In some handover scenarios, `sgwc_sxa_build_bearer_to_modify_list()` could
be invoked when there were no bearers to modify. This led to an assertion
failure:
Assertion `num_of_remove_pdr + num_of_remove_far + ...` failed
This patch adds explicit checks on `sess->bearer_list` before building or
sending PFCP Session Modification Requests. If no bearers are present, the
request is skipped and an error is logged with IMSI/APN/TEID context
instead of aborting the process.
Changes include:
- Added `ogs_list_count(&sess->bearer_list)` checks in
`pfcp-path.c`, `s11-handler.c`, `s5c-handler.c`, and `sxa-handler.c`.
- Gracefully skip SMR when bearer list is empty in
Delete Indirect Data Forwarding Tunnel Request handling.
- Log diagnostic information (IMSI, APN, TEIDs) when no bearer is found.
This prevents SGWC from crashing under DEBUG logging and concurrent HO
scenarios, and allows multiple handover sessions to proceed more stably.
When the UE context was removed (e.g. after implicit detach or Delete
Session response), ongoing paging procedures were not finalized. This
caused the MME to skip sending the appropriate paging outcome (e.g.
Downlink Data Notification ACK, Create Bearer Response, Update Bearer
Response, Delete Bearer Response, SGSAP Paging Reject, etc.) depending
on the paging type.
As a result, the SGW or MSC/VLR could continue retransmitting, and the
MME produced spurious "Unknown timer[T3413]" errors.
This patch introduces `MME_UE_REMOVE_WITH_PAGING_FAIL`, which:
- Checks if paging is ongoing before removing the UE context
- Calls `mme_send_after_paging()` to send the correct outcome message
(Unable to page UE or equivalent cause) according to paging type
- Removes the UE context afterwards
This change ensures that all paging procedures are completed with a
proper response as required by 3GPP specifications, improving network
interoperability and eliminating misleading timer errors.
When the AMF receives a DELETE request for the registration API while in
the gmm_state_authentication state, it currently crashes because the
HTTP method is not handled. This appears to be a race condition.
To fix this, explicitly handle OGS_SBI_HTTP_METHOD_DELETE by ignoring the
message and logging an error, similar to the handling of other
unexpected SBI messages.
When the AMF receives a PATCH request for the registration API while in
the gmm_state_authentication state, it currently crashes because the
HTTP method is not handled. This appears to be a race condition.
To fix this, explicitly handle OGS_SBI_HTTP_METHOD_PATCH by ignoring the
message and logging an error, similar to the handling of other
unexpected SBI messages.
- Use ogs_pool_id_calloc() / ogs_pool_id_free() instead of ogs_pool_alloc() / ogs_pool_free()
to assign stable pool IDs to connection_t and ogs_sbi_session_t.
- Pass pool ID to ogs_timer_add() instead of raw pointer.
- In connection_timer_expired() and session_timer_expired(), resolve object via
ogs_pool_find_by_id() and safely return if the object has already been freed.
- Add safety checks and error logs for invalid IDs and missing objects.
This prevents use-after-free or double-free crashes when timer callbacks
are triggered after the object has been freed under heavy load.
Previously, the code asserted the existence of a bearer when handling
Create Indirect Data Forwarding Tunnel Request. If the bearer was not
found, this caused a crash.
This patch adds a null check for the bearer. If no bearer is found,
it now logs an error and sends a GTP error response with
CAUSE_CONTEXT_NOT_FOUND, then returns gracefully.
Previously, sgwc_bearer_add() and sgwc_tunnel_add() relied on ogs_assert()
for allocation failures (bearer, tunnel, PDR, FAR). Under heavy handover
(ViLTE ping-pong HO) conditions, pool exhaustion could trigger assertions
and crash the SGW-C.
This patch:
- Adds NULL checks for ogs_pool_id_calloc() in bearer/tunnel creation
- Adds NULL checks for ogs_pfcp_pdr_add() and ogs_pfcp_far_add()
- Cleans up partially created objects on failure
- Returns System Failure for S11 CIDFT requests if tunnel creation fails
- Adds NULL checks before removing PDR/FAR in sgwc_tunnel_remove()
- Fixes log message for PDR allocation failure
These changes improve stability during repeated HO scenarios by preventing
assertion crashes when resource pools are exhausted.
During integration tests with a third-party SCP, SMF crashed after
processing the UDM response to a PUT request during UE attachment.
This issue was traced to a missing NULL-check on the `stream` pointer
inside smf_state_operational().
Previously, the code asserted `stream` unconditionally when sending
the HTTP response or PDU session created data. If the SBI stream had
already been removed, the assertion failed, causing SMF to abort.
This patch adds a NULL-check for `stream`. When `stream` is NULL,
an error log is printed instead of asserting. This prevents SMF from
crashing and allows it to continue processing.
Tested with:
- Open5GS v2.7.6-21-g0516e01
- SCP from another vendor (crash reproduced and fixed)
- Open5GS SCP (no crash observed)
Fixes: smf_state_operational() assertion failure at smf-sm.c:1075
Answer ALERT-REQUEST with either ALERT-ACK or ALERT-REJECT.
This commit leaves unimplemented (to be implemented in the future)
the part regarding setting of internal NEAF flag for UE inside MME
and then triggering SGsAP-UE-ACTIVITY-INDICATION towards VLR.
See 3GPP TS 23.272 and 3GPP TS 29.118 (grep for "Alert" and "Activity")
for further information.
PFCP PDR precedence is a uint32_t. In Open5GS the default
OGS_PFCP_DEFAULT_PDR_PRECEDENCE is 65535. The previous assert enforced
(0,255), which is incorrect and causes valid configurations to abort.
Remove the assert and pass the precedence through as-is.
Fixes assertion failures seen in TC_pdu_sess_modification in
osmo-ttcn3-hacks.
The older version of the code was wrong (or at least not exactly
correct) in many (corner) cases.
* Split the parsing of Packet Filter List into its own helper function
to simplify the code
* Improve error logging to provide more info on which QoS rule failed.
* Add some extra logic checking match between 'Length of QoS rule' and
existance of m+1 and m+2 bytes.
* Correct logic checking expected/unexpected presence of m+1 and m+2
octets based on Rule Operation Code according to specs.
Home-Routed roaming: during Xn/N2 handover the source gNB may forward
remaining DL data to the core using UL PDU Session Information (PSC).
On the V-UPF the PSC was lost on the indirect path because OHR+OHC
removed the incoming GTP-U header (and its extensions) and we did not
recreate PSC when no QER/QFI was provisioned by the V-SMF.
This change makes the V-UPF rebuild a DL PSC for the target gNB even
when QER is absent, limited to the Access->Access indirect path
(source gNB -> V-UPF -> target gNB).
Why this is needed in HR:
- In HR deployments the V-SMF typically does not provision QER/QFI for
the temporary indirect path. Without recreating PSC from recvhdr, the
extension header disappears after OHR+OHC and the target gNB cannot
see the QFI during handover buffering/forwarding.
Previously, Outer Header Removal was set according to PDU session type.
However, outer header IP version is independent of inner packet IP version or
PDU session type. It typically depends on UPF and gNB configuration. Set it to
GTP-U/UDP/IP to handle both IPv4 and IPv6 cases, according to TS 29.244, Table
8.2.64-1, Note 4: "The CP function shall use this value to instruct UP function
to remove the GTP-U/UDP/IP header regardless it is IPv4 or IPv6."
No changes at UPF are necessary because it already ignores Outer Header Removal
Description type and Kernel correctly decapsulates the outer IP header at
socket level.
This change moves the call to fd_msg_new_answer_from_req so that the answer
header is created immediately after the incoming request is received,
ensuring that the ans pointer is initialized before any message‐specific
allocations or parsing take place.
This refactoring guarantees that the answer message is set up once and early,
which improves readability and ensures that proper cleanup can occur
without repeated steps.
Refer to:
- Issues #4012
- Pull Request #4034
- Commit f23d7a5
Add robust error checks and logging to MME, SMF, PCRF, and HSS
Diameter callback functions. Prevent assertion failures by
handling unexpected or late messages gracefully.
Instead of aborting the AMF when an SM context release is requested during the
security-mode state, log an error and allow the system to continue operating.
This avoids a fatal assertion failure and improves overall availability. The
error message "Invalid state transition: cannot release SM Context during
security-mode state" provides a clear debug trace for issue #4012.
This change revises the existing ogs_addaddrinfo() function to handle
partial failures without aborting the process, ensure proper cleanup
of any nodes allocated before an error, and emit more informative logs
(including getaddrinfo() errors and situations where no usable addresses
are returned).
By introducing “tail” and “first_new” pointers, new entries can be appended
to an existing list and safely detached if memory allocation fails mid‐stream.
On top of that, a new helper API, ogs_sockaddr_from_ip_or_fqdn(), was added.
It automatically detects whether its input is a numeric IPv4/IPv6 literal
or a hostname (using AI_NUMERICHOST when appropriate), then delegates
resolution to ogs_addaddrinfo().
Errors are logged at the error level but do not trigger a fatal exit,
and any partial lists are cleaned up before returning.
Finally, the SMF configuration parser in context.c was updated to use
this new API for “p-cscf” entries, allowing both raw IP addresses
and DNS names in smf.yaml.
Corresponding adjustments were made in context.h (to change the p_cscf
and p_cscf6 arrays to mutable char pointers) and in the cleanup routine
smf_context_final() to free any dynamically allocated strings.
Together, these improvements eliminate duplicate parsing logic,
streamline configuration handling, and increase the overall resilience
of address resolution across Open5GS.
This change revises the existing ogs_addaddrinfo() function to handle
partial failures without aborting the process, ensure proper cleanup
of any nodes allocated before an error, and emit more informative logs
(including getaddrinfo() errors and situations where no usable addresses
are returned).
By introducing “tail” and “first_new” pointers, new entries can be appended
to an existing list and safely detached if memory allocation fails mid‐stream.
On top of that, a new helper API, ogs_sockaddr_from_ip_or_fqdn(), was added.
It automatically detects whether its input is a numeric IPv4/IPv6 literal
or a hostname (using AI_NUMERICHOST when appropriate), then delegates
resolution to ogs_addaddrinfo().
Errors are logged at the error level but do not trigger a fatal exit,
and any partial lists are cleaned up before returning.
Finally, the SMF configuration parser in context.c was updated to use
this new API for “p-cscf” entries, allowing both raw IP addresses
and DNS names in smf.yaml.
Corresponding adjustments were made in context.h (to change the p_cscf
and p_cscf6 arrays to mutable char pointers) and in the cleanup routine
smf_context_final() to free any dynamically allocated strings.
Together, these improvements eliminate duplicate parsing logic,
streamline configuration handling, and increase the overall resilience
of address resolution across Open5GS.
This commit fixes compilation errors in the SMF GSM state handlers
by declaring and initializing the n2smbuf variable at the top of
both smf_gsm_state_operational and smf_gsm_state_wait_pfcp_deletion,
and removes the redundant type specifiers from the switch‐case assignments.
Added a handler to catch invalid NAMF_COMM API messages
and prevent assertion failures, and upgraded related SBI log statements
from warnings to errors.
This update adds a comprehensive description of the Home Routed Roaming
functionality, enhances the architecture section and message
flow diagrams to illustrate the new routing process, and provides
clear configuration examples and command‑line snippets to assist
users with setup.
This commit adds Xn and N2 handover procedures to the Home-Routed Roaming code.
Direct forwarding is now fully operational.
Indirect forwarding for N2 handovers is not yet supported.
To preserve the GTP-U header and extension header (even without QER)
along the source gNB -> V-UPF -> target gNB path, future work will create
PDRs without Outer Header Removal IE and FARs without Outer Header Creation IE
and implement the necessary UPF logic.
If gsm_build_pdu_session_establishment_accept() fails due to invalid PCO,
the SMF previously hit an assertion and crashed. This patch adds a proper
error check and transitions to the reject state to prevent the crash.
This was originally reported in issue #3969.
A missing error handling path in 'smf_gsm_state_wait_pfcp_establishment'
led to an assertion failure.
Problem:
During inter-eNB/RAN handover scenarios, such as S1/N2 handover followed by X2/Xn handover cancellation,
the UE context may end up partially moved or duplicated across multiple eNBs. If the handover
is canceled by the target eNB and followed by subsequent UE Context Release or PathSwitchRequest
procedures, the MME can crash due to inconsistent context state. Specifically, when deassociating
the mme_ue <-> enb_ue (or amf_ue <-> ran_ue) pair, the code unconditionally resets the association
fields (`mme_ue->enb_ue_id`, `enb_ue->mme_ue_id`, etc.), even if they no longer reflect an actual
association due to the earlier handover cancellation.
Root Cause:
The MME or AMF state machine incorrectly assumes that the associated context IDs are still valid
and proceeds to unlink the context. When the PathSwitchRequest arrives after the UE context has
been (partially or fully) released, the assertion `enb_ue != NULL` or the mismatch in expected ID
(e.g., `mme_ue->enb_ue_id != enb_ue->id`) leads to a crash.
Solution:
This patch introduces stricter association validation before unlinking UE contexts. Specifically:
- The unlinking functions such as `enb_ue_unlink()` and `amf_ue_deassociate()` were replaced with
more explicit versions: `enb_ue_deassociate_mme_ue()` and `amf_ue_deassociate_ran_ue()`, which
compare the current context ID with the expected one.
- If the ID mismatch is detected, the deassociation is skipped and a detailed error is logged
(rather than crashing with an assertion).
- This approach prevents crashes during handover cancellation cases and avoids incorrectly
cleaning up a context that is already associated with a new peer.
Additionally:
- The same pattern was applied consistently across MME and AMF modules including:
- `s1ap-handler.c`, `mme-context.c`, `mme-s11-handler.c`, `mme-gtp-path.c`
- `ngap-handler.c`, `nsmf-handler.c`, `sbi-path.c`
- All previously direct field resets (`xxx_ue->xxx_ue_id = OGS_INVALID_POOL_ID`) are now guarded
with validation logic.
- Logging was improved to aid in debugging unexpected deassociation cases.
This change improves robustness of the MME/AMF against abnormal handover procedures and
ensures graceful handling of late context release requests or race conditions during
handover cancel and re-establishment.
Fixes: assertion failure in `sgw_ue_check_if_relocated()` during PathSwitchRequest
Add a check to ensure only IPv4, IPv6, or IPv4v6 PDN types are allowed.
For any other (unknown) PDN type, send a PDN Connectivity Reject with cause
Unknown PDN Type instead of proceeding to a fatal assertion.
This prevents the MME from crashing when it receives a malformed NAS message.
In certain race conditions, the AMF could receive an SBI response
after the RAN UE context has already been removed.
The ran_ue_find_by_id assertions in
both amf_npcf_am_policy_control_build_create and
amf_nsmf_pdusession_build_create_sm_context would
trigger a fatal abort.
This change removes those assertions so that late SBI client events are
safely ignored and do not crash the AMF.
