set when the symbol is undefined.
Replace the check with #if CURL_AT_LEAST_VERSION(7,67,0) so that the
client applies the max concurrent streams setting on supported
libcurl versions. This fixes pool.event always showing the default
value and enables dynamic adjustment according to pool.stream.
SMF constructs up2cp FAR's outer_header_creation with |ogs_gtp_self()->gtpu_ip|
as DST IP address. Therefore, set |ogs_gtp_self()->gtpu_ip| to GTPU advertise
address. If advertise addr is not set, fall back to socket address as usual.
According to 3GPP TS 29.272 Annex A, when the HSS/UDM responds with
DIAMETER_ERROR_USER_UNKNOWN (5001), the MME/AMF should respond to the UE with
NAS EMM cause #8 (EPS services and non-EPS services not allowed), rather than
cause #11 (PLMN not allowed).
Previously, Open5GS returned cause #11 by default. However, this behavior is
problematic for private LTE environments where multiple operators may use the
same PLMN (e.g., 999/99 as per ITU-T E.212). In such cases, a UE rejected
with cause #11 will add the PLMN to its Forbidden PLMN list (FPLMN), causing
the device to avoid that PLMN for an extended period—even if another
compatible private network using the same PLMN exists.
This patch restores compliance with TS 29.272 by changing the default mapping
from cause #11 to cause #8 in both the 4G MME (emm_cause_from_diameter) and
5G AMF (gmm_cause_from_sbi) when handling unknown subscriber cases.
This ensures:
- Standard-conformant behavior across networks
- Better UE behavior in roaming or private LTE scenarios
- Avoids unnecessary FPLMN blacklisting in UE
Reference Issues:
- #263
- #1281
- #1332
Prevent crashes when UE context is missing in AMF and MME by replacing direct
assertions with conditional checks and error logging.
Removed unconditional ogs_assert(ran_ue) in AMF's GMM handlers and
ogs_assert(enb_ue) in MME's EMM handlers.
Now, if the UE context lookup returns NULL, log an error (including SUPI/IMSI,
NAS message type, and IDs), dump the NAS packet in hex for debugging,
and exit the handler gracefully instead of aborting.
Fix missing N2 signaling when tunnel information is unchanged,
causing AMF crash on repeated PathSwitchRequest
When a second PathSwitchRequest arrives without any tunnel changes,
the handler previously returned HTTP 204 No Content and omitted N2 information.
This led to a fatal assertion in the AMF SM context, since it expected
to receive updated N2 data even when the tunnel remained the same.
This patch modifies ngap_handle_path_switch_request_transfer to build
and send the N2 SM buffer in the “else” branch.
It calls ngap_build_path_switch_request_ack_transfer to construct
the Path Switch Request Acknowledge N2 message and then delivers it
with smf_sbi_send_sm_context_updated_data_n2smbuf.
A new test case is also added to verify that N2 signaling is correctly
transmitted when tunnel parameters have not changed.
In src/smf/context.c:
- Wrap UPF selection logic in a conditional that checks if pfcp_node
is non-NULL.
- If no UPF is available (pfcp_node == NULL), log an error and assert
that sess->pfcp_node remains NULL, instead of crashing.
- Only call selected_upf_node() and set up the GTP session when a prior UPF
entry exists.
In src/smf/gn-handler.c:
- After invoking smf_sess_select_upf(), verify sess->pfcp_node.
- If no UPF was selected, log an error ("No UPF available for session") and
return OGS_GTP1_CAUSE_SYSTEM_FAILURE instead of asserting.
In src/smf/s5c-handler.c:
- Mirror the same check for sess->pfcp_node after smf_sess_select_upf().
- If no UPF is available, log an error and return
OGS_GTP2_CAUSE_SYSTEM_FAILURE.
- If the selected UPF is not yet PFCP-associated, log a specific error
message and return OGS_GTP2_CAUSE_REMOTE_PEER_NOT_RESPONDING.
These changes ensure that SMF does not abort when no UPF is configured or
associated; instead, it fails the session request with an appropriate GTP cause.
* [AMF] Fix UE context transfer when only NRF is client
If UE context transfer is initiated and the new AMF does not get the
old AMF from NRF or no UE context is retrieved from the old AMF,
we do not want to reject UE registration. Send identity request instead.
Test "transfer-error-case" is added into the commit.
* [tests] Unite tests for UE context transfer
All tests for UE context transfer with different configs are placed
into test folder transfer.
* [tests] Make two binaries for UE context transfer tests
For each test config a different test binary is created.
This commit adds support for processing network-initiated PDU Session
Modification in a home-routed roaming context, following section 4.3.3.3
of the specification.
