Numerous manual adjustments are included to make sense on the sysmocom/iu branch:
* gsm_04_08_gprs.h has moved to libosmocore on the master branch, but
sysmocom/iu has added some entries. Until it is clear whether to move the
additions to libosmocore as well, keep gsm_04_08_gprs.h on sysmocom/iu with
merely the additions.
* Thus, keep using the old gsm_04_08_gprs.[hc] from openbsc in the Makefiles,
but only where the sysmocom/iu additions are needed.
* In openbsc's gsm_04_08_gprs.h,
* include the libosmocore gsm_04_08_gprs.h,
* use '#pragma once' instead of #ifndef and
* add a TODO comment about moving the rest to libosmocore.
* Apply the addition of an osmo_auth_vector to gsm_auth_tuple: in the Iu auth
vector hacks, use the gsm_auth_tuple.vec instead of a local struct.
See iu_hack__get_hardcoded_auth_tuple() and gsm48_rx_gmm_att_req().
* In the si2q tests, pass NULL as ctx to gsm_network_init().
* In cscn_main.c, add a debug log that was originally added to osmo-nitb.
* openbsc/.gitignore: keep only one addition of 'writtenconfig'
Conflicts:
openbsc/include/openbsc/gprs_sgsn.h
openbsc/include/openbsc/gsm_04_08_gprs.h
openbsc/src/gprs/gsm_04_08_gprs.c
openbsc/src/libmsc/gsm_04_08.c
openbsc/src/osmo-cscn/cscn_main.c
openbsc/tests/gsm0408/Makefile.am
In commit 4adb136da6 we introduced
a new authentication state SGSN_AUTH_AUTHENTICATE, but we didn't
add that to auth_state_names[] resulting in log messages printing
it abut 'unknown 0x1' rather than something more useful.
The existing GSUP code expected the subscriber data to be piggy-backed
onto the location update response, rather than a separate (and nested)
insert subscriber data request/response phase.
With this patch we should now support both the nested as well as the
piggy-backed version.
The ranap_handle_* functions generate a msgb and pass it on to the receive
callback. After processing the message the msgb needs to be freed again.
iu_tx() takes a msgb and uses ranap_new_msg_dt() to generate a new msgb from
it. The old msgb needs to be freed.
Don't call msc_subscr_con_free() directly, instead use
gsm0408_clear_request(), which properly cleans up all pending operations
before freeing the connection.
By having conn->in_release == 1, calling msc_release_connection() has no
effect and thus never frees the conn. So, after all pending requests have
been discarded, also discard and free the unused connection.
In gsm04_08_clear_request(), in_release == 1 anyway and
msc_release_connection() would exit immediately without any effect. Don't
confuse the reader by passing release=1 arg.
Subscriber conn stuff doesn't really belong in gsm_subscriber.c.
(I moved because I thought it would call some static functions in gsm_04_08.c,
which ended up not being the case; anyway, it makes more sense to stay in
gsm_04_08.c.)
In NITB, the paging timeout would be handled from the BSC side. In IuCS, we
need to invalidate the paging request from libmsc alone, so add a paging timer
to gsm_subscriber.
Possibly, the HNB-GW should respond with a paging failure and libmsc could
trigger on that, nevertheless libmsc should not rely on a failure message to
expire pending pagings.
Make sure that subscr and conn are valid:
* a subscr must always be present.
* on success, a conn must be present and the subscr must match the conn's
subscr.
Also check the hooknum.
This reverts commit 6f4e83beb0, but note:
this is not a 1:1 revert since the subscr_paging_sec_cb() semantics have changed.
In subscr_paging_dispatch(), the separate subscr parameter is needed in cases
where paging expired and there is no conn available.
For subscr_paging_sec_cb(), a conn must always be available. Hence it avoids
any duplicity by only passing the conn and deriving the subscr from that.
Callers of subscr_paging_sec_cb() pass NULL as param, so pass conn->subscr when
calling subscr_paging_dispatch() from subscr_paging_sec_cb().
During peliminary paging response testing, I introduced some code duplication.
Remove that and instead call the code that was there before 63b99ced83
("add preliminary paging response handling, incomplete").
By calling the gsm_subscriber API, the connection is also secured and hence
Integrity Protection is enabled for IuCS.
Before this, any paging response would be accepted by the CN, without
checking the database whether the subscriber is in fact authorized.
The probability that a subscriber would be able to take unauthorized action
is slim, nevertheless checking authorization status with the database should
happen before we accept a connection.
Remove one layer of callback indirection in paging. When a paging response
arrives, we always want to first secure the connection, thus a fixed
subscr_rx_paging_response() function is more appropriate and avoids having
to store a cbfn. The actual actions to be taken upon successful paging are
of course still in callback functions stored with each subscriber.
It doesn't really hurt to see whether we have paging responses queued for
a given subscriber. Possibly a subscriber replied with a paging response
later than we assumed the paging to be valid.
Rename subscr_request_channel() to _conn() and remove the channel_type arg.
The "channel" is a term from closely tied MSC+BSC code, after separation we
shall call it a "connection", i.e. over IuCS or A.
The channel_type arg is already unused from a previous MSCSPLIT commit.
Add function subscr_authorized(), absorbing the guts of static
authorize_subscriber() from gsm_04_08.c, except the parts specific to Location
Updating.
subscr_authorized() is a check that is to be added to validation of a paging
response.
Remove legacy code from the original NITB version -- the SMPP init functions
have since been refactored in 1b0e5540db.
Add SMPP initialization in the refactored version: call the alloc_init
before reading config file, and call start with the global network struct
after config is read.
There are different Iu dialects in terms of encoding the
transport layer address inside RAB Assignment req + resp.
Let's be liberal in what we accept, and simply use the length
as an indicator of the format. Wireshark uses similar heuristics.
When the RNC confirms the RAB Assignment, it can each time indicate a
new TEID for the GTP-U endpoint on the RNC side. We need to update our
information about the PDP context and include that in the UPDATE PDP
CONTEXT that we're sending towards the GGSN. This is similar to
updating the RNC-side IP address of the GTP endpoint.
When we send the RAB Assignment Request to the RNC, we need
to tell it the GGSN-side TEI for data, not "our" (SGSN side)
TEID.
In the RAB-Assignment.req we inform the RNC of the TEID on the GGSN
side, and in the RAB-Assignment.resp the RNC informs us of the TEID
on the RNC side.
When receiving an RAB-Assignment response from the RNC,
we should use the RAB ID (=NSAPI) to resolve the PDP context.
We cannot use the TEID, as the TEID chosen by the RNC for this RAB has
no relationship to the TEID we were using for the RAB-Assignment
request. TEIDs are local to each of the peer, like UDP port numbers.
When starting with empty config file, saving it by 'write file',
and then re-starting osmo-cscn, it would complain:
Error occurred during reading below line:
long name Osmocom Circuit-Switched Core Network
The problem is that the vty parser is configured to expect a single
token and not a list of tokens here, but we initialize the default value
with multiple words (which are treated as separate token).
In general, if a function generates output data like a msgb (or in this
case filling an osmo_oap_message structure), the output argument
precedes the source. This is what we use all over libosmo*, and it is
modelled after memcpy(), where dst is the first argument, before src.
Let's align osmo_oap_decode(). Intestingly, osmo_oap_encode was already
correct, so the encode/decode functions used different conventions
before.
This rename is the first step of moving the associated functions into
libosmocore.
Also, rename gprs_match_* to osmo_match_shift_* to indicate that it is
not just matching the TLV, but also shifting the data portion.
This is a preparation to move the related code to libosmocore, whilst
at the same time generalizing it from GPRS Subscriber Update Protocol
to the Osmocom Generic Subscriber Update Protoco.
Rather than having a 'private' structure for kc, sres and rand, we
now finally (with 4 years delay) use osmo_auth_vector from libosmogsm,
which encapsulates authentication vectors that can be either GSM
triplets or UMTS quintuples or a combination of both.
gsm_auth_tuple becomes a wrapper around osmo_auth_vector, adding
use_count and key_seq to it.
key_seq is no longer initialized inside gprs_gsup_messages.c, as there
is no CKSN / key_seq inside the message anyway. If a usre of the code
needs key_seq, they need to manage it themselves.
In case both TCH/H and TCH/F or different codecs are configured and
internal MNCC handler is used we might end up in a situation where call
legs with incompatible channel types or codecs would be connected
resulting in a broken audio. Disconnect such calls with appropriate
error message.
Fixes: OS#1663
In handle_paging_response(), don't check conn against NULL after using it all
the time anyway.
To ensure beyond doubt that it is actually never NULL, assert conn further up
in the call stack, i.e. in gsm0408_dispatch(), the main entry point for
receiving data from the BSC/RNC level. Also assert msg while at it.
Fixes: CID#93769
In gsm_04_08.c, add a static handle_paging_resp() to take over from the libbsc
function gsm48_handle_paging_resp(). Use the subscr->requests listing to handle
a Paging Response and call the pending cbfn.
In NITB, this used to be done via BTS, and I haven't entirely resolved yet how
exactly to rewire this in standalone libmsc. So far, this "works for me", but
is worth another visit.
Still missing: enable Integrity Protection.
Factor out hardcoded-Ki and auth tuple creation into a static function.
Add generation of fresh random bytes and generate a valid auth tuple so that
the authentication token is different for every MM Auth.
Introduce struct gsm_rnc, stored in a global list, static to iu.c.
(This list is not part of gsm_network so that the code can be
used from both MSC and GPRS code, i.e. both for CS and PS.)
Parse RANAP Global RNC Id, add GSM flags to build for gsm48_mcc_mnc_from_bcd()
to decode the PLMN Id.
Upon every Initial UE message, record/verify RNC Id and LAC for that
connection. In case of mismatch, so far just log an error.
Introduce talloc_iu_ctx, setup during iu_init() as child of the talloc_ctx
passed in by the caller.
Allocate ue_conn_ctx from talloc_iu_ctx, used to be from NULL.
Allocate osmo_sua_user and talloc_asn1_ctx from talloc_iu_ctx, used to be from
the ctx passed in by iu_init() caller.
This adds a very basic, use once example in python on how to connect
and deal with the app specific payload and messages. The code is not
complete as the invokeId should be patched according to the initial
invoke. This excercise is left to future readers of that code.
* support for sending arbitrary static SI2quater.
* vty interface for neightbor EARFCNs specific to SI2quater.
* dynamic generation of SI2quater messages.
* unit test for SI2quater messages.
Fixes: OS#1630
Move define to header file.
Use inline functions where appropriate.
Change int variables which are used as boolean into actual bool to make
code easier to follow.
Use the simpler approach and just call encode('hex') on the str and
then convert it to lower case to keep the tests working.
reproduce:
Python 2.6.6 (r266:84292, Dec 27 2010, 00:02:40)
[GCC 4.4.5] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> d = '\0\0'
>>> d
'\x00\x00'
>>> "".join("{:02x}".format(ord(c)) for c in d)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<stdin>", line 1, in <genexpr>
ValueError: zero length field name in format
fixes:
======================================================================
ERROR: testBSCreload (__main__.TestVTYNAT)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./vty_test_runner.py", line 658, in testBSCreload
b0 = nat_bsc_sock_test(0, "lol")
File "./vty_test_runner.py", line 1150, in nat_bsc_sock_test
ipa_handle_small(bsc, verbose)
File "./vty_test_runner.py", line 1116, in ipa_handle_small
s = data2str(x.recv(4))
File "./vty_test_runner.py", line 1100, in data2str
return "".join("{:02x}".format(ord(c)) for c in d)
File "./vty_test_runner.py", line 1100, in <genexpr>
return "".join("{:02x}".format(ord(c)) for c in d)
ValueError: zero length field name in format
----------------------------------------------------------------------
If we want to separate the BSCs we should separate based on
the source port and not the source ip (at least in the current
test setup).
Fixes:
======================================================================
ERROR: testBSCreload (__main__.TestVTYNAT)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./vty_test_runner.py", line 658, in testBSCreload
b0 = nat_bsc_sock_test(0, "lol")
File "./vty_test_runner.py", line 1145, in nat_bsc_sock_test
bsc.bind(('127.0.0.1' + str(nr), 0))
File "<string>", line 1, in bind
error: [Errno 99] Cannot assign requested address
----------------------------------------------------------------------
Update the comment to reflect that the NAT itself will bind to port
5000 and then the mock MSC will fail to bind to it. Try to move the
mock MSC to another port.
Could fix:
======================================================================
ERROR: testBSCreload (__main__.TestVTYNAT)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./vty_test_runner.py", line 654, in testBSCreload
msc = nat_msc_test(self, ip)
File "./vty_test_runner.py", line 1101, in nat_msc_test
msc.bind((ip, 5000))
File "<string>", line 1, in bind
error: [Errno 98] Address already in use
----------------------------------------------------------------------
Don't assume that one can just bind to a local address that has
not been configured. Remove the unspecific comment as I don't know
to which other tests it is referred to.
This should fix:
======================================================================
ERROR: testBSCreload (__main__.TestVTYNAT)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./vty_test_runner.py", line 655, in testBSCreload
msc = nat_msc_test(self, ip)
File "./vty_test_runner.py", line 1102, in nat_msc_test
msc.bind((ip, 5000))
File "<string>", line 1, in bind
error: [Errno 99] Cannot assign requested address
----------------------------------------------------------------------
Add vty tests for BSC configuration reloading.
Load BSCs configuration on bscs-config-file command:
* remove all runtime configured BSC not in the config file
* close connections to all BSC with updated token value
Fixes: OS#1670
Sponsored-by: On-Waves ehf
Introduce new configuration option bscs-config-file which includes BSC
configuration from the given file. Both absolute and relative (to the
main config file) paths are supported.
Add 'show bscs-config' command to display current BSC configuration.
Note: it is still possible to have BSC configuration in the main
file (provided proper index number is used) and in runtime but BSC
configuration is no longer saved automatically. The management of
included configuration file is left to external tools.
Update configuration examples.
Fixes: OS#1669
Sponsored-by: On-Waves ehf
Factor out 2, add 3 functions. Those functions are simple wrappers
around hex strings specific to IPA protocol. Not all of them are
utilized at the moment but they were checked with wireshark while
working on the tests. It might come in handy if we'd like to further
expand related test harness in future. The same goes for optional
verbosity argument which is not used right now but will be handy for
future debugging.
Add lac argument to gsm0408_rcvmsg_iucs(), to record the LAC in newly
allocated gsm_subscriber_connections.
In effect, fix the LAC sent to UE during Location Updating Accept message.
Before, 0 was stored as LAC and sent to the UE, regardless of the actual
LAC in use.
Extend the existing ctrl command to be able to specify the
algorithm and Ki. In contrast to the VTY no size check is
done. Together with the VTY this code only supports a small
part of what is supported by libosmocore.
The algorithm and ki are considered optional but if a valid
algorithm other than "none" is passed, a KI must be passed as
well.
Extend the test coverage by passing the potential values. It
is not verified that the KI/algorithm is stored.
We should not return a subscriber in case it was not written to
the database. Instead free the memory allocated and return NULL.
Callers in gsm_04_08.c are prepared to have the creation fail.
Related: OS Issue #1657
The issue of db_create_subscriber updating an already existing subscr
is that the same subscriber will then have two entries in the active
subscribers list. In general this will break assumptions that a subscr
can be compared by comparing the pointer.
In the case of the VTY this was not an issue as the created subscr
was immediately destroyed again but it is better to avoid this problem.
Change the VTY command to find the subscriber and then call sync to
have the updated time set. The side-effect is we will now have two
queries for the subscriber. Once through subscr_get_by_imsi and once
through db_create_subscriber.
Change the db_create_subscriber to fail if a subscriber already exists,
and add a testcase for this behavior and do not updated the 'updated'
timestamp of an already existing subscriber.
Add a testcase for this behavior.
Related: OS Issue #1657
Add testcase to issue the subscriber create twice. db_create_subscriber
in db.c will first try to find the subscriber and if it exists, it will
update the "updated" column in the database.
Related: OS Issue #1657
The ip.access nanoBTS seems to have severe issues with BSSGP when
changing the country code and/or network code. It is unlikely that
the proprietary code is getting fixed so we extend the parameter
for the apply-configuration command to carry the 'restart' param.
The nanoBTS continues to be buggy and seems to have broken BSSGP
when changing SIs across new OML connections. Add an easy command
to force the reboot of the system through OML.
Make sure a new auth tuple is initialized after
db_get_lastauthtuple_for_subscr() returns an error, i.e. if no tuple is present
for the subscriber yet.
Before this patch, the first key_seq depended on the typically uninitialized
value that was present in auth tuple's key_seq upon calling
auth_get_tuple_for_subscr().
The very first key_seq used for a new subscriber will now always be 0. Before,
it used to be mostly 1 ("(0 + 1) % 7"), but depended on whether the key_seq was
indeed initialized with 0, actually by random.
In auth_get_tuple_for_subscr(), add missing condition to match incoming
key_seq with stored key_seq, so that re-authentication is requested for
mismatching key_seqs.
Add test for this issue.
Instead of using hardcoded -1 for errors, include -1 in the enum auth_action
type; apply its use.
In the mm_auth test, the string output changes from '(internal error)' to
'AUTH_ERROR', since now the proper enum value is used in auth_action_names[].
Test two situations for AUTH_DO_AUTH_THEN_CIPH:
- when no auth tuple is available
- when the key sequence from LU is marked invalid
Add convenience auth tuple comparison function using stringification.
Add basic MM Authentication test setup, with fake DB access and RAND_bytes().
So far implement simple tests for IO error during DB access and missing auth
entry.
To print the auth action during tests, add struct auth_action_names and
auth_action_str() inline function in auth.[hc].
Don't store an MSC index number in the vty->index void* value. Instead,
store the osmo_msc_data struct directly. Thus avoid warnings about
differences in int vs void* sizes, and save some index lookups.
Upon authentication response, initiate integrity protection for Iu by sending a
Security Mode Command (IK), with hardcoded auth tuple so far.
Implement RANAP event handling to receive Security Mode Complete message,
adding stubs for the other events; in new files osmo-cscn/iucs_ranap.[hc] to
keep RANAP dependencies separate, and particularly out of libmsc.
Upon receiving Security Mode Complete, call the security operation callback
(conn->sec_operation->cb) to complete the Location Update.
Introduce enum integrity_protection_state constants to indicate integrity
protection, record in gsm_subscriber_conn.iu.integrity_protection.
Make subscr_conn_lookup_iu() non-static and declare in iu_cs.h to be able to
call from iucs_ranap.c's Security Mode Complete event.
Implement dummy iu_tx_sec_mode_cmd() to allow tests to build without RANAP
dependencies.
In cscn_main.c, call iucs_rx_ranap_event(), to populate the struct gsm_network
struct with cscn_network explicitly (don't share cscn_network across
compilation scopes because it's ugly).
sgsn_libgtp.c: missing include, for asn1str_to_u32()
iu_cs.c: missing include, for subscr_name()
osmo_bsc_vty.c: int/pointer conversions
(note: this was discussed on the list to be solved by passing a pointer
instead. Until then...)
iudummy.c: opaque struct declarations
Error was introduced in d04db9d907
'libiu: Replace RAB assignment response callback with a general one'
For iu_rab_act_ps(), the rab_id parameter was added in iu.h but not in the
implementation, nor for the callers. Make the iu.h signature match the
implementation, again.
In Iu mode the RA upd request can be called from a new Iu connection so we
might need to reauthenticate the connection as well as turn on integrity
protection.
gprs_transp_upd_key only sends a security mode command which is needed for CS
as well so change it.
Make sure it is called after the UE is authenticated in Iu mode.
In OpenBSC, we traditionally displayed a TMSI in its integer
representation, which is quite unusual in the telecom world. A TMSI is
normally printed as a series of 8 hex digits.
This patch aligns OpenBSC with the telecom industry standard.
Signed-off-by: Vadim Yanitskiy <axilirator@gmail.com>
mgcp_transcode.c: In function 'decode_audio':
mgcp_transcode.c:332:4: warning: format '%d' expects argument of type 'int', but argument 7 has type 'size_t' [-Wformat=]
LOGP(DMGCP, LOGL_ERROR,
^
mgcp_transcode.c:332:4: warning: format '%d' expects argument of type 'int', but argument 8 has type 'long unsigned int' [-Wformat=]
mgcp_transcode.c: In function 'encode_audio':
mgcp_transcode.c:390:4: warning: format '%d' expects argument of type 'int', but argument 7 has type 'size_t' [-Wformat=]
LOGP(DMGCP, LOGL_INFO,
^
mgcp_transcode.c:390:4: warning: format '%d' expects argument of type 'int', but argument 8 has type 'size_t' [-Wformat=]
mgcp_transcode.c: In function 'mgcp_transcoding_process_rtp':
mgcp_transcode.c:542:5: warning: format '%d' expects argument of type 'int', but argument 9 has type 'size_t' [-Wformat=]
LOGP(DMGCP, LOGL_NOTICE,
^
mgcp_transcode.c:571:4: warning: format '%d' expects argument of type 'int', but argument 7 has type 'size_t' [-Wformat=]
LOGP(DMGCP, LOGL_NOTICE,
^
There is no concurrency involved and if it failed the first time,
it will fail the second, third, ... time as well. Simply print that
we will leak the database instance.
libosmocore recently added inline functions to relieve callers from applying
bitmasks and bit shifts to access the transaction id of a GSM 04.08 header.
Apply these functions.
Replace hardcoded protocol discriminator and message type bitmasks with
function calls recently introduced in libosmocore.
Note that the release 98 bitmasks slightly differ from the release 99 bitmasks.
This patch uses the "default" gsm48_hdr_msg_type invocation, thus it depends on
libosmocore whether 98 or 99 bitmasks are used.
In some places, use of the bitmask was erratic. Fix these implicitly by
employing the bitmask functions:
* silent_call.c: silent_call_reroute(): add missing bitmask for MM.
* bsc_msg_filter.c: bsc_msg_filter_initial(): RR vs. MM messages.
* osmo_bsc_filter.c: bsc_find_msc() and bsc_scan_bts_msg(): RR vs. MM
messages.
* bsc_nat_rewrite.c: bsc_nat_rewrite_msg(): SMS vs. CC messages.
* bsc_ussd.c: no bitmask is applicable for the message types used here.
* gb_proxy.c: gbproxy_imsi_acquisition(): missing bit mask for pdisc.
In gprs_gb_parse.c: gprs_gb_parse_dtap(), add a log notice for unexpected
message types.
libosmocore recently added inline functions to relieve callers from applying
bitmasks and bit shifts to access the transaction id of a GSM 04.08 header.
Apply these functions.
Replace hardcoded protocol discriminator and message type bitmasks with
function calls recently introduced in libosmocore.
Note that the release 98 bitmasks slightly differ from the release 99 bitmasks.
This patch uses the "default" gsm48_hdr_msg_type invocation, thus it depends on
libosmocore whether 98 or 99 bitmasks are used.
In some places, use of the bitmask was erratic. Fix these implicitly by
employing the bitmask functions:
* silent_call.c: silent_call_reroute(): add missing bitmask for MM.
* bsc_msg_filter.c: bsc_msg_filter_initial(): RR vs. MM messages.
* osmo_bsc_filter.c: bsc_find_msc() and bsc_scan_bts_msg(): RR vs. MM
messages.
* bsc_nat_rewrite.c: bsc_nat_rewrite_msg(): SMS vs. CC messages.
* bsc_ussd.c: no bitmask is applicable for the message types used here.
* gb_proxy.c: gbproxy_imsi_acquisition(): missing bit mask for pdisc.
In gprs_gb_parse.c: gprs_gb_parse_dtap(), add a log notice for unexpected
message types.
Depending on conn->via_iface, fail upon missing auth for 3G.
Move the log notice saying "skipping auth" to gsm48_secure_channel() where
conn->via_iface is actually known.
As commented in the code, the GSM_SECURITY_AUTH_FAILED path is never invoked by
the gsm48_secure_channel() function as it is today.
Note that the upcoming Iu auth will probably add a GSM_SECURITY_AUTH_FAILED
status. In that case, sending a LU Reject immediately may be desirable, but
arguably a bit of timeout could make life harder for auth attackers.
The code removed by this patch doesn't send out a LU Reject ever, since a call
to release_loc_updating_req() only releases the connection. To reject, a call
to gsm0408_loc_upd_rej() would be necessary, as seen in loc_upd_rej_cb().
And finally, if _gsm0408_authorize_sec_cb() doesn't do anything about anything,
the same loc_upd_rej_cb() will be run by a timeout and send a LU Reject
properly (as commented in the code).
Have two separate gsm0480_send_ussdNotify() and gsm0480_send_releaseComplete()
for each of libbsc and libmsc. Move their core into libxsc as generator
functions returning a msgb.
Add src/libbsc/gsm_04_80_utils.c (note, not 04_08) to implement the libbsc
side of it.
The code is identical, but the linked structs and functions differ in each
case. There could be a common source file built for both, but I decided against
it, for more clarity I hope.
Disable ipacc_rtp_direct, Osmo SMPP TLVs, Ctrl interface and channel_test.
These need to be reimplemented with proper separation of libs.
Add some tall_* pointers the linker requires for osmo-cscn.
libbsc and libmsc have conflicting definitions of gsm_subscriber_connection
and do no longer belong together anyway.
Create libxsc, meaning 'lib[bm]sc', to hold all code used by both libmsc
and libbsc, and make sure gsm_subscriber_connection isn't used there.
In various binaries and tests, do not link libbsc and libmsc.
(Note: this commit was reshaped out of a large wip chunk, it may not
compile properly without the subsequent commits)
After rebasing onto 1b0e5540db, some changes need to be applied to
cscn_main.c, originally a copy of bsc_hack.c before the rebase. On master,
configurable MNCC socket path and Control interface bind address were added.
As described in a comment, for MSCSPLIT the tz data has been moved to network
level. To allow compiling osmo-bsc on the sysmocom-iu branch, move tz up to
network level in osmo-bsc as well.
This could be done better for osmo-bsc, rather easily too, still allowing
per-BTS timezone settings. But I'm trying to focus on IuCS and would like to
come back to this later.
To make the IuCS build work, disable the BSC-land access from MSC's SMPP code.
Some way shall be found to make the Osmocom vendor-specific SMPP TLVs work over
the A-interface (after the MSCSPLIT), but we're concentrating on IuCS for now.
There should be no need to silence this warning, the ranap_free_*
functions are declared in libranap headers. In any case this will only
obscure any real issue. Maybe osmo-iuh was not rebuilt completely
(including generation of the c files from the python script).
This reverts commit 05ae5b1245f95bf765b42e49af7b2596e013f0a0.
The sgsn uses other data structs so don't require them inside libiu.
Instead keep a private list of ue contexts and iterate through that.
This commit reverts the libui changes of commit
d03faa4bacd4d2a8b9155faf5219a948b73f481c
In the IU case the RNC and ggsn communicate directly on the user plane.
Since the IP address of the RNC is not known in our case (it sits behind
the hnbgw) we need to update the PDP context with the new IP address
after receiving the RAB assignment response (which includes the IP
address).
The RAB assignment response includes the gtp teid that we sent along in
the assignment request. Retrieve the correct pdp context from there and
activate it.
Bit 4 is reserved in 3GPP TS 04.08 so exclude it from the type.
In 3GPP TS 24.008 it indicates if a follow-on request is pending by the
MS, but only in Iu mode. According to the spec it is not required to
react to that request with a follow-on proceed so this field can be
ignored for now.
See 3GPP TS 24.008 Ch. 4.4:
"Unless it has specific permission from the network (follow-on proceed)
the mobile station side should await the release of the RR connection
used for a MM specific procedure before a new MM specific procedure or
MM connection establishment is started."
as well as Ch. 4.4.4.6:
"If the network wishes to prolong the RR connection to allow the mobile
station to initiate MM connection establishment (for example if the
mobile station has indicated in the LOCATION UPDATING REQUEST that it
has a follow-on request pending) the network shall send "follow on
proceed" in the LOCATION UPDATING ACCEPT and start timer T3255."
NITB is already gone from this branch. We may even resurrect it, but I prefer
to name the realms 'libmsc' and 'libbsc', hence the nitb graph is the BSC graph
now. Also add a libmsc graph.
The aim is to allow osmo-cscn to pass its own root talloc context and
global gsm_network struct instance cleanly. This may stir up some old and
dusty globals, but I hope it's for the better, since not all is a BSC.
To ensure that a global gsm_network pointer for the bsc_vty is set, have it as
argument to bsc_vty_init(). The vty configuration commands are added only after
bsc_vty_init(), which are needed to configure the network struct. So split up
the bsc_bootstrap_network() function into bsc_network_init() to allocate a
gsm_struct, and bsc_network_configure() to read the config file once the vty
commands are in place. In this way, no global bsc_gsmnet pointer is needed for
the bsc vty. The atomic super glue is dissolved and osmo-cscn will be allowed
to have a different name for it.
Admitted, it's still called the bsc_vty, but a split thereof is probably coming
soon, because the CSCN doesn't want any of the BSC nor BTS specific vty
commands.
The diff between this and master will probably need a lot of review and fixes.
The current state does compile, but I expect pretty much everything to be
broken now. Future development will reinstate proper functionality piecemeal.
The first goal is to get basic signalling to work, then SMS. The voice control
(RTP) is completely disabled now (see "#if BEFORE_MSCSPLIT") and will be fixed
last AFAICT.
Pubish msc_compl_l3() decl in new file libmsc/msc_api.h (but see comment).
Call msc_compl_l3() when establishing a subscriber connection for IuCS.
Remove bts from subscr_conn_allocate_iu() signature, use network, link_id and
conn_id instead.
Move subscr_conn_allocate_iu() to the top of the file, because it semantically
belongs before subscr_conn_lookup_iu().
Add libiu to contain the parts used by both Iu-CS (in osmo-cscn) and Iu-PS (in
gprs) into libiu. It's rather thin and may make sense to move to osmo-iuh
altogether, eventually.
iu.c is half moved to libiu/, and half to osmo-cscn/iu_cs.c.
Introduce enum interface_type and gsm_subscriber_connection.via_iface to
distinguish between A-interface and Iu-CS-interface connections.
Add gsm_subscriber_connection.iu.link_id and iu.conn_id.
CSCN means "Circuit Switched Core Network" (-in-the-box) and will become a
NITB-without-BSC, so that it talks Iu-cs to the HNBGW and talks 'A' to an
external BSC.
Copying NITB is debatable: on the one hand, we've agreed on the name Osmo-CSCN
for the end result (without internal BSC). On the other hand, I will probably
add Iu-cs into the NITB code incrementally, in such a way that theoretically,
both Iu-cs and the internal BSC functionality could be used at the same time.
So Osmo-CSCN will be a NITB plus Iu-cs for a while. Instead of adding to NITB,
I prefer to work on a copy, so that the original NITB remains more or less
unchanged.
Only a later step will clearly distinguish CSCN from NITB: when the BSC part is
split off for the benefit of a proper A-interface, and CSCN talks to an
external BSC.
the BSC-side of the API behind gsm0808_submit_dtap() is doing
this resolving again anyway. So let's avoid doing it twice, and avoid
having more dependency of the MSC down into the lchan details.
In AMR 12.2 (mode 7), the actual RTP payload is 33 bytes. Howeerver,
as we store the length of the (dynamically-sized) AMR payload in the
first byte, our buffer needs at least 33+1 byte in size.
subscr_name() was called from several places:
* either without a check for subscr being NULL, which for example
was causing a segfault if we hand-over a channel before identifying the
subscriber
* or with an explicit NULL check and the ternary operator (?).
We now simplify the code by checking for the NULL Subscriber in subscr_name()
itself.
In case the GMM message did not arrive over a Gb interface, there is no
LLME (and thus the associated pointer is NULL). Don't try to perform
operations on a NULL LLME.
Soem of the operations we perform in the GMM layer are specific to the
GPRS/EDGE radio access network and its Gb interface. Let's make them
conditional to that in preparation of supporting an Iu interface.
There was a comment in the code that certain GMM messages require a
valid mmctx pointer. However, nothing actually checked if that pointer
was in fact non-NULL. We plainly crashed if a MS would send us the
wrong message in the wrong state.
Make the SMPP bind address configurable (used to be harcoded as "0.0.0.0").
Add VTY command
smpp
local-tcp A.B.C.D <1-65535>
while keeping the old command 'local-tcp-port <1-65535>'. Both the old and the
new command immediately change the SMPP listening address and port.
Add a LOGL_NOTICE log when the SMPP listening address and/or port change.
However, to be useful, this patch has to go somewhat further: refactor the
initialization procedure, because it was impossible to run the VTY commands
without an already established connection.
The SMPP initialization procedure was weird. It would first open a connection
on the default port, and a subsequent VTY port reconfiguration while reading
the config file would try to re-establish a connection on a different port. If
that failed, smpp would switch back to the default port instead of failing the
program launch as the user would expect. If anything else ran on port 2775,
SMPP would thus refuse to launch despite the config file having a different
port: the first bind would always happen on 0.0.0.0:2775. Change that.
In the VTY commands, merely store address and port if no fd is established yet.
Introduce several SMPP initialization stages:
* allocate struct and initialize pointers,
* then read config file without immediately starting to listen,
* and once the main program is ready, start listening.
After that, the VTY command behaves as before: try to re-establish the old
connection if the newly supplied address and port don't work out. I'm not
actually sure why this switch-back behavior is needed, but fair enough.
In detail, replace the function
smpp_smsc_init()
with the various steps
smpp_smsc_alloc_init() -- prepare struct for VTY commands
smpp_smsc_conf() -- set addr an port only, for reading the config file
smpp_smsc_start() -- establish a first connection, for main()
smpp_smsc_restart() -- switch running connection, for telnet VTY
smpp_smsc_stop() -- tear down connection, used by _start() twice
And replace
smpp_openbsc_init()
smpp_openbsc_set_net()
with
smpp_openbsc_alloc_init()
smpp_openbsc_start()
I'd have picked function names like "_bind"/"_unbind", but in the SMPP protocol
there is also a bind/unbind process, so instead I chose the names "_start",
"_restart" and "_stop".
The smsc struct used to be talloc'd outside of smpp_smsc_init(). Since the smsc
code internally uses talloc anyway and employs the smsc struct as talloc
context, I decided to enforce talloc allocation within smpp_smsc_alloc_init().
Be stricter about osmo_signal_register_handler() return codes.
Add ctrl_vty_init() calls and feed the ctrl_vty_get_bind_addr() return value to
ctrl_interface_setup() in the following programs:
osmo-bsc
osmo-bsc_nat
osmo-nitb
osmo-sgsn
For osmo-sgsn, move the control interface setup invocation below the config
parsing, so that the ctrl_vty_get_bind_addr() can return the configured
address.
Abort upon unknown options and missing option arguments. This came to my
attention while rewiring the -m and -M options: passing -M without argument
would launch nitb with wrong configuration. So, rather exit immediately.
If there are legacy options that should be ignored, they deserve an own 'case:'
in the option switch. There are none that I'm aware of though.
Strictly speaking, the unix domain socket location is not a name but a path.
The MNCC socket is called path, so it is confusing to call the ctrl socket
a 'name'.
Following the 'line vty'/'bind A.B.C.D' command added in libosmocore, use the
configured address to set the telnet bind for the VTY line. It is now possible
to publish the VTY on a specific local interface (including 0.0.0.0 aka "any").
Implement in all of:
osmo-gbproxy
osmo-gtphub
osmo-sgsn
osmo-bsc
osmo-bsc_nat
osmo-bsc_mgcp
osmo-nitb
In some of these main programs, move the telnet initialization below the
configuration parsing.
Historically, this was not a good idea for programs using bsc_init.c (aka
bsc_bootstrap_network()), since they expected a gsm_network struct pointer in
((struct telnet_connection*)vty->priv)->priv, so that telnet had to be either
initialized or replaced by a dummy struct. In the meantime, the gsm_network
struct is not actually looked up in a priv pointer but in the static bsc_vty.c
scope (bsc_gsmnet), so this limitation is mere legacy (even though said legacy
is still there in an "#if 0" chunk).
In the other binaries I have briefly looked at the init sequence dependencies
and found no reason to initialize telnet above the config file parsing. In any
case, I have tested every single one of abovementioned binaries to verify that
they still parse the example config successfully and launch, allowing VTY
connections on the configured address(es). I hope this suffices.
In all of the above, log VTY address and port. LOGL_INFO is disabled by default
in some of the logging scopes, and since it is a single log message right at
program launch, I decided for the slightly more aggressive LOGL_NOTICE.
Remove unused talloc.h from bsc_vty.c.
In bsc_nat.c, use OSMO_CTRL_PORT_BSC_NAT instead of hardcoding port number, and
include ctrl/ports.h for that.
Fix comment typo "COMAMND"
Remove the assert in the llme by avoiding the usage of foreign to local
mappings of TLLIs. The asserts had been hit at 32C3 and the fixes were
created by Jacob and had been tested at the convention.
If an MM context cannot be found based on BBSGP info and a RA UPDATE
REQUEST is received, try to find an MM context with an P-TMSI from
which the TLLI could have been derived. This also checks, whether the
routing area matches.
This is similar to the old behaviour removed by the commits
"sgsn: Only look at TLLIs in sgsn_mm_ctx_by_tlli" and
"sgsn: Remove tlli_foreign2local", except that this will only
be done for RA UPDATE REQUESTs now.
Sponsored-by: On-Waves ehf
Currently the MM context is just overwritten by a call to
sgsn_mm_ctx_by_tlli(msgb_tlli(msg), &old_ra_id) even if it
has already been found by using the BSSGP info. With the changes
made to sgsn_mm_ctx_by_tlli this will never find a MM context if
the routing area has changed. If the routing area has not changed,
the mmctx has already been found if it exists.
This commit splits searching for an MM context (if it hasn't been
found already) from checking, whether a found one can really be
used. The actual search is removed, so that the MS will be forced to
restart the attach procedure, which is less efficient but safe.
Sponsored-by: On-Waves ehf
Currently the code also matches the TLLI against LOCAL and FOREIGN
mappings of the P-TMSI, thus eventually finding MM contexts not
consistent with the TLLI (both tlli and tlli_new differ). On
the other hand, tlli_new is not checked at all.
This commit changes the function to only look at mmctx->tlli,
mmctx->tlli_new, and the routing area.
Sponsored-by: On-Waves ehf
The BSSGP cell identifier is used to get the RA for the TLLI lookup.
The send_0408_message function used in the tests does not set this,
so the RA identifier is always 0-0-0-0.
This commit adds a parameters to pass the RAID and adds missing
dummy RAIDs.
Note that the CI can still not be set and thus is always 0.
Sponsored-by: On-Waves ehf
Currently foreign TLLI are sometimes mapped to local TLLI in the
hope that they will match. This seems to sometimes introduce
inconsisties, possibly leading to a failing assertion in
_bssgp_tx_dl_ud.
This mapping should probably reduce the allocation of additional
LLME during routing area changes.
This commit removes tlli_foreign2local.
Sponsored-by: On-Waves ehf
This patch lets the build script for openbsc find the libsmpp34 installation
with the help of pkg-config instead of assuming the header files are in
/usr/include.
In 'show running-config', timeslot appears as a sub-element of rsl, but it is a
direct child of trx. Fix the timeslot section in vty_out by removing one space
of idention.
Adjust various config examples.
Rationale: it's not relevant for function, but confuses human operators. Fixing
it will save the next hacker some time.
Even if fclose fails the stream is inaccessible and the second fclose
might cause memory violation.
Linux manpage says:
Upon successful completion 0 is returned. Otherwise, EOF is returned
and errno is set to indicate the error. In either case any further
access (including another call to fclose()) to the stream results in
undefined behavior.
Fixes: CID#57958
memcpy has both the source and destination marked as non-null and
we were still passing NULL (with a zero size) to it. While this
makes sense it violates the constraints of the function. Add the
check to see if these values are NULL or not.
+db.c:583:2: runtime error: null pointer passed as argument 2, which is declared to never be null
+ #0 0x40d7f7 in get_equipment_by_subscr (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40d7f7)
+ #1 0x40f6d2 in db_get_subscriber (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40f6d2)
+ #2 0x40bfaa in sms_from_result_v3 (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40bfaa)
+ #3 0x40c847 in update_db_revision_3 (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40c847)
+ #4 0x40cbc3 in check_db_revision (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40cbc3)
+ #5 0x40cf85 in db_prepare (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40cf85)
+ #6 0x406f18 in main /home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test.c:179
+ #7 0x7fd625638a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+ #8 0x405598 in _start (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x405598)
+
+db.c:590:2: runtime error: null pointer passed as argument 2, which is declared to never be null
+ #0 0x40da23 in get_equipment_by_subscr (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40da23)
+ #1 0x40f6d2 in db_get_subscriber (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40f6d2)
+ #2 0x40bfaa in sms_from_result_v3 (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40bfaa)
+ #3 0x40c847 in update_db_revision_3 (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40c847)
+ #4 0x40cbc3 in check_db_revision (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40cbc3)
+ #5 0x40cf85 in db_prepare (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x40cf85)
+ #6 0x406f18 in main /home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test.c:179
+ #7 0x7fd625638a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+ #8 0x405598 in _start (/home/builder/jenkins/workspace/Osmocom_Sanitizer/source/openbsc/openbsc/tests/db/db_test+0x405598)
When a MNCC handler wants to issue the MNCC_BRIDGE primitive
overt the MNCC interface, this was not possible so far via the
MNCC socket. This primitive was so far only available from the
internal MNCC handler, more or less by accident I suppose. The reason
for this is in the way the array of two call references had been passed
into mncc_tx_to_cc().
The debug log prints the received/sent bytes in hex. When this data surpasses
the buffer size available for the log string (4096), the log is truncated
and lacks a newline character. Limit the amount of dumped bytes to 1000.
Sponsored-by: On-Waves ehi
Handle peer restart earlier, so that all the tunnels are deleted by the restart
code path, instead of the first one being deleted due to reused TEI. That
caused confusing logging messages.
Also, when receiving Delete confirmations from the peer that didn't restart,
don't complain about unknown peer, but acknowledge and remove the half
invalidated tunnel. This means that the pending delete entry from the restart
code path is not needed / not used, so don't bother to add pending delete
entries upon peer restart.
The test test_peer_restarted_reusing_tei() hits the situation where a tunnel is
removed because of a reused TEI rather than the restart counter. Adjust the
test to expect the "out-of-band" delete request earlier on, and to still see
the half invalidated tunnel around. Enhance the test by adding the delete
response from the peer that didn't restart, and add a final tunnels_are()
verification.
Sponsored-by: On-Waves ehi
Because the sender is known, one unique TEI per tunnel suffices to map the TEIs
that the peers are sending to gtphub, instead of previously 4 (SGSN<->GGSN
interaction on User and Ctrl plane, where each had an own unique TEI).
Also, previously, a tunnel's endpoints should also have been checked against
each other for TEI reuse, not only against the endpoints of other tunnels. This
simplification fixes that problem for free.
Thus simplify TEI reuse detection and improve VTY show readability and
debugging.
Adjust log and VTY output for tunnels.
Adjust tests accordingly.
Suggested-by: Holger Hans Peter Freyther <holger@moiji-mobile.com>
Sponsored-by: On-Waves ehi
Some logging was multiline to ease human reading of debug output. However,
in the VTY output, these newlines lack a CR motion. Split multiline logs into
separate lines.
Also add one missing space.
Sponsored-by: On-Waves ehi
We now store the pre-printed lchan name in lchan->name to avoid having
to call sprintf every time there is a debug statement somewhere,
particularly as most of those debug statements are going to be inactive
most of the time.
Don't route User message back by sequence number, rather test that a
completely unrelated User message is routed back properly.
Sponsored-by: On-Waves ehi
If an SGSN is behind NAT, we cannot rely on the default ports. Specifically,
if a GGSN sends a message, the forwarding to the SGSN should go to whichever
port the SGSN last sent from (whether sequence nr is known or not).
Add sgsn_use_sender config and VTY command, and store the sender instead
of the GSN Address IE and default port if set.
Sponsored-by: On-Waves ehi
Rather than passing a tunnel pointer as function arguments, keep it in the
gtp_packet_desc struct passed around anyway.
Reason: in the next commit (will add sgsn_use_sender), I need the tunnel to be
passed back out to gtphub_handle_buf(), and besides simplifying existing code,
this also makes passing the tunnel back out trivial.
Sponsored-by: On-Waves ehi
During the peer review session with Holger, these things were deemed fixable.
No need to have a static gtp_packet_desc in gtphub_handle_buf.
No need to memcpy, direct assignment does the job.
Remove obsolete comments.
Fix a stray space.
Sponsored-by: On-Waves ehi
If a GSN indicates that it has reset, tear down each known tunnel for that GSN
individually (don't send the GSNs on the other side a different restart
counter, because they represent more than just this GSN).
Sponsored-by: On-Waves ehi
During resolution of the header TEI, also return the tunnel struct that
resolved the TEI, so the Delete PDP Ctx code does not need to look it up
again.
Upon Delete PDP Ctx Request, remember the IEs and that a request was made.
Upon Delete PDP Ctx Response, find the pending delete and remove the
corresponding tunnel, iff the response indicates success.
Add a context deletion to regression tests, rename the test appropriately.
Sponsored-by: On-Waves ehi
gsn_addr_from_str(): return error upon NULL string.
Add some debug logging.
With an empty config, no bind addresses were set, and the address parser
did not check for a NULL pointer, resulting in a segfault.
Sponsored-by: On-Waves ehi
This is a mostly cosmetic change. Instead of separate buffer handling
functions, reduce some code duplication by using a side_idx just like the
plane_idx, with arrays.
Sponsored-by: On-Waves ehi
This could be done way better, discussion is pending/ongoing. It is indeed
quite unlikely that any user will ever hit this situation, so there is no
strong drive to invest effort in a more comprehensive implementation.
Sponsored-by: On-Waves ehi
There's no need to keep two separate number pools when both can be fed
from the same pool. User and Ctrl plane TEIs can technically overlap without
colliding, but it doesn't hurt if they don't overlap, either.
Sponsored-by: On-Waves ehi
Force passing a restart counter, by adding such arg to gtphub_start() (test
suite is not affected by this).
In gtphub_main.c, add -r,--restart-file <path> and next_restart_count() to
maintain the counter file. While at it, tweak the cmdline help to unify the
formatting (mostly commas and a missing line break).
Send gtphub's own restart counter. So far, the sender's restart counter was
copied through, which would break as soon as more than one GSN would talk to
the same peer with differing restart counters.
Also fix the in-mem restart counter data type (one octet, not two).
Sponsored-by: On-Waves ehi
So far, gtphub worked perfectly by only tracking single TEIs ... for probably
most uses. But a Ctrl plane tunnel may have expired despite a still active
corresponding User plane tunnel. The User plane would continue to work
indefinitely, but if any Ctrl messages followed after more than six hours of
Ctrl silence, they would have been dropped due to an expired TEI mapping.
We want to
- combine expiry of a user TEI with its ctrl TEI. (done in this patch)
- upon delete PDP context, remove both user and ctrl TEI mappings. (future)
- when a peer indicates a restart counter bump, invalidate its tunnels.
(future)
To facilitate these, track tunnels, complete with both SGSN's and GGSN's
address, original and replaced TEIs, all for both user and ctrl plane, in a
single struct. A single expiry entry handles the entire tunnel, instead of
previously four separate expiries for each endpoint identifier.
Add the concept of a "side", being either GGSN or SGSN, to index tunnel
endpoint structs, and so on.
Track the originating side in the gtp_packet_desc.
Add header_tei_rx: set_tei() overwrites header_tei, but the originally received
header TEI is still needed to match a Create PDP Context Response up with its
Request (and for logging).
Adjust the test suite to expect tunnel listing strings instead of TEI mappings,
with a bonus of making it a lot easier to grok, and including the IP addresses.
Add regression test for refreshing tunnel expiry upon use.
Note: the current implementation is as slow as can possibly be, iterating all
the tunnels all the time. Optimizations are kept for a future commit, on
purpose.
BTW, the sequence number mapping/unmapping structures remain unchanged.
Sponsored-by: On-Waves ehi
The expiry queues are already used for resolved GGSN addresses, and will
soon enlist tunnel structs. Hence the naming should be more general.
Sponsored-by: On-Waves ehi
Make 100% sure the user adds expiring_items in chronological order by asserting
that a newly added expiry is >= the last expiry in the queue. Add llist_last()
to facilitate.
Sponsored-by: On-Waves ehi
Instead of passing the current time around in function arguments ('now'),
rather store the current time once upon decoding a GTP packet in the
gtp_packet_desc passed around anyway ('p->timestamp').
Sponsored-by: On-Waves ehi
Some gtphub_bind pointers point to an array of binds, some point directly at
instances. Make the distinction between the two more obvious by adding an
'_arr' suffix to the array ones.
Partly in preparation for upcoming rate counters.
Sponsored-by: On-Waves ehi
Clean up functionality is added for the test suite only, to be able to clean
out all allocations and test against memory leaks.
So far, it was sufficient to expire everything to free a gtphub. In preparation
for the upcoming rate counters, which will need to be freed explicitly, add
gtphub functions to clean up everything.
As added bonus, also close the sockets explicitly -- not really needed upon
program exit, neither by the test suite, but *if* we have a cleanup function,
it should clean up everything properly.
Closing the sockets is however kept separate, for the test suite.
gtphub_start() and gtphub_stop() are for normal use (published in gtphub.h),
and gtphub_init() and gtphub_free() are for the test suite, without sockets.
(gtphub_stop() will probably never be called by anyone, but its existence
completes the picture.)
In gtphub_test.c, have a function to clean up the testing gtphub struct. First,
expire everything by timeout, assert emptiness, then call the cleanup function.
Call from each test in the end.
Sponsored-by: On-Waves ehi
Upon calling gtphub_peer_del(), all addresses and ports should already have
expired (by force). Make sure the code heeds that with a so far missing
assertion.
Sponsored-by: On-Waves ehi
From sgsn_vty.c, copy the cfg_grx_ggsn_cmd to add an ares server to the static
sgsn_instance.
This is sort of preliminary. As described in comments, the sgsn_ares functions
should actually be separated from the static sgsn structure. gtphub keeps such
an sgsn structure just for the sgsn_ares functions.
Sponsored-by: On-Waves ehi
gtphub_ext.c's initial purpose was to wrap a specific function. The file
then turned into everything related to DNS, which fits pretty well. Rename
to gtphub_ares.c.
Tweak the header comment to reflect the new file name.
Sponsored-by: On-Waves ehi
Implement min/max bounds for nr_pool, adjust nr_pool_init() and current tests,
and create unit tests for nr_map wrapping.
Sequence numbers range from 0 to 65535, while TEIs range from 1 to 0xffffffff.
Both cause problems when the nr_pool surpasses the range: seq exit their valid
range, causing unmappings to fail, and a TEI would be mapped as zero (invalid).
Add a comment about TEI wrapping, and lose the comment about random TEIs (not
really important).
Sponsored-by: On-Waves ehi
Use unsigned int for nr_map, just large enough to fit the TEI space.
Adjust log output formats and casts accordingly.
Fixes: TEIs are uint32_t, but the nr_map so far used int. This would cause TEIs
from 0x80000000 on to be handled and printed as a negative value.
Sponsored-by: On-Waves ehi
The del_cb is now also used for ares (GGSN resolution) timeouts, and expiry is
anyway separated from nr_map, so this comment is void.
Sponsored-by: On-Waves ehi
This fixes a bug in the following circumstances:
* BSIC is set to 0 in the config file
* No TSC is explicitly specified at the BST level in the config file
In this case, we ended up using BSIC=0 and TSC=7, as TSC=7 is our
default initialization value.
The TSC of the CCCH/BCCH must always be the BCC, which is the lower 3
bits of the BSIC. Having configuration options for both the BSIC _and_
the TSC at the BTS level therefore makes no sense, as it only adds ways
in which users can configure non-oprational configurations. So we
remove the bts->tsc member, and keep only the ts->tsc members that allow
us to configure a timeslot-specific TSC that's different from the BTS
TSC (= BCC).
s_db.c: In function ‘_insert_ud’:
meas_db.c:65:6: warning: implicit declaration of function ‘rxlev2dbm’ [-Wimplicit-function-declaration]
rxlev2dbm(ud->full.rx_lev)));
^
- an unnecessary if-not-NULL check (1339764);
- a missing nul termination safety net (1339768);
- a typo resulting in the wrong proxy being logged (1339767).
Sponsored-by: On-Waves ehi
gtphub always wants to know the sender, hence make the from_addr pointer
mandatory.
Fixes two coverity complaints (1339766, 1339764).
Sponsored-by: On-Waves ehi
Fit most of the code in 80 chars width. Some instances still leak past 80
characters because of long function names, inline comments or the like, "the
exception proves the rule."
Sponsored-by: On-Waves ehi
For maintenance, it is convenient to have the log level explicit at each
log statement.
Tweak some log levels / message formatting while at it.
Sponsored-by: On-Waves ehi
Allow logging the plane (Ctrl/User) and side (SGSN/GGSN) in functions that only
have a gtphub_bind* to work with, by adding a constant label to each bind.
Sponsored-by: On-Waves ehi
If a GGSN is already known from unmapping, don't invoke a host resolution.
In a live working environment, it wouldn't hurt, because the lookups would
mostly return from the cache. But in a testing environment without a name
server, it barfs on every packet.
Sponsored-by: On-Waves ehi
Initialize llist_heads to empty (2 were missing). Move those for struct gtphub
instances to gtphub_zero() (one moved, one added).
In from_[gs]gsns_read_cb(), use a return type that can actually reflect
negative return values.
resolved_addr.buf: no need to take the address of a byte array var
(cosmetic).
Pass the proper user data address to sgsn_ares_query(), not the address of
the pointer holding the user data address.
Initialize ggsn_lookup->expiry_entry (was missing). Publish the function for that
in gtphub.h so gtphub_ext.c can use it.
Sponsored-by: On-Waves ehi
Looking for a segfault, I added a lot of logging. This may be useful for
live testing ares, leaving it in there for now.
Note: I still want to clean up the logging concerning log levels etc. once
we're out of alpha.
Sponsored-by: On-Waves ehi
Allow a peer sending from an unknown port but a known address, and just
create the port (and unmap the seq nr back to this port later to return
the response to the sender).
Only an SGSN on the Ctrl plane is allowed to make the very first contact
from an unknown address.
Sponsored-by: On-Waves ehi
Split decoding return code GTP_RC_PDU in GTP_RC_PDU_C and GTP_RC_PDU_U.
Don't do IEs in GTP_RC_PDU_U.
Add a unit test for User plane data, expected to fail (nonstandard port case).
In gtphub_test.c, tweak logging so that it is easily visible which test
produced which output. Also add the global resolved_sgsn_addr and ggsn_sender,
symmetrically to resolved_ggsn_add and sgsn_sender.
Sponsored-by: On-Waves ehi
Generalize to make the PDP ctx message definitions and "sending" of messages
from SGSN->gtphub->GGSN and back reusable in future tests.
Publish gsn_addr_from_sockaddr() in gtphub.h for use in gtphub_test.c.
Use an osmo_sockaddr for resolved_ggsn_addr, because one is needed for
comparison in probably every future test.
Add LVL2_ASSERT() to print assertion message and return instead of abort,
so that functions can be called from several tests without losing the
info of which test caused it from which line.
Use globals for struct gtphub and time_t now, to reduce nr of args that need to
be passed around when writing tests. Add a default test setup function.
Sponsored-by: On-Waves ehi
Up to now I used the Echo as a test for sequence nr mappings. But Echos
should be handled differently: they are scoped on the link and an Echo
response should be sent right back to the requester.
Sponsored-by: On-Waves ehi
For the resolving function, change the function signature to return a
gtphub_peer_port. In consequence, publish two functions concerned with
gtphub_peer_port instances for use in test and gtphub_ext.c.
Add GGSN resolution queue, callback and cache. Simple implementation: if an
SGSN asks for a GGSN, it will first get no answer, and I hope it will ask again
once the GGSN is in the cache.
Within gtphub_ext.c, have a dummy sgsn struct, as the sgsn_ares code currently
depends on it (half the functions pass an sgsn instance pointer around, but the
other half use the global one).
In the unit tests, wrap away the ares initialization so that they can work
without a DNS server around. The netcat test breaks because of this, will
remove it.
Using sgsn_ares, implement the gtphub_resolve_ggsn_addr() function, I hope:
untested.
Minor cosmetics just to see if you're paying attention... ;)
Sponsored-by: On-Waves ehi
First steps towards a new GTP hub. The aim is to mux GTP connections, so that
multiple SGSN <--> GGSN links can pass through a single point. Background:
allow having more than one SGSN, possibly in various remote locations.
The recent addition of OAP to GSUP is related to the same background idea.
(This is a collapsed patch of various changes that do not make sense to review
in chronological order anymore, since a lot of it has thorougly transmorphed
after it was first committed.)
Sponsored-by: On-Waves ehf
Extend the ul/dl counting to count the usual messages on the
Gb interface. Add counters for the attach, routing area update,
pdp context activation and deactivation procedures. Update the
test result with the new counters.
RPM post-build-checks found some issue and marks these as error:
[ 38s] I: Program returns random data in a function
[ 38s] E: openbsc no-return-in-nonvoid-function meas_vis.c:118
Holger reports that the bitmap that accounts for available Osmux circuit
IDs is limited to 128, when the maximum number of circuit IDs are
determined by the uint8_t field in the header (ie. 256 circuits).
[hfreyther: Update the testcase now that we have more ids to allocate]
Trigger an OAP registration upon IPA connect. Feed incoming OAP messages to
oap_handle() and send replies returned by it.
Add oap_config to sgsn_config (todo: vty).
Sponsored-by: On-Waves ehf
[hfreyther: Fix coding style]
Add new kitchen sink openbsc/utils.h and libcommon/utils.c to make three so far
static functions public (so I can use them in the upcoming OAP code).
A place to put them could have been the gprs_utils.h, but all general functions
in there have a gprs_ prefix, and todo markings to move them away. All other
libcommon headers are too specific, so I opened up this kitchen sink header.
Replace the implementation of encode_big_endian() with a call to
osmo_store64be_ext(). See comments.
Apply the change in Makefiles and C files.
This change has some implications for the test case. It manipulated
bss_ptmsi_state and sgsn_tlli_state variables to make the output of
rand_r() and thus the TLLI/TMSI used predictable.
This possibility is gone when using RAND_bytes() so instead it is
overridden by a function that returns a deterministic sequence of values
(0x00dead00, 0x00dead01, ...). The test cases are adapted to expect
these values instead of the pseudo random values before.
The gbproxy_test stdout file changes as well, but only where the
TLLI/TMSI is displayed (in the hex dumps as well as the TLLI cache
entries). All other output is the same.
This (currently empty) function is meant to contain code that cleans
up the left-overs of the test functions. This is needed by the next
commit to reset the RAND_bytes sequence.
Currently just the number of intercepted downlink messages is counted
and eventually checked. The contents of the messages is lost. The
PTMSI contained in ATTACH/RAU Accept messages is just 'guessed' by
resetting the random number generator after reference PTMSIs have
been generated. While this works with rand_r, RAND_bytes cannot be
forced to recreate a certain number sequence this way (unless the
backend is replaced).
This commit changes that behaviour so that the last received msgb is
kept and decoded. The PTMSI that has been assigned by the SGSN is
then taken in the affected test cases and used instead of a 'guessed'
one. This is similar to how a real MS would react to the Accept
message.
Sponsored-by: On-Waves ehf
This (currently empty) function is meant to contain code that cleans
up the left-overs of the test functions. This will be needed by the
next commit that will store the last received msgb for later inspection.
Sponsored-by: On-Waves ehf
This API is a bit unfortunate as the caller will also
access the endpoint directly. E.g. like this:
output = bsc_mgcp_rewrite(...,
mgcp_net_src_addr(endp),
endp->net_end.local_port, -1,
In terms of "terminology" the "net" was meant to be bad
internet and the "bts" is the local and trusted network
segment. With this terminology the "bts" would be the
call-agent/MGW and "net" where the BSCs will send data
to but that is not the case and terminology actuallys
refers to:
* net: The addresses exposed to the entity that
made the MGCP call
* bts: The system where we get our data for the
local audio flow.
Fix the method but leave the API as it is. Use the net_end
in the net_src method and the bts_end in the bts_src method.
We put a signed integer into this string but did not account
for the newline and for the terminating NUL of the string. Add
the newline to the string and add one for NUL. Spotted while
accidently having a CID of 255.
There appears to be a leak of CIDs:
<000b> mgcp_osmux.c:544 All Osmux circuits are in use!
There are paths that a CID had been requested and never released
of the NAT. Remember the allocated CID inside the endpoint so it
can always be released. It is using a new variable as the behavior
for the NAT and MGCP MGW is different.
The allocated_cid must be signed so that we can assign outside
of the 0-255 range of it.
Fixes: OW#1493
Extend the osmux only setting from the MGCP MGW to the NAT. This
is applied when an endpoint is allocated and/or when the allocation
is confirmed by the remote system.
Not tested. The impact should only be when the new option is
being used.
Fixes: OW#1492
Some systems only want to use Osmux. In case only Osmux
should be used fail if it has not be offered/acked.
Client:
Verified On, Off and Only with X-Osmux: 3 and without this field.
<000b> mgcp_protocol.c:823 Osmux only and no osmux offered on 0x14
<000b> mgcp_protocol.c:884 Resource error on 0x14
NAT:
Not tested and implemented
Fixes: OW#1492
sizeof(uint8_t) == 1 and there is no need to create an array
with 16 bytes and then only use the first two of them. This
means the CID range is from 0 to 127 and we should be able
to extend this to 256 by changing the array size to 32. Update
the testcase now that we can have more than 16 calls with Osmux.
* Test that one can get an id
* That they are assigned predicatble right now
* That returning them will make the number of used ones go down
* That allocating more will fail
The log message does not help and says where the data is
being sent to. This is because we have both a RTP and RTCP
port. Remember if we failed with RTCP or RTP and improve
the log message.
I was searching a case where the port was bound to a local
address (e.g. 127.0.0.1) and tried to send the data to a
public one (e.g. 8.8.8.8).
The signature of mr_config and the BSC implementation didn't
match and the compiler was warning about it:
osmo_bsc_api.c:530:2: warning: initialization from incompatible pointer type
.mr_config = bsc_mr_config,
^
osmo_bsc_api.c:530:2: warning: (near initialization for ‘bsc_handler.mr_config’)
Change the mr_config again and provide an implementation
that will set the ms and bts data structure. It would be
better to put the size outside of the IE but I am not going
to change it right now. It would also be nice to either move
the AMR setting into the "nitb" structure or have the msc
data be used _after_ the bts settings. This needs to be
cleaned up in the next step.
Manually verified by placing a MO call and checking that
both the channel mode modify and the mode modify request
contain the multi rate config with the rate mr config
(length two bytes, version 1, icmi==1, no start mode being
set).
This way a lot of if/else can just be killed by the caller deciding
which of the two instances to use.
I have copied both branches to new files, replace bts for ms in one
of them and ran diff on it. There is no difference.
Merge two copies into a local static helper function. The format
of the message will change and then it is easier to modify it in
one place than in two.
Sadly the original patch was merged before this clean-up so do
the clean-up as second step.
Conflicts:
openbsc/src/libbsc/abis_rsl.c
openbsc/src/libbsc/gsm_04_08_utils.c
The pre-release didn't add a newline after the apn and the patching
pattern command. Create a quirk command that combines both. The
pre-release didn't include a differentation between routing and
patching.
The TLLI handling has a different and more generic name now. Make
it handle the old one that is actively used.
Add a file with the broken format and the standard config file
test should pick it up.
* Implement the rtp-bridge mode for MNCC
* Audio doesn't flow through the NITB at all
* It only works with IPv4 BTSes right now
* We need to select an audio codec way too early
* No tandem free operation
* Early assignment always equals TCH/F
In case of the RTP bridge mode we need to select the codec
ourselves. Rely on the same (incomplete) codec selection that
can be done using the mncc-int configuration node. This might
gain bearer capabilities support.
In case of a SDCCH a TCH/F will be attempted to be assigned.
This is an open issue for both modes and there should be a
preference for full or half-rate channels somewhere.
Implement sending MDCX on the newly allocated channel and send
the data to the same destination as the currently connected one.
This way the receiver can implement RTP RFC Appendix A.1 and
deal with the new source.
For the LCR rtp-bridge audio should directly flow to the
remote system. In contrast to the original patch audio
will now flow directly from the BTS to the remote system.
This assumes that BTS and the remote system are in the
same network segment and can directly communicate.
There are various limitations in the first iteration of
the implementation:
We could (and in the future) should delay the assignment
but currently we are forced to pick the channel and move
it to the audio state. In case we are located on a SDCCH
we always need to change but if we are on a TCH we could
send the ipa.CRCX and change the audio state a lot later.
The net effect is that the audio codec selection needs to
be done in the NITB code and not in the system connected
to it.
This only works with ip based systems. For E1 systems one
could still use the RTP socket or even try to move this
out of the process.
There is no code for handover handling and it relies on
the remote system dealing with the SSRC change of the
system.
This adds the protocol definition for the RTP bridge extension
of Andreas Eversberg and bumps the protocol version.
I added the missing mncc mappings from value to string.
[ 5cf8fb10ea3addcae74d37f4dbf1c1be664df53e protocol extension
5dac90de38990b188f499c602bf18a4f232070e8 payload extension]
Mike's patch included clean-ups I want to apply separately and
change them a bit. If we return from an else we don't need to
put the else.
* Try the E1 trunk first
* Then try a local virtual trunk
* Fail if none of the above returned
Remove the host portion of the endpoint Id. This requires less
configuration and we are probably fine to trust that MGCP only
received messages designated for it.
When using multiple interfaces on a system one can now configure
which will be served for the BTS ports and which will be served
for the network. The direct usage of source_addr is now only to
initialize the MGCP receiving port itself.
Make it possible to bind the call-agent to a specific IP address
and the network and bts end to different ip addresses. Begin by
clarifying which source ip address we want to have.
Use the existing ulaw encode/decode to support PCMU as well.
The MERA VoIP switch has some severe issues with the GSM codec
and it appears easier to enable transcoding for it.
The mera switch doesn't appear to cope with codec change
between a SIP 180 trying and the 200 ok connection result.
Inserting the codec is touching too many places. Ideally we
should have the transcoding function as pointer in the struct
as well but the arguments differ.. so it is not a direct way
forward.
Iridium is a satellite network which operates a GPRS-like that allows you to
get speeds up to 128kbit/s. However, it takes from 5 to 6 secs to get the
bandwidth allocated, so the conversation is garbled during the time.
This patch uses the new dummy padding support in libosmo-netif that is
controlled through the osmux osmux_xfrm_input_open_circuit().
This includes a new VTY option for osmux.
I guess none of our users knows what a mi_type=0x02 is, but most would
know what an IMSI or a TMSI is. So let's use the newly introduced
gsm48_mi_type_name() function to fix this.
For some odd reasons the XID is not a separate SAPI but has been kludged into
the GMM SAPI. This means we ahve to be careful not to dispatch XID frames into
GMM. We do this by introducing an explicit check for UI frames before the
dispatch to GMM.
The previous code already was doing "the right thing" but printed occasional
messages like "gprs_gmm.c:2082 Unknown GSM 04.08 discriminator 0x01: 01 00 0e
00 32 11 03 16 01 90 63 28 0b". Those should be gone after this patch.
Traffic cannot sent to BTS, if there is (currently) no logical channel
associated with the transaction.
This happens, if TCH traffic is received from upper layer, but there is
no lchan available before completing immediate assignment, handover or
assignment process.
[hfreyther: The code has not been moved to tch_frame_down
but the issue looks similiar]
The NAT sends an incomplete SDP file for the purpose of informing
the BSC about the remote IP/PORT early. The case of an incomplete
SDP file was not considered. Check if there is a codec and if not
skip it.
TODO: We need to have a better end-point life cycle test.
Move forward while preserving the legacy handling. Beging to
extract SDP rtpmap information and select codecs atfer this.
It is a foundation we can now build further and better check
ons.
We have a lot of legacy that I am afraid to break. We have
everything in place to make a good codec selection (e.g. if
we can avoid transcoding, pick the one with best quality or
the lowest speed). Right now I have a specific case where
from all options I want to pick GSM. Guard the codec compat
check behind the disallow transcoding option to make sure
to not break legacy application.
First collect everything we know and the mapping. E.g. a genuis
could remap "3" to "AMR" so we only know the codecs once we are
at the end of the SDP file. Once we have collected everything we
can select the audio codecs. The current code is compatible in
that two codecs will be selected regardless of if they make any
sense or not.
mgcp_set_audio_info could re-use some of our codec information
but then the caller in the MGCP protocol needs to be updated as
well as we use the "I: GSM" information to derive the codec from
there.
The SDP file handling will get more complicated in terms of
codec selection so let's remove it from the protocol handling
before we start blowing it up in size.
The parsing code assumed that there will be a single payload
type and this assumption is clearly wrong. Forward all of the
payload types. The code is still only extracting the first
type from the list. The variable name has been renamed to
reflect this.
Using the talloc leak report we see that there are some msgb's
that are allocated for SMS but we don't have transactions or
SMS around. We need to improve the name of the messages to
uniquely dscribe where they are from but the obvious leak does
occur in this routine.
The no available transaction id is most likely the case where
we leak memory. This should not occur and shows another issue
with the smsqueue/smpp handling. It doesn't explain the subscr
reference count issue either.
Extract of the leak report:
GSM 04.11 contains 1160 bytes in 1 blocks (ref 0) 0x2517dc0
GSM 04.11 contains 1160 bytes in 1 blocks (ref 0) 0x24b56e0
GSM 04.11 contains 1160 bytes in 1 blocks (ref 0) 0x23e7930
At the rhizomatica sites some unauthorized subscribers have a
last used from long time ago but a bigger reference count. This
means that we have an unbalanced subscr_get/subscr_put that we
need to investigate. These two fixes are genuine fixes but are
unlikely to fix the issue I am not understanding yet.
In case the subscriber is currently busy we would omit the
subscr_put. This seems to be very hard to hit as the subscr
need to be active and at the same time be selected for the
purge operation.
Various paging clean-ups. I couldn't re-produce the assert that
was hit by Rhizomatica in the subscriber code. Let's clean things
up a bit to avoid some of the potential issues this code had.
Always stop paging regardless of where the subscriber is at the
time of the cancellation.
As the comment says we should not rely that the paging
occurs on the current LAC. We might page at more BTS.
Walk all the BTS to stop paging. No callbacks will be
issued by this stop operation.
In case we can't page on a BTS then stop it everywhere. The
callers of paging_request assume that this is kind of an
atomic operation and we should help with that.
Coordinate with the normal subscriber channel requests instead
of going to page ourselves. This might lead to getting a channel
that is of a different type though.
vty_interface_layer3.c:584:4: warning: format '%d' expects argument of type 'int', but argument 3 has type 'long unsigned int' [-Wformat=]
sizeof(subscr->extension)-1, VTY_NEWLINE);
When two phones use the same TMSI and no A3A8 is possible
we could end in a hard to detect issue. Assume that the IMSI
will not clash and we have issues for foreign simcards.
In case foreign simcards are used we can not do authentication
and ciphering. In case a TMSI is re-used too early and we do
page using TMSI we can't know which of the two MS is responding
to us. We could change the "secure channel" routine to ask for
the IMSI and only then stop the paging.
As we don't have ciphering there is not much use in using the
TMSI. Add a mode "no assign-tmsi" that will not assign the TMSI
during LU. Now CM Service Request and Paging Response will
work using the IMSI. There can't be a clash with that.
[ciaby fixed the vty write to use the right name]
When we can't find the TMSI then the subscriber is not in our
VLR. We have not consulted with the HLR and it is better to not
use such a severe error code.
in_address is not 'accidently' included by FreeBSD when we include
the osmocom/core/select.h header file. We need to include a bit
more.
In file included from mgcp_protocol.c:38:
../../include/openbsc/mgcp_internal.h:134:21: error: field has incomplete type 'struct sockaddr_in'
struct sockaddr_in forward;
List needs to be executed from within the right configuration
node to see if it is available or not. list on the toplevel
will uncoditionally show "smpp" as part of the logging config.
Struct osmo_msc_data contains int core_ncc, which is actually the
MNC part of the PLMN, not to be confused with the Network Colour
Code.
The following patch renames this field for clarity and consistency
with the standards.
If we have tried SMPP first and it was not routable, and then
tried the local delivery there is no point in trying SMPP with
the same parameters again. Leave early and return unknown sub
to the caller.
default-route would only be looked at after there has been
no subscriber in the local database. Depending on the setup
this is not what one wants. This has been discussed at the
OsmoDevCon and there have been hacks in some branches. Let's
introduce a VTY command to select if SMPP should be consulted
first and then fallback to the current behavior.
Even if it is using BSC/NITB types let's put it in the header
file than just declaring it at a place that could bitrot in a
way that doesn't lead a warning.
The "default-route" for SMPP will be used after a local
subscriber look-up. Sometimes we want to route everything
to SMPP. Make this possible by changing this routine.
We just link to libosmovty and if it requires crypt internally it
needs to link to that (and not us). This looks like a left-over
from when we moved the VTY code out of OpenBSC
We don't need to consume all the entropy of the kernel but can
use libcrypto (OpenSSL) to generate random data. It is not clear
if we need to call RAND_load_file but I think we can assume that
our Unices have a /dev/urandom.
This takes less CPU time, provides good enough entropy (in theory)
and leaves some in the kernel entropy pool.
We are using the token to find the right bsc_config and
then we can use the last_rand of the bsc_connection to
calculate the expected result and try to compare it with
a time constant(???) memcmp.
Check if the NAT has sent 16 bytes of RAND and if a key
has been configured in the system and then generate a
result using milenage. The milenage res will be sent and
noth the four byte GSM SRES derivation.
Generate 16 byte of random data to be used for A3A8 by
the BSC in the response. We can't know which BSC it is
at this point and I don't want to send another message
once the token has been received so always send the data
with an undefined code. The old BSCs don't parse the
message and will happily ignore the RAND.
/dev/urandom can give short reads on Linux so loop
around it until the bytes have been read from the kernel.
Instead of doing open/read/close all the time, open the
FD in the beginning and keep it open. To scare me even
more I have seen /dev/urandom actually providing a short
read and then blocking but it seems to be the best way
to get the random byes we need for authentication.
So one should/could run the cheap random generator on
the system (e.g. haveged) or deal with the NAT process
to block.
Unfortunately the basic structure of the response is broken.
There is a two byte length followed by data. The concept of
a 'tag' happens to be the first byte of the data.
This means we want to write strlen of the token, then we
want to write the NUL and then we need to account for the
tag in front.
Introduce a flag if the new or old format should be used.
This will allow to have new BSCs talk to old NATs without
an additional change. In the long run we can clean that up.
In case the token was not correct, just close the connection.
It is not clear that forcing a new TCP connection is going to
give us any extra security here. But with the upcoming auth
handling it does make sense to have both case look similar.
In the libfilter source code, which is built regardless of --enable-nat,
headers from libosmo-sccp were used, thus causing a build failure (see
below) when building without --enable-nat, and libosmo-sccp not being
installed (or being installed in a prefix not otherwise included in the
build).
The build fails like this:
In file included from ../../../src/libfilter/bsc_msg_filter.c:27:0:
../../../include/openbsc/bsc_nat_sccp.h:27:37: fatal error: osmocom/sccp/sccp_types.h: No such file or directory
As the includes seem not to be actually needed, this change fixes the
issue by just omitting them.
Running "make distcheck" failed trying to generate ".version" into the
read-only unpacked source directory. Actually shipping ".version" in the
tarball fixes that.
There was no context for the SCCP CREF message and this means
that the msc_con was a plain NULL pointer that was dereferenced
and the application would crash.
Use the new API to pass the incoming MSC Connection which sould
be used for the SCCP CREF message as context. The code has not
been fed with an actual SCCP CR message.
The loop was used to print all returned addresses but we can
simply pick the first one. This is fixing a coverity issue that
the loop will be executed eaxactly once (and that was on
purpose).
Simplify the code and just take the first element (which might
be NULL).
Fixes: Coverity CID#1302852
We can't do much in case the fd is failing to be registered.
There should be a timeout that is catching this and it might
be able to repair it self.
Fixes: Coverity CID#1302854
The code to do that doesn't belong to the control interface, so
abstract it out to a separate function gsm_bts_set_system_infos().
[hfreyther: Fix the coding style...]
In case the query for "hostname" will fail c-ares will append the
domain name of /etc/resolv.conf and query again. We don't want that
so claim we provide a list of domain names and then don't provide
any.
I didn't intend to have pushed the c-ares code to master yet.
For real networks we need to check if the requested APN string
is allowed and then resolve the GGSN address through DNS. There
are countries with two or three digit MNCs and one could either
try to keep a list of countries that have two/three digits or
just try both of them. I have opted for the later for the ease
of the implementation.
C-Ares doesn't allow to cancel a request so we will need to
have the MMCTX and the Lookup have different lifetimes. We simply
set ->mmctx to NULL in case the MMCTX dies more early.
The selected and verified apn_str will be copied into the out
parameter. In case no static APN/GGSN config is present and the
dynamic mode is enabled a request will be made.
c-ares is an asynchronous DNS resolver and we need it to
resolve the GGSN address. This is integrating the library
into our infrastructure. We will create and maintain a list
of registered FDs (c-ares is currently only using one of
them) and (re-)schedule the timer after events occurred.
When needing to do an asynchronous DNS query we need
to keep the TLV data around. So create a wrapper that
takes a copy of it and frees it after the call. I can
change the code to add an out parameter to decide if
the msgb should be freed or not.
Pick network failure in case the msgb could not be
cloned in the hope the MS will retry then.
A real SGSN will dynamically resolve the APN name into the
GGSN IP Address. This means that after we have collected all
information we need to start to resolve the GGSN and then
can continue.
This is a left-over from the initial system where no PDP
was provided by the system. For now if there is a subscr
attached and no PDP context provisioned. He is not allowed
to have a data connection.
Update the testcase to create the pdp list entry more
early with a wildcard and then change it to a specific
match.
Include the hlr-Number of the subscriber in the CDR. This is useful
for debugging and understanding which equipment was used during the
test. In contrast to the MSISDN the '+' is emitted as the number
must be in international format already.
Copy the hlr-Number into the sgsn_data and use it during
the purgeMS. There is no unit test that looks at the data
we send so I manually verified this by looking at the output.
Below is the output of the test that purges the subscriber.
<000f> gprs_subscriber.c:170 SUBSCR(123456789012345) Sending GSUP, will send: 0c 01 08 21 43 65 87 09 21 43 f5 09 07 91 83 61 26 31 23 f3
We have verified/selected the APN. Either based on the subscriber
data, a global APN match. But at least this SGSN has looked at
what the MS has asked for and then selected a matching GGSN.
Clear LAC/RAC with pre-defined value in the RAI.
3GPP 29.060 v7.17.0 section 7.3.1 page 23:
"The SGSN may include the Routeing Area Identity (RAI) of the
SGSN where the MS is registered. The MCC and MNC components shall
be populated with the MCC and MNC, respectively, of the SGSN
where the MS is registered. The LAC and RAC components shall be
populated by the SGSN with the value of 'FFFE' and 'FF',
respectively.”
Most SGSNs pass the IMEI(SV). We currently only enquire about
the IMEI and then pad the 'SV' with 1111b (thanks to the encoding
routine). Sadly it insists on always writing the length which
means we have to memmove the data around by a single octet.
Manually verified using the pcu-emu and looking at the trace
using wireshark.
Give the GGSN another opportunity to determine which tarif
to apply for the SGSN/subscriber. This code assumes tha the
RAN is a GERAN system but the assumption has been made in
other places as well.
For PDP context creation we always want to include the RAI
for the current mmctx. This might help commercial GGSNs to
determine which charging to apply.
The charging_id is provided by the GGSN. Copy it into the CDR
part of the data structure so it will remain present until after
the pdp context has been deleted.
Make it possible to set a filename to use for the CDR. By
default no CDR will be generated. Forbid to set the interval
of 0 seconds as this will cause a lot of work. Add a very
basic VTY test.
This is consuming the new signals and allows to install several
different CDR/observing/event/audit modules in the future. For
getting the bytes in/out the code would have had to undo what the
rate counter is doing and at the same time adding a "total" to
the ratecounter didn't look like a good idea, the same went for
making it a plain counter.
Begin writing the values one by one and open/closing a new FILE
for every log messages. This is not efficient but easily deals
with external truncation/rotation of the file (no fstat for and
checking the links and size). As usual we will wait and see if
this is an issue.
Add some new members to our PDP context structure to see what it
is about.
In case there is a subscr attached to the MM context and there
is an encoded MSISDN we will attempt to decode it and in case
of an international number prepend a '+'. Assume that the array
size of gsm_mmcc_called->number is as big as ctx->msisdn for the
strncpy.
When communicating with a GGSN that is not the OpenGGSN
the PDP context activation does fail. This is because on
the activation of the first PDP context we need to supply
a MSISDN. Extend the protocol, parse the MSISDN and then
send it to the GGSN. The second item is that we have only
forwarded the requested QoS of the subscriber. In most
cases this is 0x0, 0x0, ... which means one requests a
rate 0 byte/sec which the GGSN will not allow. Make it
possible to receive, store and use the subscribed QoS of
the Subscriber.
If QoS is only three bytes it does not include the allocation/
retention policy. Otherwise it does. Copy it depending on that.
We should have a macro for the clamping to reduce code duplication.
The insanity does come from the MAP data and this seems to be
the easiest in terms of complexity. It is an array of bytes that
is transported from MAPProxy to the SGSN and then simply forwarded.
The case of more than three bytes is neither unit nor manually
tested so far.
sgsn_create_pdp_ctx should use the subscribed QoS. When selecting
the PDP context we inject the QoS to be used into the TLV structure
and use it during the request. Assume a "qos-Subscribed" structure
only with three bytes and prepend the Allocation/Retention policy
to the request.
The MSISDN should be present for "security" reasons in the first
activation of a PDP context. Take the encoded MSISDN, store it for
future use and then put it into the PDP activation request.
The MM Context contains a field for a decoded MSISDN already. As
we need to forward the data to the GGSN I want to avoid having to
store TON and NPI in another place. Simply store the data in the
encoded form.
QoS is a mess. In MAP there is qos-Subscribed which is then extended
using ext-QoS-Subscribed, ext2-QoS-Subscribed, ext3-QoS-Subscribed
and maybe even ext4-QoS-Subscribed by now. The MAP ASN1 files defined
how these need to be "linearized". Instead of copying this I have
decided to include the two semantics with/without the Allocation/Retention
policy using the size of the data.
It is a bit arbitary to decide which one is the global
and which one is the local one. We might change it around.
I don't think we want to introduce it based on BTS.
For the BSC we will have the gsm48_hdr and don't need to
find data within SCCP. For legacy reasons we need to
initialize con_type, imsi, reject causes early on and
need to do the same in the filter method.
This means we need to require a talloc context and
simply operate on the list. I had considered creating
a structure to hold the list head but I didn't find
any other members so omitted it for now.
Move the filter methods to the filter module. This is
still only usable for the NAT and the _dt/_cr filter
routines need to move back to the bsc_nat in the long
run.
For customer requirements we want to be able to do
filtering on the BSC as well. The same messages need
to be scanned and the same access-lists will be looked
at. In the future we might even split traffic based
on the IMSI. Begin with moving the code to a new top
level directory and then renaming and removing the
nat dependency.
ENDPOINT_NUMBER takes the difference of two pointers. On 64bit
builds the difference is a long and the compiler then complains
about the usage of abs. We will never have thousands of endpoints
so silence the warning by casting the ENDPOINT_NUMBER to int.
mgcp_vty.c:1381:34: warning: absolute value function 'abs' given an argument of type 'long' but has parameter of
type 'int' which may cause truncation of value [-Wabsolute-value]
rtp_port = rtp_calculate_port(ENDPOINT_NUMBER(endp),
^
../../include/openbsc/mgcp_internal.h:206:31: note: expanded from macro 'ENDPOINT_NUMBER'
#define ENDPOINT_NUMBER(endp) abs(endp - endp->tcfg->endpoints)
^
mgcp_vty.c:1381:34: note: use function 'labs' instead
The idea of "subscriber_get_channel" was that different
requests would be coordinated. At the same time we have
seen that the "queue" can get stuck at both 31C3 and the
rhizomatica installations.
Voice calls and SMS do not need coordination. We should
be able to send SMS on a voice channel and switch the MS
from a SDCCH to a TCH in case we establish a voice call.
The SMS code itself needs to coordinate to obey the limit
of one SMS per direction but this should be enforced in
the sms layer and not on the subscriber.
Modify the code to have a simple paging coordination. The
subscriber code will schedule the paging and register who
would like to know about success/failure.
This allowed to greatly simplify the paging response
handling for the transaction code (and in fact we could
move the transaction list into the subscriber structure
now). The code gained to support to cancel the notification
of a request (but not the paging itself yet).
TODO: Cancel paging request in case no one cares about it
anymore.
In case the default TCH/F codec is "EFR" and we do an early
assignment from SDCCH to a TCH we would assign the TCH/H
codec. This is because the lchan_type will be neither a
TCH/H nor a TCH/F.
At the same time the _gsm48_lchan_modify code to check for
half vs. full-rate is the other way around. Align both.
It is full-rate if it is not a TCH_H. This will have some
other complications down the way (early assignment on
cells with only TCH/H). So the mode should not depend on
the _current_ channel but the kind of channel we want.
The debian shlibs:depends macro will add the depends
according to the needed libraries for us. We only need
this for the sqlite3 plugin of libdbi-drivers as there
is no direct linkage.
In test_rtp_seq_state an assignment is accidently done within an
assertion.
This commit changes that into a comparison as it was intended.
Fixes: Coverity CID 1295457, 1295458
Sponsored-by: On-Waves ehf
Currently the src_codec const variable is set to &src_end->codec
before src_end is checked against NULL. Since the assigment is just
an address operation and the memory where it points to is only
accessed after the NULL check, this does not harm technically.
Nevertheless this is potential source for errors if that code is
changed.
This commit moves the definition below the NULL check. This does not
comply with the coding style, but it cannot be split into definition
and a later assignment due to the const qualifier.
Sponsored-by: On-Waves ehf
We might have compiled transcoding into the MGW but
we don't want to enable it for a given user. Add a new
switch that should allow that.
I had manually tested the allow-transcoding/no allow
VTY interface for the primary interface and a new trunk
using show running-config.
It is unlikely that GSM, gsm and GsM refer to different codecs.
The mera mvts does send the audio codecs in lower case even if
RFC 3551 has them in upper case (but copy and paste is sometimes
too hard).
Currently the handling of the buffers is not done consistently. Some
code assumes that the whole buffer may be used to store the string
while at other places, the last buffer byte is left untouched in the
assumption that it contains a terminating NUL-character. The latter
is the correct behaviour.
This commit changes to code to not touch the last byte in the buffers
and to rely on the last byte being NUL. So the maximum IMSI/IMEI
length is GSM_IMSI_LENGTH-1/GSM_IMEI_LENGTH-1.
For information: We assume that we allocate the structure with
talloc_zero. This means we have NULed the entire imsi array and then
only write sizeof - 1 characters to it. So the last byte remains NUL.
Fixes: Coverity CID 1206568, 1206567
Sponsored-by: On-Waves ehf
Currently some VTY command do neither check the length of the source
string before calling strncpy nor ensure NUL-termination afterwards.
This can to destination string buffers whose contents are not
NUL-teminated.
This commit adds checks and corresponding warnings to the VTY
commands 'subscriber TYPE ID name .NAME" and "subscriber TYPE ID
extension EXTENSION".
Fixes: Coverity CID 1206570, 1206569
Sponsored-by: On-Waves ehf
When handling an incoming GSUP cancellation request, the cancel_type
if effectively ignored, such that is always handled as
GPRS_GSUP_CANCEL_TYPE_UPDATE and never as WITHDRAW.
This commit fixes the expression used to set the variable
is_update_procedure.
Fixes: Coverity CID 1267739
Sponsored-by: On-Waves ehf
Currently the inner loop in show_bsc_mgcp iterates of the timeslot
interval [0, 31]. Timeslot 0 is not valid, which causes
mgcp_timeslot_to_endpoint to generate a corresponding warning and to
return an invalid endp value. That value causes an out-of-bound
read access, possibly hitting unallocated memory.
This patch fixes the loop range by starting with timeslot 1.
Note that this does not prevent mgcp_timeslot_to_endpoint from
returning an invalid endpoint index when called with arguments not
within its domain.
Addresses:
<000b> ../../include/openbsc/mgcp.h:250 Timeslot should not be 0
[...]
vty=0xb4203db0, argc=1, argv=0xbfffebb0) at bsc_nat_vty.c:256
max = 1
con = 0xb4a004f0
i = 0
j = 0
[...]
==15700== ERROR: AddressSanitizer: heap-use-after-free on address
0xb520be4f at pc 0x8062a42 bp 0xbfffeb18 sp 0xbfffeb0c
Sponsored-by: On-Waves ehf
I omitted the check as this was already done by the verify
function for this command. Please Coverity and do the check
again even if it is not necessary. I begin to doubt the
usage of a "dedicated" verify method as well.
Silences: Coverity CID 1293150
On DT messages we directly write into the tracked SCCP
connection. This means "imsi" will always be NULL at
this check. Change the code to use con->imsi
Fixes: Coverity CID 1293151
We want to have a program add entries to the allow list
this can be done using:
$ bsc_control.py -d localhost -p 4250 -s net.0.add.allow.access-list.NAME "^IMSI$"
bsc_stat_reject is treating -1 as parsing failure but for the
global barring. Change it to another return value so it is
not counted as parsing failure.
We had issues with odd behavior on the nanoBTS which lead
to the introduction of the "broken" state. On busy multi
BTS cells (e.g. rhizomatica) with wifi backhaul the timeout
we set to wait for a RF Channe Release ACK is sometimes too
little and channels are marked broken that look to be okay
(besides the still to be determined delay).
In case of a sysmoBTS we now know that we can change the
state of a broken channel back to normal in case we do
receive the right response.
Manually verified using the Smalltalk BTS code
PackageLoader fileInPackage: 'FakeBTS'
bts := FakeBTS.BTS new.
bts btsId: '1903/0/0'.
bts connect: 'localhost'.
bts waitForBTSReady.
test := FakeBTS.OpenBSCTest new.
test bts: bts.
test requireAnyChannel
... wait for NITB output
<0004> abis_rsl.c:223 (bts=0,trx=0,ts=0,ss=0) Timeout during deactivation! Marked as broken.
... process pending messages
stdin next
<0004> abis_rsl.c:735 (bts=0,trx=0,ts=0,ss=0) CHAN REL ACK for broken channel. Releasing it.
So the channel went from broken to unallocated.
Change the paging strategy based on on if a LAC override
is in place or not. In case we had changed the LAC we need
to page on all the BTS. Change the "grace" handling to
iterate over the BTS and filter out all non matching ones
LAC in case no LAC handling is active.
Manually verified all four cases with a single BTS:
* No LAC handling and grace period
* LAC handling and grace period
* No LAC handling and not lock
* LAC handling and lock.
Related: SYS#1398
For MT we can't page per lac as we don't know which BTS was
the original one. Split the grace period and normal mode into
two methods so we can bloat both of them later.
We need to use different LAC/CI towards the core network.
It is a bit problematic as LAC/CI is a per BTS attribute
so this feature only works if a BSC manages everything in
the same LAC.
Related: SYS#1398
The write_queue is designed to have a maximum amount of pending
messages and will refuse to take new messages when it has been
reached. The caller can decide if it wants to flush the queue
and add the message again, create a log. But in all cases the
ownership of the msgb has not been transferred. Fix the potential
memory leak in the failure situation.
When reading from RTP socket, the first read() may fail right after
connecting to remote socket. Subsequent read() will work as it should.
If the remote socket does not open fast enough, the transmitted RTP
payload can cause an ICMP (connection refused) packet reply. This causes
the read to fail with errno=111. In all other error cases, the errno is
logged at debug level. In all error cases, reading is not disabled.
Conflicts:
openbsc/src/libtrau/rtp_proxy.c
[hfreyther: Fix typo, stop reading in all cases but ECONNREFUSED]
If a bad TRAU frame is received, it is forwarded to MNCC application
as GSM_BAD_FRAME. The application can now handle the GAP of missing
audio. (e.g. by extrapolation)
If TRAU frames are forwarded via RTP, bad frames are dropped, but frame
counter and timestamp of RTP sender state is incremented.
Conflicts:
openbsc/src/libtrau/rtp_proxy.c
[hfreyther: Merge without testcase, fix typo]
In case:
* No message_payload and a 0 sm_length was used
* esm_class indicates UDH being present
* 7bit encoding was requested
The code would execute:
ud_len = *sms_msg + 1;
Which is a NULL pointer dereference and would lead
to a crash of the NITB. Enforce the limits of the
sm_length parameter and reject the messae otherwise.
Fixes: Coverity CID 1042373
I used strdup in case the data would not be valid from after
the call to getopt and this creates a potential leak if a user
is specifying multiple configuration files. If I depend on the
fact that the string is a pointer into the argv[] array I can
kill the strdup and fix the unlikely leak.
Fixes: Coverity CID 1206578
We are deferencing conn earlier in this function without doing
a null check. At the time deliver_to_esme is called the conn
will always exist and even the lchan is likely to be present.
Remove the null check for conn right now.
Fixes: Coverity CID 1210594
For most configurations we don't address multiple GGSNs but
only want to enforce a list of APNs. In the future we might
add a special global GGSN context but not right now.
Fixes: SYS#593
This reverts commit f81cacc681.
Since the PURGE MS retry mechanism had been removed, this feature
is not used anymore. It just makes the code more complex.
Conflicts:
openbsc/include/openbsc/gprs_sgsn.h
openbsc/src/gprs/gprs_subscriber.c
openbsc/tests/sgsn/sgsn_test.c
Currently the APN IE in the Activate PDP Contex Request and the PDP
data that is stored with the subscriber is ignored completely.
This commit adds the sgsn_mm_ctx_find_ggsn_ctx that checks the APN IE
against the subscriber's PDP data entries if both are present. If
there is no match, the request is rejected.
If an APN IE has not been included but PDP data entries are present,
the function checks all of these entries against the static 'apn'
configuration to find a suitable entry.
If an APN has not been determined so far and any APN is allowed, the
configuration is checked with an empty APN string, to allow for
default configurations based on the IMSI prefix only.
If nothing of this succeeded but the request wasn't rejected either,
and there is no 'apn' configuration at all or if any APN is allowed
but a default configuration ist not present, the GGSN with id 0 is
used (if present).
Otherwise the request is rejected ('missing APN').
Ticket: OW#1334
Sponsored-by: On-Waves ehf
This commit adds the exported functions apn_ctx_find_alloc,
apn_ctx_free, apn_ctx_by_name, and apn_ctx_match to manage and
retrieve APN to GGSN mappings.
The following VTY commands are added to 'config-sgsn':
- apn APN ggsn <0-255>
- apn APN imsi-prefix PREFIX ggsn <0-255>
which maps an APN gateway string to an SGSN id. The SGSN must be
configured in advance. When matching an APN string, entries with a
leading '*' are used for suffix matching, otherwise an exact match is
done. When a prefix is given, it is matched against the IMSI. If
several entries match, a longer matching IMSI prefix has precedence.
If there are several matching entries with the same PREFIX, the entry
with longest matching APN is returned.
Ticket: OW#1334
Sponsored-by: On-Waves ehf
Currently the PDP info that is transmitted via GSUP is just parsed
and then discarded.
This commit adds a new data structure sgsn_subscriber_pdp_data and
maintains a list of those in sgsn_subscriber_data. The PDP data is
copied from an incoming GSUP UpdateLocationResult message. If that
message contains the PDPInfoComplete flag, the list is cleared before
new entries are added. The 'show subscriber cache' output now also
shows the PDP data entries.
Note that the InsertSubscriberData message is still not supported.
[hfreyther: Added talloc_free in gprs_subscr_pdp_data_clear]
Sponsored-by: On-Waves ehf
Keep track if the power level has been "fixed" by the BSC,
otherwise keep track of the currently ordered one. The ms_power
is the initial value set by the BSC and continues to be used.
Create a control command to read and modify the gprs mode. Use
the get_string_value to indicate if the value was found or not.
This is useful for the ctrl interface where I didn't want to
replicate "none", "gprs" and "egprs". Share code to verify that
a BTS supports the mode.
Related: SYS#591
30f1f37638 introduced new channel
combinations but had a copy and paste error in the description.
The jenkins system didn't run the external tests so this issue
and others were not noticed until now.
Fix the copy and paste and update the test result.
Currently the MM context is not deleted when a GSUP location
cancellation message is processed, because the real
sgsn_update_subscriber_data function has been wrapped to a dummy
implementation.
This commit adds an explicit call to sgsn_mm_ctx_cleanup_free which
also unassigns the LLME, so the call to gprs_llgmm_assign is removed.
It also adds an assertion to check that there are no talloc'ed blocks
left in tall_bsc_ctx.
Addresses:
== 372 bytes in 1 blocks are possibly lost in loss record 7 of 9
== at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
== by 0x4059FB8: _talloc_zero (talloc.c:354)
== by 0x8055B82: sgsn_mm_ctx_alloc (gprs_sgsn.c:167)
== by 0x804A336: alloc_mm_ctx (sgsn_test.c:140)
== by 0x804B24D: test_subscriber_gsup (sgsn_test.c:503)
== by 0x804EC99: main (sgsn_test.c:1853)
Sponsored-by: On-Waves ehf
This commit adds a check after a GSUP message has been decoded
whether it is an error message and does not contain a cause value.
If his is the case, the cause value is set to 'Network failure', so
that this cause if effectively the default value for error messages.
Sponsored-by: On-Waves ehf
Currently there are not any test cases for PurgeMS GSUP messages in
test_subscriber_gsup.
This commit adds tests for incoming PurgeMSResult and -Error
messages.
Sponsored-by: On-Waves ehf
Currently gprs_subscr_rx_gsup_message returns immediately after it
detects that an IMSI has not been given in the received GSUP message.
While this is ok for responses (result or error), a request should
always be answered.
This commit adds code to reply with a corresponding error message
("Invalid mandatory information") when it receives a request without
an IMSI.
Note that the generated error message will not contain an IMSI either.
Sponsored-by: On-Waves ehf
The cancellation type that is part of the UpdateCancellation message
is currently ignored.
This patch adds the missing glue between the existing GSUP and GMM
support. If the type is not present or has the value updateProcedure
the subcriber and MM context are siliently removed. Otherwise, a
message with cause 'implicitly detached' is sent to the MS. Since the
real cause is not known (the specification neither added a cause IE
nor defined a static cause value), the MS may get the real cause in
the following AttachRej.
Added VTY commands:
- update-subscriber imsi IMSI cancel update-procedure
- update-subscriber imsi IMSI cancel subscription-withdraw
the old form without the cause is no longer supported.
Sponsored-by: On-Waves ehf
Currently the subscr entry is no longer present, when PURGE MS
ERROR/RESULT arrives. In this case, an unspecific notice is logged
('unknown IMSI'). This clutters up the logfile with notices even in
perfectly normal operation.
This commit changes the code path that is used when a subscr cannot
be found for an incoming GSUP message. A check for PURGE MS RESULT
and ERROR is added and gprs_subscr_handle_gsup_purge_no_subscr is
called for these messages instead of gprs_subscr_handle_unknown_imsi.
Sponsored-by: On-Waves ehf
Currently the keep_in_ram flag is explicitely reset in
gprs_subscr_cleanup to cover the case, that the VTY 'create'
sub-command has been used to create the subscriber entry.
This commit completely removes keep_in_ram handling from
gprs_subscriber.c and adds a VTY 'destroy' sub-command to reset the
flag and remove the entry. So 'create' and 'destroy' can be used to
manager sticky entries that are kept even when a location
cancellation is done.
Added VTY command:
- update-subscriber imsi IMSI destroy
Sponsored-by: On-Waves ehf
Currently the MM context cleanup code is distributed over several
functions. sgsn_mm_ctx_free not only frees data structure but also
eventually stops the timer and does the subscriber clean-up.
mm_ctx_cleanup_free (gprs_gmm.c) cleans up the PDP contexts and
unassign the TLLI.
This commit moves the cleanup code from both functions into a new
unifying function sgsn_mm_ctx_cleanup_free that cares about the
clean-up of all related sub-systems.
Sponsored-by: On-Waves ehf
Currently, sgsn_update_subscriber_data can be called with mmctx ==
NULL and will find and associate the right context (if present) based
on the subscriber's IMSI. This will not happen in regular use
any more, since sgsn_update_subscriber_data will only be called when
subscribers are used (auth mode 'remote') and in this case
gprs_subscr_get_or_create_by_mmctx will already be called by
sgsn_auth_request. Therefore, MM context and subscriber are always
associated except for some test cases and experimental VTY usage.
The current implementation of sgsn_update_subscriber_data also causes
additional complexity for the deletion on MM contexts to avoid a
ipossible double-free MM contexts.
This commit removes the MM context <-> subscriber association code
from sgsn_update_subscriber_data. That function must always be called
with mmctx != NULL, now. To avoid problems with VTY and test usage,
the calling subscriber function now only call
sgsn_update_subscriber_data when mmctx != NULL, since the purpose of
that function is to update that state of an existing MM context after
subscriber data has been changed.
Sponsored-by: On-Waves ehf
The definition of subscr_put in gb_proxy_main.c will break linking if
symbols from libcommon are used. Since subscr_put is in libcommon,
there is no need for this dummy definition anymore.
This patch removes the dummy definition.
Adresses:
../../src/libcommon/libcommon.a(gsm_subscriber_base.o): In function `subscr_put':
/home/jerlbeck/git/build/openbsc/openbsc/src/libcommon/gsm_subscriber_base.c:90: multiple definition of `subscr_put'
gb_proxy_main.o:/home/jerlbeck/git/build/openbsc/openbsc/src/gprs/gb_proxy_main.c:56: first defined here
Sponsored-by: On-Waves ehf
Currently the sgsn_mm_ctx_free contains code to reset the mm->subscr
field that is also present in gprs_subscr_cleanup, which is called
directly afterwards.
This commit modifies the code path, so that the cleanup is done by
the gprs_subscr_cleanup function. The additional reference counter
increment is needed, since mm->subscr->mm->subscr (which is the same
like mm->subscr) will be reset (and unref'd) within
gprs_subscr_cleanup. Because the local variable subscr in
sgsn_mm_ctx_free is an additional pointer to the subscriber object,
it is consequent to adjust the reference counter when the assignment
is done.
Sponsored-by: On-Waves ehf
The old name is somewhat misleading. The function is rather preparing
the subscriber for a subsequent subscr_free, that is possibly invoked
by a subscr_put. It detaches the subscriber from the MM context and
optionally invokes a PURGE_MS procedure. Therefore the _cleanup
suffix is chosen (see mm_ctx_cleanup_free).
Sponsored-by: On-Waves ehf
Currently, the return value of gsup_client_connect is checked whether
it is < 0 and != -EINPROGESS. Since gsup_client_connect will only
return a negative value on a few permanent errors (not including
EINPROGRESS), rc is always != EINPROGRESS.
This patch removes the explicit check againt -EINPROGRESS and just
leaves the check rc < 0.
Sponsored-by: On-Waves ehf
Currently the size argument of strncpy is set to sizeof(mm->imsi) in
some places. If the source IMSI string is too long, the terminating
NUL byte in the static mm->imsi field gets overwritten.
This patch limits the size to sizeof(mm->imsi)-1, so that the last
byte of the buffer (that has been initialized to 0) is not
overwritten.
Fixes: Coverity CID 12065751, 12065754, 1206575
Sponsored-by: On-Waves ehf
Currently gprs_subscr_delete implicitely calls subscr_put, which
makes the code more complex than necessary (additional subscr_get) in
a few places. It also makes it more difficult to see, whether get/put
are balanced within a function. In addition, the functions are not
named consistently (gprs_subscr_delete vs.
gprs_subscr_put_and_cancel).
This commit changes the semantics of gprs_subscr_delete and
indirectly of gprs_subscr_put_and_cancel to not call subscr_put on
their argument, but to leave that for the caller to do it
explicitely.
It renames gprs_subscr_put_and_cancel to gprs_subscr_cancel to
reflect that change in the name, too.
Sponsored-by: On-Waves ehf
The subscriber cache would help in case:
* GPRS DETACH, GPRS ATTACH. In that case we might still
have some cached authentication tuples we avoid another
sendAuthenticationInfo request.
* After a detach the cache expiry would make sure to
eventually send a purgeMS to the HLR (which might be
ignored).
At the same time to make the cache work we will need to
make sure to start and stop timers. In case we don't
start we might accumulate subscribers. I am afraid that
the above two benefits do not outweight the complexity
of this implementation.
Currently old LLMEs and MM contexts that haven't been explicitly
detached or cancelled are not removed until another request with the
same IMSI is made. These stale entries may accumulate over time and
severely compromise the operation of the SGSN.
This patch implements age based LLME expiry, when the maximum age has
been reached, the corresponding MM context is cancelled. If such an MM
context doesn't exist, the LLME is unassigned directly.
The implementation works as follows.
- llme->age_timestamp is reset on each received PTP LLC message
- sgsn_llme_check_cb is invoked periodically (each 30s)
- sgsn_llme_check_cb sets the age_timestamp to the current time if
it has been reset
- sgsn_llme_check_cb computes the age and expires the LLME if
it exceeds gprs_max_time_to_idle()
Ticket: OW#1364
Sponsored-by: On-Waves ehf
[hfreyther: Fix typo in comment LMME -> LLME]
Currently the T3312 timer is directly set as encoded value when
generating the Attach/RAU Accept messages.
This patch adds GSM0408_T3312_SECS and uses it to set the
information element's value.
Sponsored-by: On-Waves ehf
Currently this optional IE is omitted, so that the optional
'Requested READY timer value' of the corresponding Request message
is used by the MS (or the default value if this IE is not used).
This patch extends gsm48_tx_gmm_att_ack and gsm48_tx_gmm_ra_upd_ack
to always include the IE set to the default value of T3312 (44s,
see GSM 04.08, table 11.4a).
Ticket: OW#1364
Sponsored-by: On-Waves ehf
Currently, all GPRS timer values are hard-coded. To make these values
configurable in seconds and to show them, conversion functions from
and to seconds are needed.
This patch adds gprs_tmr_to_secs and gprs_secs_to_tmr_floor. Due to
the limited number of bits used to encode GPRS timer values, only a
few durations can be represented. gprs_secs_to_tmr_floor therefore
always returns the timer value that represents either the exact
number (if an exact representation exists) or the next lower number
for that an exact representation exists.
Sponsored-by: On-Waves ehf
Currently the gsup_client_connect return 0 if the call to
ipa_client_conn_open was successful and -errno otherwise. This makes
it difficult for the caller to determine, whether the the whole
operation has been cancelled (currently on EBADF, ENOTSOCK,
EAFNOSUPPORT, EINVAL) or whether the GSUP client will retry to
connect after a timeout. This will cause gprs_gsup_client_create to
destroy the GSUP client object, even if the error might be temporary.
This patch changes the function to return 0 if (and only if)
ipa_client_conn_open was successful or the retry timer has been
started. Since the return value 0 doesn't guarantee, that a
subsequent call to gprs_gsup_client_send will succeed, this shouldn't
break anything.
Sponsored-by: On-Waves ehf
The per BSC code didn't guard against the init already having
been executed. This lead to:
Adding a osmo_fd that is already in the list.
<000b> bsc_nat_vty.c:1200 Setting up OSMUX socket
So a new socket got created and the old one leaked. Luckily
Linux appears to allow to bind multiple times so we were able
to just read from the new one. Use the same guard that is used
on the MGCP MGW. Re-order the log message to say "Setting up"
before we actually do that. I manually verified that osmux_init
is called at most once.
The log message was spotted by Roch
The dependecies do not match the current package names or are
missing:
Build-Depends:
- renamed libgtp-dev -> libgtp0-dev
- added libosmo-netif-dev
Depends:
- renamed libgtp -> libgtp0
Other run time dependencies might still be missing and have to be
installed manually.
This is taken from Holger's e744ebd17c3761b5cad81d718d0349f2f820ec66.
In addition, the build-dependency on libgtp-dev is replaced by
libgtp0-dev.
This patch drops the following commands:
- update-subscriber imsi IMSI insert authorized <0-1>
- update-subscriber imsi IMSI commit
since they are already covered by the 'update-location-result'
sub-command, except that this command doesn't create an new entry if
none is found with the given IMSI.
It adds the following command:
- update-subscriber imsi IMSI create
which can be used to create a new entry.
Sponsored-by: On-Waves ehf
Currently '\n' is used to end lines in the VTY output string
constants instead of inserting VTY_NEWLINE. This leads to incorrect
line starts in error messages.
This patch fixes that accordingly.
Sponsored-by: On-Waves ehf
Currently an error_cause of 0 is being used to indicate normal
operation. Albeit this is not a defined GMM cause, the value is not
explicitly reserved.
This commit adds the macro SGSN_ERROR_CAUSE_NONE and uses it for
initialisation (instead of relying on talloc_zero) and comparisons.
The value is set to -1 to be on the safe side. The VTY code is
updated to set the error_cause when using the
'update-subscriber imsi IMSI update-location-result CAUSE' command.
Sponsored-by: On-Waves ehf
Currently the access to subscr->sgsn_data->error_cause is not
protected against subscr == NULL like it is done in other code paths
of sgsn_auth_update.
This commit adds a conditional to avoid a NULL-dereference.
Fixes: Coverity CID 1264589
Sponsored-by: On-Waves ehf
Currently, if assert_subscr were called with subscr == NULL, the
later call to subscr_put might fail, as Coverity has complained. In
addition, the call to subscr_put would free the subscr object if it
were in the cache with a refcount of 0 at the time assert_substr was
called.
This patch adds a check for the subscr being non-NULL and reorders
the checks, so that the subscr_put comes last.
Fixes: Coverity CID 1264590
Sponsored-by: On-Waves ehf
Currently sgsn_alloc_ptmsi uses rand() to get a new P-TMSI and then
sets to upper 2 MSB. Therefore there is no lower limit of the
distance between 2 identical P-TMSI.
This patch changes the implementation to discard any random value
above 2^30 and to generate a new random number in that case until a
fitting number is found (or a repetition limit is reached). This way,
all number below 2^30 within the PRNG's period are used.
Ticket: OW#1362
Sponsored-by: On-Waves ehf
Currently no GSUP LocationCancellationResult message is sent back to
the peer (HLR), if the procedure succeeded at the SGSN's side.
This patch adds the missing message and put the whole request
handling of this procedure into a separate function.
Ticket: OW#1338
Sponsored-by: On-Waves ehf
Currently gprs_subscr_rx_gsup_message creates a subscriber entry if
such an entry doesn't exist for the IMSI within an
InsertSubscriberData GSUP message. This behaviour is not compliant to
GSM 09.02, 20.3.3.2 (Subscriber data management/SGSN) where it is
defined, that an error ("Unidentified subscriber") shall be returned.
This patch removes the case distinction, so that an existing
subscriber entry is required for all incoming GSUP messages.
Sponsored-by: On-Waves ehf
Currently, an incoming GSUP request message isn't answered at all if
it is not handled due to an error or missing implementation.
This patch adds GSUP error replies for these requests (and only for
requests). It also adds tests for these cases.
Note that several of these tests check for
GMM_CAUSE_MSGT_NOTEXIST_NOTIMPL, which will have to be changed, when
the features are implemented.
Sponsored-by: On-Waves ehf
GSM 09.02, 19.4.1.4 mandates that no other MAP procedures shall be
started until the PURGE_MS procedure has been completed.
This patch implements this by adding corresponding state and checks
to gprs_subscr_purge, gprs_subscr_location_update, and
gprs_subscr_update_auth_info. If an Update Location or a Send Auth
Info Req procedure is not started because of blocking, the retry
mechanism is aborted to shorten the blocking time. The outstanding
Purge MS procedure itself is not aborted.
Sponsored-by: On-Waves ehf
Currently, when the PURGE_MS_REQ to the HLR gets lost (e.g. by a
connection or peer failure), the expired subscriber entry will not get
deleted.
This commit adds a retry mechanism then restarts the procedure after
a timeout (currently 10s). The maximum number of retries is limited
(currently to 3 PURGE_MS messages). If none of these procedures is
completed (either with success or error), the subscriber data is
deleted.
Sponsored-by: On-Waves ehf
When a subscriber entry is going to be deleted by SGSN and when the
subscriber info has been obtained from a remote peer via GSUP, the
peer should be informed before the entry is really deleted. For this
purpose, MAP defines the PURGE MS procedure (see GSM 09.02, 19.1.4).
This patch adds support for the PURGE_MS_REQ/_ERR/_RES messages and
invokes the procedure when the subscriber entry is going to be
removed. This only applies if GSUP is being used, the Update
Location procedure has been completed successfully, and the
subscriber has not been cancelled. The removal of the entry is
delayed until a PURGE_MS_RES or PURGE_MS_ERR message is received.
Note that GSM 09.02, 19.1.4.4 implies that the subscriber data is not
to be removed when the procedure fails which is not the way the
feature has been implemented.
Note that handling 'P-TMSI freezing' is not implemented.
Ticket: OW#1338
Sponsored-by: On-Waves ehf
This commit implements the encoding and decoding of the messages
- Purge MS Request
- Purge MS Error
- Purge MS Result
and adds corresponding tests.
Sponsored-by: On-Waves ehf
Currently the definitions of the message PURGE_MS_RES and
PURGE_MS_ERR are missing in the specification.
This patch adds those definitions.
Sponsored-by: On-Waves ehf
This commit adds talloc reports to log remaining NULL chunks after the
terminates. It also adds explicit checks for empty subscriber lists.
Sponsored-by: On-Waves ehf
This test replaces gprs_gsup_client_send by a custom function, that
emulates a GSUP remote peer by calling gprs_subscr_rx_gsup_message
with responses for all requests. It then executes a full
Attach/Detach cycle.
Sponsored-by: On-Waves ehf
Set the expiry delay after the subscriber has been deleted (e.g. by
freeing the MM context). If cancelled, the subscriber will be deleted
immediately and no timeout will be set. If the expiry time is set to
SGSN_TIMEOUT_NEVER, no timer will be started and the subscriber entry
will be kept until it is cancelled.
The following VTY command is added to the sgsn node:
- subscriber-expiry-time <0-999999> set expiry time in seconds
- no subscriber-expiry-time set to SGSN_TIMEOUT_NEVER
The default is an expiry time of 0 seconds, which means that the
subscriber entries are wiped out immediately after an MM context is
destroyed.
Note that unused MM contexts are not expired yet. Therefore the
subscriber will only be expired after a successful MM detach.
Sponsored-by: On-Waves ehf
The code sequence that checks, whether a subscriber is still
reachable for a given IMSI, is repeated several times.
This patch puts this code sequence into a single function and adds a
check for the IMSI after the entry has been found. In addition,
some comments are extended.
Sponsored-by: On-Waves ehf
Currently the subscribers are not really deleted by
cleanup_subscr_by_imsi, but kept in RAM instead.
This patch fixes this and adds a test to verify, that the subscriber
is really deleted afterwards.
Sponsored-by: On-Waves ehf
Currently the error causes MSC_TEMP_NOTREACH, NET_FAIL, and
CONGESTION are silently dropped to force the MS to continue. On the
other hand, GSM 04.08/24.008, 4.7.3.1.4 in combination with 4.7.3.1.5,
require the MS to retry the attachment procedure for cause codes
above 15 instead of disabling GPRS. All of the mentioned GMM causes
have codes above 15, so using a REJECT message including the cause
code is a better choice. This way, the retry algorithm based on T3311
(15s, 5 times) and T3302 (default 12min) could be used.
This patch modifies gprs_subscr_handle_gsup_auth_err and
gprs_subscr_handle_gsup_upd_loc_err to proceed like when the access
has beed denied, except that the corresponding subscriber's
information fields are not cleared.
This has been successfully tested which an iphone which enters a
retry loop as it is being described in the specification.
Sponsored-by: On-Waves ehf
To unify the layout of the logging messages in gprs_subscriber.c,
this patch replaces each LOGP by LOGGSUBSCRP, unless a non-NULL
pointer to a subscr is not available. In those cases, it uses
LOGMMCTXP if a pointer to an MM context is available or LOGP
otherwise.
Sponsored-by: On-Waves ehf
This patch adds a new logging macro, that logs to DGPRS and provides
a uniform prefix containing the IMSI without using the mm reference.
This is an improvement over using LOGMMCTXP, since the new macro also
provides an IMSI if no MM context is attached.
Sponsored-by: On-Waves ehf
Currently the GSUP message handling function in gprs_subscriber.c and
the functions in gprs_gsup_messages.c are not consistent with respect
to the return codes if an error happens. Albeit all error return
codes are negative, the semantics of the absolute value are not
clearly defined. In addition, some return codes are not passed to the
calling function.
This path changes these functions to always return a negated GMM
cause value in case of errors. Return values of called parser
functions are not longer ignored.
Sponsored-by: On-Waves ehf
Currently always a cause with the meaning of 'access denied' is
assumed. gprs_subscr_handle_gsup_auth_err just clears the auth
triplets and the authorized flag before calling the update function.
gprs_subscr_handle_gsup_upd_loc_err only clears the authorized flag
and calls the update function. This means, that an MS will not retry
to attach even on temporary network errors.
This patch changes these functions to use the GSUP error cause value
to decide, whether to clear the corresponding subscriber fields, to
just continue with the corresponding update function, or to log,
ignore and not pass the cause to the MS in case the error is directly
related to the GSUP protocol. The subscriber's error_cause field is
updated, if the update function is going to be called. The
error_cause fielt is reset on non-error GSUP messages.
Sponsored-by: On-Waves ehf
This patch extends gsm0408_gprs_access_denied and
gsm0408_gprs_access_cancelled to accept GMM cause codes. These are
then passed to the MS, unless gsm0408_gprs_access_cancelled is called
with cause 0 (no error -> updateProcedure).
Since gsm0408_gprs_access_denied uses GMM_CAUSE_GPRS_NOTALLOWED if
the cause is not set, and the subscriber's error_cause is never set
(and thus always 0), the SGSN's behaviour does not change with this
patch.
Sponsored-by: On-Waves ehf
Conflicts:
openbsc/include/openbsc/gprs_sgsn.h
[hfreyther: Conflict due the removal of the unused
authenticate flag]
Currently the mapping between GSM 04.08 (GPRS) protocol specific
numbers and their textual description was put into gprs_gmm.c and not
exported.
This commit moves the mappings to a new file gsm_04_08_gprs.c,
renames some of them, and exports them via gsm_04_08_gprs.h.
The following identifiers are renamed to match the corresponding type
names:
- gmm_cause_names -> gsm48_gmm_cause_names
- gsm_cause_names -> gsm48_gsm_cause_names
Sponsored-by: On-Waves ehf
This commit adds a line to the output of 'show sgsn' if the GSUP
client has been initialized:
- Remote authorization: [not] connected to HOST:PORT via GSUP
Sponsored-by: On-Waves ehf
Currently, the reconnect mechanism relies on gsup_client_updown_cb
which in turn gets called based on the OS' view of connection state.
This patch adds a timer based PING mechanism that regularly sends
PING messages and forces a reconnect if a PONG message won't be
received until the next PING message is scheduled. The current ping
interval is 20s.
Sponsored-by: On-Waves ehf
Conflicts:
openbsc/src/gprs/gprs_gsup_client.c
[hfreyther: Conflicts due the potential memleak fix by me. Removed
another TODO from the code as we stop the ping/pong timer]
Currently the IPA CCM messages are not handled by the GSUP client.
This means, that the client doesn't answer to PING and ID_GET and
logs notices when receiving PONG or ID_ACK. At least the PING
functionality (remotely originated PING) shall be supported.
This patch extends gsup_client_read_cb by a call to
ipaccess_bts_handle_ccm. Only when the return code is 0, the message
is processed further and checked for an OSMO/GSUP message. ID_GET
messages are answered by a dummy description, where only the
unit_name is set to 'SGSN'.
Sponsored-by: On-Waves ehf
The ipa_client_conn_open function does not distinguish between a
connection being already established or waiting for establishment.
In either case, the application gets informed about the connection
state via the updown_cb. The 'up' parameter is only set, if
poll/select consider the socket as writable.
This patch handles both cases equally and fully relies on the
updown_cb to adjust the gsupc obejct state.
Sponsored-by: On-Waves ehf
Currently, messages are added to the tx queue even if the connection
is down for some reason and all of these messages are eventually sent
after a re-connect. The MS has probably sent several Attach Requests
while the connection was down and will continue doing so. Therefore
these stored messages could be dropped.
This patch clears the queue before re-connecting and also extends
gprs_gsup_client_send to return immediately, when the connection is
not established instead of calling ipa_client_conn_send.
Sponsored-by: On-Waves ehf
[hfreyther: Replaced
while (!llist_empty(&gsupc->link->tx_queue))
llist_del(gsupc->link->tx_queue.next);
with new libosmo-abis API]
Currently the GSUP connection to a server is not restarted if the
connection cannot be established or is terminated during operation.
This commit adds a timer based connection mechanism, basically
consisting of a timer callback that calls gsup_client_connect. The
timer is eventually triggered (up == 0) or cleared (up != 0) by
gsup_client_updown_cb. It adds calls to osmo_timer_del() to
gsup_client_connect and gprs_gsup_client_destroy. The latter is now
called instead of talloc_free in gprs_gsup_client_create on error to
be on the safe side.
Sponsored-by: On-Waves ehf
This patch extends test_gmm_attach to optionally resend Attach
Requests until the SGSN responds to it instead of calling
OSMO_ASSERT at a few places. The test_gmm_attach_subscr_gsup_auth
test optionally uses this feature. It is called once in either mode.
Sponsored-by: On-Waves ehf
This test calls test_gmm_attach() where the mocked subscriber
functions insert GSUP messages instead of manipulating the
subscriber structure directly.
Sponsored-by: On-Waves ehf
Currently, several lines of boiler plate are needed around a call to
gprs_subscr_rx_gsup_message.
This patch puts all of this (including the call to
gprs_subscr_rx_gsup_message) into a separate function.
Sponsored-by: On-Waves ehf
This flag is used to determine, whether the Update Location procedure
shall be invoked. This is currently only set, when the 'remote'
authorization policy is set. When the flag is set, sgsn_auth_update
will not never be called directly by sgsn_auth_request, if an Attach
Request procedure is pending, even if the remote connection fails for
some reason.
Sponsored-by: On-Waves ehf
Currently the flag 'authenticate' is managed per subscriber.
This patch replaces that flag by a global cfg.require_authentication
flag that enables/disables the use of the Auth & Ciph procedure for
every subscriber. The flag is set by the VTY, if and only if the
authorization policy is 'remote'.
The VTY command
- update-subscriber imsi IMSI insert authenticate <0-1>
is removed.
Sponsored-by: On-Waves ehf
This commit adds GSUP client configuration (via VTY), connection set
up, and real message sending.
The following configuration commands are added:
- gsup remote-ip A.B.C.D set server IP address
- gsup remote-port PORT set server TCP port
Ticket: OW#1338
Sponsored-by: On-Waves ehf
This commit adds the client code to get subscriber information from a
remote server. It provides an IPA over TCP connection to transmit and
receive GSUP messages.
Sponsored-by: On-Waves ehf
Currently the message structure is not cleared before the message is
parsed which can cause information leaking between messages if the
same gprs_gsup_message object is used. Especially list elements (auth
tuples and pdp info) are not replaced by an IE, but the IE is
appended.
This patch uses the assignment operator to clear gprs_gsup_message,
gsm_auth_tuple, and gprs_gsup_pdp_info before using them. This also
replaces the use of memcpy of the latter.
Sponsored-by: On-Waves ehf
Currently auth tuples are always appended to the lists when
gprs_gsup_decode is called with a gsup_msg structure. This makes a
test case fail, where the same gsup_msg is used again and again
without clearing it after each use.
Sponsored-by: On-Waves ehf
Currently, the gprs_gsup_decode function doesn't check the return
value of gprs_shift_v_fixed before using the value pointer. The
function fails, if the GSUP message length (not including IPA
headers) is 0. In this case, a segfault can happen, depending on the
value of the uninitialized 'value' pointer. The test case doesn't
trigger a segfault, but valgrind complains about reading
uninitialized data.
This patch adds a check for the return value that would return with
an error code if the shift function failed.
Sponsored-by: On-Waves ehf
Currently, the tests only use valid GSUP messages. This does not
check the robustness of the parser.
This commit adds a test for truncated messages and another for
modified messages.
Thanks to Holger for the basic truncation test.
Sponsored-by: On-Waves ehf
Currently the mocked bssgp_tx_dl_ud function used for testing in
sgsn_test.c does not free the msg as it is done by the original
function. This leads to a msgb leak in the test.
This patch fixes the test code accordingly and uncomments the
assertion that checks for left-over msgbs.
Sponsored-by: On-Waves ehf
This commit adds talloc reports to log remaining chunks after the
testing has been finished. It also adds a (currently disabled) check,
that no msgbs are allocated after running the tests.
Sponsored-by: On-Waves ehf
This patch extends gprs_subscr_query_auth_info and
gprs_subscr_location_update to create GSUP messages with the help of
a static gprs_subscr_tx_gsup_message function. A corresponding
gprs_subscr_rx_gsup_message is added which takes a messages, gets the
subscr, and updates it accordingly.
Sponsored-by: On-Waves ehf
[hfreyther: Added a msgb_free gprs_subscr_tx_gsup_message]
This patch adds functions to encode and decode GSUP messages. This
does not include the layer 1 framing (IPA). The messages so far
supported are: send_auth_info_*, update_location_*,
location_cancellation_*.
Sponsored-by: On-Waves ehf
Currently the result of the osmo_hexparse function in
update_subscr_insert_auth_triplet is not handled correctly. There is
a misplaced leading exclamation mark in a few conditional
expressions. This effectively disables the error checks, as it is
noticed by Coverity ("Missing parentheses" followed by "Logically
dead code").
This patch removes the exclamation marks.
Fixes: Coverity CID 1260435 and CID 1260434
Sponsored-by: On-Waves ehf
The code assumes that sqlite3.h is in the standard include
path. Maybe sqlite3 wasn't installed or resides in a non
standard (/usr/local) location? Fix the build as it has been
broken since 1st of January.
This is a normal situation under high load: The BTS is out of resources
and the BSC cannot allocate any dedicated channel. We may send an IMM
ASS REJECT back to the MS. All well within normal parameters, not an
error that needs to be reported back to the caller, who propagates it
all the way up to libosmo-abis.
Move the "logging filter imsi IMSI" into the BTS/NITB code to
allow to set the gsm_subscriber and only compare it. This way
we simply compare the subscriber address and don't have to care
if the subscriber data is still valid.
Most of the "fixes" have nothing to do with gcc-4.9.2 but are a
question of ABI/Architecture (e.g. x86 vs. AMD64). Revert these
for now.
This partially reverts commit 7b1d25a11e.
abis_test.c: In function ‘test_simple_sw_config’:
abis_test.c:68:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - simple_config, descr[0].len);
^
abis_test.c: In function ‘test_dual_sw_config’:
abis_test.c:111:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - dual_config, descr[0].len);
^
abis_test.c:115:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[1].start - dual_config, descr[1].len);
^
abis_test.c: In function ‘test_sw_selection’:
abis_test.c:132:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - load_config, descr[0].len);
^
abis_test.c:136:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[1].start - load_config, descr[1].len);
I'm merging this code, as it is proven to be very useful. The only
reason to keep it out of master was the fact that the UDP data
structures it sends are non-portable, so you can only run it reliably on
localhost or between identical systems (hardware/compiler/os).
As this hasn't been fixed in the past >= 2 years, I am merging the code
now anyway. We can still introduce a portable protocol by increasing
the protocol version at a later point.
There are two options:
a) we make 'struct gsm_meas_rep' portable. This requires an ABI
change with libosmocore, as it contains struct gsm_meas_rep_unidir :(
b) we introduce a completely separate wire format with corresponding
encoding and decoding functions.
In fact, the DB write code has been split out so we could later also
have a binary that would listen to realtime meas_feed packets and stuff
them into a database without any intermediate PCAP step.
The database schema contains a couple of convenience wrapper views, most
notably the "overview" view.
This extends osmo_nitb to offer a UDP feed of real-time measurement
reports, which can be used by (a variety of) external tools for
visualization or other processing.
We also add a small ncurses based tool (meas_vis) which shows a
baragraph display of the last few mobile stations that were active,
indicating their uplink/downlink receive level and quality.
<WARNING>
This sends non-portable structures like gsm_meas_rep over UDP
and assumes the receiver has identical alignment and endianness! Before
this feature is merged, it either needs to be converted to a unix domain
socket (but they don't do multicast, which would be nice) or the wire
format needs to change into something portable with defined alignment
and encoding
</WARNING>
The idea of ts_alloc()/ts_free() dates back to the very early days of
OpenBSC, where we didn't yet have a fixed PCHAN type assigned for every
lchan in a BTS. However, ever since, PCHAN types (channel combinations)
are configured by OML in a certain way, and we only allocate LCHANs
inside PCHANs of a matching type. There should be no PCHANs with
type GSM_PCHAN_NONE, unless those that you don't want to use for
administraive reasons or the like.
show net with an CCCH+SDCCH/4+CBCH channel active caused bts_chan_load to read
from invalid memory. Fix this by making sure the pchan array is large enough.
==30346==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9bdc5dc8 at pc 0x5aeece bp 0x7fff9bdc5350 sp 0x7fff9bdc5348
READ of size 4 at 0x7fff9bdc5dc8 thread T0
#0 0x5aeecd in bts_chan_load /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/chan_alloc.c:490
#1 0x5af706 in network_chan_load /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/chan_alloc.c:511
#2 0x4b7410 in net_dump_vty /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_vty.c:208
#3 0x4b5f23 in show_net /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_vty.c:227
#4 0x7fdabaa425bd in cmd_execute_command_real /home/alphaone/scm/osmo/libosmocore/src/vty/command.c:2042
#5 0x7fdabaa3f124 in cmd_execute_command /home/alphaone/scm/osmo/libosmocore/src/vty/command.c:2077
#6 0x7fdabaa850e9 in vty_command /home/alphaone/scm/osmo/libosmocore/src/vty/vty.c:402
#7 0x7fdabaa75962 in vty_execute /home/alphaone/scm/osmo/libosmocore/src/vty/vty.c:666
#8 0x7fdabaa6d947 in vty_read /home/alphaone/scm/osmo/libosmocore/src/vty/vty.c:1408
#9 0x7fdabaa9165f in client_data /home/alphaone/scm/osmo/libosmocore/src/vty/telnet_interface.c:119
#10 0x7fdaba7860b6 in osmo_select_main /home/alphaone/scm/osmo/libosmocore/src/select.c:160
#11 0x43c656 in main /home/alphaone/scm/osmo/openbsc/openbsc/src/osmo-nitb/bsc_hack.c:355
#12 0x7fdab92604bc (/lib64/libc.so.6+0x224bc)
#13 0x43b6cc (/home/alphaone/local/osmo-asan/bin/osmo-nitb+0x43b6cc)
Address 0x7fff9bdc5dc8 is located in stack of thread T0 at offset 232 in frame
#0 0x4b5faf in net_dump_vty /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_vty.c:182
This frame has 3 object(s):
[32, 40) ''
[96, 104) ''
[160, 224) 'pl'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/chan_alloc.c:490 bts_chan_load
==25637==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff3f587c43 at pc 0x5bf591 bp 0x7fff3f587630 sp 0x7fff3f587628
READ of size 4 at 0x7fff3f587c43 thread T0
#0 0x5bf590 in tv_fixed_put /home/alphaone/local/osmo-asan/include/osmocom/gsm/tlv.h:237
#1 0x5b7e14 in generate_si4 /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:607
#2 0x5b488b in gsm_generate_si /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:882
#3 0x4cb247 in gsm_bts_trx_set_system_infos /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:166
#4 0x4d3c26 in bootstrap_rsl /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:272
#5 0x4ced44 in inp_sig_cb /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:316
#6 0x7f4f15b563d7 in osmo_signal_dispatch /home/alphaone/scm/osmo/libosmocore/src/signal.c:105
#7 0x7f4f156c0e3f in e1inp_int_snd_event (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x17e3f)
#8 0x7f4f156be7e5 in e1inp_event (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x157e5)
#9 0x583a6a in ipaccess_sign_link /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bts_ipaccess_nanobts.c:675
#10 0x7f4f156e63b0 in handle_ts1_read (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x3d3b0)
#11 0x7f4f156e4f4e in ipaccess_fd_cb (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x3bf4e)
#12 0x7f4f15b540b6 in osmo_select_main /home/alphaone/scm/osmo/libosmocore/src/select.c:160
#13 0x43c656 in main /home/alphaone/scm/osmo/openbsc/openbsc/src/osmo-nitb/bsc_hack.c:355
#14 0x7f4f1462e4bc (/lib64/libc.so.6+0x224bc)
#15 0x43b6cc (/home/alphaone/local/osmo-asan/bin/osmo-nitb+0x43b6cc)
Address 0x7fff3f587c43 is located in stack of thread T0 at offset 483 in frame
#0 0x5b712f in generate_si4 /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:580
This frame has 8 object(s):
[32, 40) ''
[96, 104) ''
[160, 164) 'rc'
[224, 232) 'si4'
[288, 296) 'cbch_lchan'
[352, 360) 'restoct'
[416, 420) 'l2_plen'
[480, 483) 'cd'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alphaone/local/osmo-asan/include/osmocom/gsm/tlv.h:237 tv_fixed_put
We can now configure the pyisical channel types for CBCH either in the
CCCH+SDCCH4 or in the SDCCH8 chanel combination.
Depending on whether a CBCH exists on the BTS, we also generate the SI4
with matching CBCH channel description to notify the phones of the
existance of the CBCH.
There is now a VTY command how a SMS-CB message can be sent to a given
BTS.
We do not yet have any logic at all for actual scheduling of multiple
CBCH RSL messages towards one or multiple BTSs yet, though.
We tend to comment out this code every XXC3, let's just get rid
off it. The nanoBTS has a rather odd timing behavior. Jacob has
spent hours this summer to trial/document/fix it in the MGCP code
and this code is not getting close to working around the ip.access
audio issues.
If someobody still wants to use the nanoBTS then he should help
to have the MGCP MGW use/share code with the rtp_proxy.c
This implements the MAP way of subscriber validation when the MS
tries to perform an Attach Request:
1. perform authentication (optionally invoke the sendAuthInfo
procedure), starts the Auth & Ciph procedure
2. perform update location
3. insert subscriber data
4. finish the update location
5. Attach Accept / Attach Reject
The authentication triplets are used and eventually updated if all of
them have been used.
This is currently accessible via the VTY interface by the following
commands:
- update-subscriber imsi IMSI update-auth-info
- update-subscriber imsi IMSI update-location-result (ok|ERR-CAUSE)
Sponsored-by: On-Waves ehf
This commit add data structures, functions, initialization, and VTY
commands for per subscriber authentication triplets.
The following VTY command is added:
- update-subscriber imsi IMSI \
insert auth-triplet <1-5> sres SRES rand RAND kc KC
Note that the triplets are not really used by the SGSN yet.
Sponsored-by: On-Waves ehf
Currently, when a BSSGP SUSPEND is received and the corresponding MM
context is already in the state GMM_REGISTERED_SUSPENDED, a
SUSPEND_NACK is returned which is not covered by GSM 08.18, 7.4.1.
The same goes for RESUME in the state GMM_REGISTERED_NORMAL.
This commit changes gprs_gmm_rx_suspend and gprs_gmm_rx_resume to not
complain (and thus answer a NACK) when the MM context is either in
GMM_REGISTERED_SUSPENDED or GMM_REGISTERED_NORMAL.
Note that GSM 08.18, 7.4.1 and 7.5.1 only mention to send an NACK if
the MS is not known. Even with this patch, the SGSN returns a NACK if
either the MS is unknown _or_ the MM context ist not in one of the
state GMM_REGISTERED_SUSPENDED and GMM_REGISTERED_NORMAL.
Sponsored-by: On-Waves ehf
Currently the parser functions for single information elements are
defined within gprs_gb_parse.c and not exported explicitely. In
addition they are named like libosmocore's TLV parser functions and
do not have a proper name prefix. Since it is planned to use them for
other protocols, they need to be globally accessible.
This patch moves them to gprs_utils.c and renames them.
The new names are:
lv_shift -> gprs_shift_lv
v_fixed_shift -> gprs_shift_v_fixed
lv_shift -> gprs_shift_lv
v_fixed_shift -> gprs_shift_v_fixed
In the long term, these functions should be moved to libosmocore (and
renamed again).
Sponsored-by: On-Waves ehf
The new lchan will be in speech mode already but for AMR we will
need to provide a working multirate config in the channel activation,
otherwise the channel act might be nacked.
Copy the config from the current lchan into the new lchan. The
abis code simply added the mrconf if the speech mode was amr.
Before this commit the invalidate mrconf with all zeroes was
copied/sent.
In case of a ho_chan_activ_nack (sent due another bug inside
both sysmobts and openbsc) the code would not stop the timer
but free the datastructure. This can lead to a clear segfault
when the timer has expired. Create a "free" function which is
responsible to detach the handover structure, stop the timer
(which is idempotent) and free the structure.
In case a BTS is dropped, iterate over the list of BTS and check
if a dependency is now missing and then drop the BTS. This check
could lead to check of 256*256 checks (e.g. all BTS on each other
in the chain and the master is being dropped). The performance
aspect of it doesn't matter for our usecase. We expect to have
pairs of BTS right now.
E.g. for the sysmoBTS2050 we have the requirement that the first
board connects before the second due clocking. The easiest point
to enforce this is the BSC. Add a simple bitmask based system to
allow to express dependencies for IP based systems.
This commit mainly extends sgsn_auth.c to use and support the
auth_state SGSN_AUTH_AUTHENTICATE. It will be activated when IMSI and
IMEI are available, authentication is required
(subscr->sgsn_data->authenticate is set), but the MM context is not
marked as authenticated. If the state has been set to
SGSN_AUTH_AUTHENTICATE and sgsn_auth_update() is called, the GMM
layer will be informed by invoking gsm0408_gprs_authenticate().
Sponsored-by: On-Waves ehf
Currently the Authentication and Ciphering procedure is not yet
invoked by the GMM layer.
This patch starts this procedure from within gsm48_gmm_authorize when
the mm->auth_state has been set to SGSN_AUTH_AUTHENTICATE and a call
to gsm0408_gprs_authenticate has been issued directly or indirectly
by the call to sgsn_auth_request.
Sponsored-by: On-Waves ehf
Currently the gprs_subscr_update function is called when the
'update-subscriber ... insert ...' command is executed. This will
eventually notify the GMM layer which is rather the purpose of the
'commit' command.
This patch removes the call from update_subscr_insert.
Sponsored-by: On-Waves ehf
There will be an increasing number of SGSN related fields per
subscriber. Instead of extending gsm_subscriber accordingly, a single
struct sgsn_subscriber_data object is assigned to it. The talloc
context used to allocated that object is the subscr object itself.
Therefore it will be freed automatically along with the subscr
object.
Sponsored-by: On-Waves ehf
This adds the following commands to the ENABLE node:
- show subscriber cache
- update-subscriber imsi IMSI insert authorized (0|1)
- update-subscriber imsi IMSI cancel
- update-subscriber imsi IMSI commit
These commands are mainly testing tools and maintenance helpers. The
update commands work asynchronously and can be used to complete a
pending update request or to terminate an existing connection. The
'insert' command just update the subscriber records but does not
notify the GMM layer. Invoke the 'commit' command to continue with
pending procedures.
Note that the subscriber cache is not stored persistently and will
always be empty after an SGSN restart.
Sponsored-by: On-Waves ehf
This function is called to delete an established MM context
silently without invoking a detach procedure.
It is called when a subscriber is cancelled by the HLR. This
generally happens, when an MS has moved to another routing area and
has to use another SGSN.
Sponsored-by: On-Waves ehf
This commit adds a new authorization policy 'remote' and uses
the subscriber cache for authorization when this policy is being used.
Note that there is no remote backend implemented yet. After the
IMSI/IMEI have been acquired, a request would be sent to the remote
peer. The attach/auth-ciph procedure continues when authorization
info has been received from the peer. This means, that
gprs_subscr_update() must be called then to tell the GMM layer
that it can proceed. A later commit will add VTY commands to do this
manually.
Sponsored-by: On-Waves ehf
This patch adds GPRS specific functions for gsm_subscriber objects
(allocation, retrieval, deletion) and subscriber data
requests/updates. The sgsn_update_subscriber_data callback is used to
notify the sgsn about updates and is extended by a parameter that
passes a reference to a gsm_subscriber.
Sponsored-by: On-Waves ehf
Currently the keep_subscr flag in gsm_subscriber_group refers to a
whole group of subscribers which makes it difficult to really delete
single entries if the flag is set.
This patch adds a keep_in_ram field to gsm_subscriber which allows for
keeping subscriber objects in RAM while deleting others.
Note that really deleting an entry requires that both flags
(subscr_group->keep_subscr and subscr->keep_in_ram) are set to 0. So
only the latter should be used if a specification requires the
deletion of a subscriber entry.
Sponsored-by: On-Waves ehf
The trans_alloc function still uses the subscr object to access the
network object.
This patch adds an explicit net parameter to this function and
removes the access to subscr to obtain it.
Sponsored-by: On-Waves ehf
Currently the SRES value in the Auth & Ciph Response is ignored.
This patch checks the SRES value in response against the value stored
in mm->auth_triplet.sres. If they don't match, an Auth & Ciph Reject
message is sent to the MS. If they match, the mm->is_authenticated
flag is set.
Note that the procedure will not be started yet.
Sponsored-by: On-Waves ehf
Currently mmctx_timer_start is called from within
gsm48_tx_gmm_auth_ciph_req which differs from the way e.g. the
identification procedure is implemented. It also makes it more
difficult to restart the procedure after timeout, which is not
implemented yet. In addition, the timer is not properly stopped when
an AUTH & CIPH response is received.
This patch removes this timer start from gsm48_tx_gmm_auth_ciph_req,
adds the retransmission of Auth & Ciph requests to the timer callback
function, and properly stops the timer in
gsm48_rx_gmm_auth_ciph_resp.
Sponsored-by: On-Waves ehf
Currently gsm48_tx_gmm_auth_ciph_req/_rej are commented out. In
addition, gsm48_tx_gmm_auth_ciph_req uses a wrong encoding (two byte TV instead of two nibbles TV) of the CKSN information element.
This patch fixes the encoding of the CKSN IE and enables the
functions mentioned above.
Sponsored-by: On-Waves ehf
Currently every subcriber object directly refers to the gsm_network
which contains a flag shared by every related subscriber
(keep_subscr). This adds a dependency on gsm_network even if only the
function defined in gsm_subscriber_base.c are used.
This patch adds a new struct gsm_subscriber_group which contains the
keep_subscr flag and a back reference to the network object. The
latter is not dereferenced in gsm_subscriber_base.c, so it can safely
be set to NULL when only that part of the gsm_subscriber API is being
used. It also changes that API to use gsm_subscriber_group instead of
gsm_network parameters.
Since there are some places where a pointer to the gsm_network is
needed but where only a gsm_subscriber is available, a 'net' back
pointer is added to the group struct, too. Nevertheless subscr group
and network could be separated completely, but this is not the topic
of this commit.
Sponsored-by: On-Waves ehf
Currently the net pointer is obtained from trans->subscr->net. On the
other hand, the list gsm_trans object is managed by the net object.
This patch adds the back pointer to the structure and replaces all
trans->subscr->net by trans->net expressions. In trans_alloc() the
trans->net pointer is obtained from the subscr object.
Sponsored-by: On-Waves ehf
The commit "sgsn: Don't send XID reset after Detach Accept" fixed the
SGSN to not respond to a Detach Accept message when there is no MM
context.
This patch adds a test case to verify, that there is really no
message sent in that case.
The test fails when the commit mentioned aboved is reverted.
Sponsored-by: On-Waves ehf
Currently the expected P-TMSI generated by the SGSN is hard-coded
into the test. This adds a dependency on the implementation of rand()
and thus the libc used. This breaks the test e.g. on FreeBSD.
This patch modifies test_gmm_attach() to srand(1) first, generate the
P-TMSI, and finally srand(1) again before starting the test.
Sponsored-by: On-Waves ehf
Currently when the MS does a re-attach without doing a proper detach
first, the gbproxy uses the old local TLLI if patching and the keep
mode are enabled. This leads to a failing attachment procedure when
TLLI patching is also enabled.
This patch changes gbproxy_update_link_state_ul to reset all TLLIs
within the link_info if the message contains an unknown TLLI and an
MI. This is generally the case with Attach Request messages.
The gbproxy_get_link_info_ul gets an additional tlli_is_valid
output parameter that is set, when a TLLI was present and found.
This flag is then used instead of checking tlli.current == 0 to
set TLLI/P-TMSI e.g. Attach Requests when a link_info was already
present for the P-TMSI/IMSI used in such a request.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
Increase the bcch_change_mark and generate a new copy of the
system information. Make the method public, add a small test
case. Manually verified using the FakeBTS. I don't know if
the MS will re-read these SIs.
Related: SYS#739
The session name must be present in a SDP file. The RFC proposes
to use a space for it but the other equipment is using the dash
so I have picked that as well.
RFC 4566:
The "s=" field is the textual session name. There MUST be one and
only one "s=" field per session description. The "s=" field MUST NOT
be empty and SHOULD contain ISO 10646 characters (but see also the
"a=charset" attribute). If a session has no meaningful name, the
alue "s= " SHOULD be used (i.e., a single space as the session
name).
Fixes: RT#2196
To implement subscriber based authorization a data structure is
needed that keeps the subscriber data. The MSC already uses a similar
struct named gsm_subscriber whose implementation is split into a
generic part (allocation, retrieval, reference counting, list
maintenance) and MSC related parts. For GPRS, only the generic part
will be used and specific fields may be added when needed.
This patch adds a field mm to struct gsm_subscriber that will be used
by the SGSN to store a reference to the current MM context (or NULL
if there is none). This also adds a field subscr to struct
sgsn_mm_ctx that reversely points to a gsm_subscriber (or NULL if
there is none). Either both fields are NULL or both fields are
non-NULL. Note that subscr is being reference counted.
Sponsored-by: On-Waves ehf
Currently the function in sgsn_auth.c either have an sgsn_config or
an sgsn_instance parameter. Since then global sgsn variable is
already being used in that file and since other parts of the SGSN
related code also rely on a global sgsn singleton, these parameters
pretend to provide a flexibility that is not really supported.
Therefore this patch removes these parameters except for the ACL
related functions, which do not call code that uses the sgsn
variable.
Sponsored-by: On-Waves ehf
Currently the authorization is done in sgsn_auth_request for ACL
based authorization. This doesn't match the way remote authorization
would work, so that there is a second call to sgsn_auth_state already
present in sgsn_auth_update.
This patch removes the autorization check completely from
sgsn_auth_request which in turn calls sgsn_auth_update directly now.
Sponsored-by: On-Waves ehf
Currently every time an RA Update Req or an Attach Req is processed, a
new P-TMSI is allocated. When an MS issues another of these messages
before it has completed the first procedure, old_ptmsi is replaced by
ptmsi (and thus lost) and ptmsi is replaced by the newly allocated
P-TMSI. This can confuse the gbproxy, which can loose track of the
logical link then. At least a Blackberry emits a double set of RA Upd
Req messages from time to time which may be just 20ms apart.
This patch adds a check whether mm->ptmsi or mm->old_ptmsi are set.
If both are set, the P-TMSI is not re-allocated. This is only the
case, when the Complete message has not been received yet, since that
message will reset old_ptmsi.
Sponsored-by: On-Waves ehf
Currently when a Detach Accept is received for an unknown TLLI (which
is in general the case afer the SGSN has requested the detachment),
an XID reset is sent to the BSS, causing a BSSGP Status message. This
happens in gsm0408_rcv_gmm.
This patch moves the corresponding call to gprs_llgmm_reset downwards
so that it is not being called in that case.
Addresses:
SGSN->BSS TLLI: 0xd75b91d9 SAPI: LLGMM, UI (DTAP) (GMM) Detach Request
BSS->SGSN TLLI: 0xd75b91d9 SAPI: LLGMM, UI (DTAP) (GMM) Detach Accept
SGSN->BSS TLLI: 0xd75b91d9 SAPI: LLGMM, U, XID (Reset, IOV-UI)
BSS->SGSN TLLI: --- BSSGP STATUS (Unknown MS)
Sponsored-by: On-Waves ehf
Currently, the LLME is not cleaned up after sending an RA Update
Reject. This happens after entering a routing area from outside,
since in that case the SGSN sends an RA Update Reject (implicitly
detached) which causes the MS to restart the attach procedure.
The LLME is also not updated if an Attach Request with message errors
(encoding, invalid MI type) is received or if an MM context cannot be
allocated.
This patch changes gsm48_rx_gmm_ra_upd_req and gsm48_rx_gmm_att_req
to unassign the LLME or free the MM context (if available) after a
Reject message has been sent.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
Currently the VTY 'auth-policy' command results in setting or clearing
the acl_enabled flag. This also enables the matching of the MCC/MNC
prefix of the IMSI.
This patch adds an additional policy 'acl-only' which disables the
MCC/MNC matching and relies on the ACL only.
Sponsored-by: On-Waves ehf
Currently the authorization of an IMSI is done by checking ACLs
synchronously which is not feasible when the subscriber data has to
be retrieved from an external source.
This patch changes this by using a callback when the information is
available. This is also done when only ACL are checked, in this case
the callback is invoked from within sgsn_auth_request(). The callback
function sgsn_update_subscriber_data calls sgsn_auth_update which
in turn calls either gsm0408_gprs_access_granted or
gsm0408_gprs_access_denied. gsm48_gmm_authorize is extended by a call
to sgsn_auth_request when IMSI and IMEI are available but the
auth_state is unknown.
The change has been successfully tested with single phones (E71 and
IPhone 5c).
Sponsored-by: On-Waves ehf
Currently the IMSI is only checked immediately when an Attach Request
is received that contains an IMSI IE. If it contains a P-TMSI
instead, access is always granted.
This commit moves the IMSI check to gsm48_gmm_authorize where it is
applied when IMSI and IMEI have been acquired. This fixes the
authorization when the Attach Accept doesn't contain an IMSI.
Sponsored-by: On-Waves ehf
Currently when forceing a reattach by sending a Detach
Request (reattach), the SGSN waits for the Detach Accept until it
frees the MM context (if present) and the LLME. If that message gets
lost or isn't sent by the MS, the LLME is never freed if it isn't
bound to an MM context.
This patch adds code to free the MM context/LLME when forcing a
reattachment.
Sponsored-by: On-Waves ehf
This patch replaces gsm0408_gprs_force_reattach(msg, mmctx) by two
functions
- gsm0408_gprs_force_reattach(mmctx)
- gsm0408_gprs_force_reattach_oldmsg(msg)
The old function basically consists of the code of the two new
functions, where the code path selected depends on mmctx == NULL,
which is harder to maintain, less obvious to use, and not consistent
with many other SGSN functions.
Sponsored-by: On-Waves ehf
Currently the MM context isn't always removed when it is
de-registered (mmctx_timer_cb), mm_state is set to GMM_DEREGISTERED
instead. This can lead to left-over MM contexts which are only
cleaned up if the MS reattaches.
This patch replaces all of these assignments by a call to
mm_ctx_cleanup_free.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
Currently the GMM state is set to GMM-REGISTERED when an Attach
Accept or a RA Update Accept message is sent, even if a new P-TMSI is
included. In this case 04.08 requires (see 4.7.3.1.3 and 4.7.5.1.3),
that the state is set to GMM-COMMON-PROCEDURE-INITIATED when the
Accept is sent. When the Complete is received, the SGSN shall set
the state to GMM-REGISTERED.
This patch modifies the state updates accordingly.
Sponsored-by: On-Waves ehf
Currently the order of the 'if' clauses in gsm48_gmm_authorize
doesn't match the order in which the conditional parts are entered.
This makes it difficult to maintain. In addition the t3350_mode is
not stored in every path, so that this information is lost when the
identification procedure is started. Since the default value
coincidentally is GMM_T3350_MODE_ATT, this doesn't hurt for Attach
Requests which are the only messages that initially trigger the
authentication yet.
This patch changes the order of the 'if' clause to match the
processing order, it removes the t3350_mode parameter entirely and
introduces a mm->pending_req field. The latter must be set when the
request that causes the authorization before calling
gsm48_gmm_authorize. The gprs_t3350_mode enum is extended by
GMM_T3350_MODE_NONE (value 0, which is the default) to make it
possible to detect related initialisation errors or race conditions.
Sponsored-by: On-Waves ehf
Since it is planned to use struct gsm_subscriber to manage subscriber
data in the SGSN, this file which contains the generic subscriber
related methods is moved to libcommon.
Sponsored-by: On-Waves ehf
Currently libcommon depends on libbsc, because gsm_network_init
(libcommon/gsm_data.c) directly calls gsm_net_update_ctype
(libbsc/gsm_04_08_utils.c).
This patch moves gsm_network_init to a new file libbsc/net_init.c.
Sponsored-by: On-Waves ehf
This test checks the attach procedure until the Attach Complete is
received.
Note that authorization and GMM state updates are not working
properly yet.
Sponsored-by: On-Waves ehf
This replaces serveral occurences of duplicated code for message
creation and sending (passing to gsm0408_gprs_rcvmsg) into a single
function. In addition, the sgsn_tx_counter is always reset within
send_0408_message to simplify the code that checks for the number of
messages sent.
Sponsored-by: On-Waves ehf
Currently gbproxy_make_sgsn_tlli always returns a foreign TLLI when
it uses the (SGSN) P-TMSI to generate one.
This patch changes the implementation to return a SGSN TLLI of the
same type like the BSS TLLI in that case.
Sponsored-by: On-Waves ehf
Currently the sign_link pointer is dereferenced after a call to
osmo_signal_dispatch, which can indirectly call
e1inp_sign_link_destroy. If that happens, accessing *sign_link is
illegal and can lead to a segmentation violation.
Since only the bts pointer is needed from sign_link after the call to
osmo_signal_dispatch, this patch changes abis_nm_rcvmsg_fom to save
that pointer to a local variable earlier.
Addresses:
<0019> input/ipa.c:250 accept()ed new link from 192.168.1.101 to port 3002
SET ATTR NACK CAUSE=Message cannot be performed
<0005> bsc_init.c:52 Got a NACK going to drop the OML links.
<001b> bsc_init.c:319 Lost some E1 TEI link: 1 0xb351a830
=================================================================
==13198== ERROR: AddressSanitizer: heap-use-after-free on address 0xb5d1bc70 at pc 0x80a6e3d bp 0xbfbb33d8 sp 0xbfbb33cc
Sponsored-by: On-Waves ehf
In case a BTS is being bootstrapped and one TS can not be
activated prevent the whole BTS from coming up.
When the OML activation is not being done the rest of the BSC
code still assumes these logical channel(s) to be available
and one will see channel activation issues that might be hard
to debug.
Instead of having a half-configured system up and running,
keep the BTS offline.
Currently the LLME is not deleted when a GMM Status message is
received for which a mmctx cannot be found. This can fill the LLME
list with unneeded entries.
This patch adds code to unassign the LLME in that case.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
The following functions are not being used:
- gsm48_tx_gmm_status_oldmsg
- gsm48_tx_sm_status_oldmsg
This patch removes the function definitions.
Sponsored-by: On-Waves ehf
Some switches do not like to receive the IPA PING/PONG messages.
Allow to disable the handling with "no timeout-ping" and create
test cases that verify the switching between the modes. Change the
code to trat <= 0 as an invalid timeout.
Fixes: SYS#713
Currently the temporary string 'tmp' is freed before parts of it are
referenced. This lets address sanitizer complain when evaluating
strlen(imsi), where imsi points into the 'tmp' data block.
This patch moves the talloc_free to the end of the function and uses
a rc variable instead of using early returns.
Addresses:
testSubscriberAddRemove (__main__.TestCtrlNITB) ... Launch:
./src/osmo-nitb/osmo-nitb -c
./doc/examples/osmo-nitb/nanobts/openbsc.cfg -l test_hlr.sqlite3
Connecting to host 127.0.0.1:4249
Sending "SET 1000 subscriber-modify-v1 2620345,445566"
Decoded replies: {}
ERROR
Sponsored-by: On-Waves ehf
Currently, when a Detach Request is received with an unknown TLLI,
it is answered by another Detach Request (!), even when a power_off
Type is used.
This patch uses gsm48_rx_gmm_det_req to handle the message instead.
So this function is changed to cope with a NULL mmctx. In that case
it doesn't unassign the llme, so this must be done manually
afterwards.
Sponsored-by: On-Waves ehf
Currently, every time the SGSN received a Detach Request from the MS
via an established logical link, it is answered by a Detach Accept.
This violates the specification (GSM 04.08, 4.7.4.1.2 and .3), which
states, that it should only be sent, if "the detach type IE value
indicates that the detach request has not been sent due to switching
off".
This patch adds a conditional to limit the sending of Detach Accept
accordingly.
Sponsored-by: On-Waves ehf
Currently only a Detach Request (MO) message with power_off = 0 is
checked.
This commit adds a new test case with power_off set to 1. It also
adds checks for the number of messages generated by the SGSN to
verify that these messages are handled differently.
Note that the handling of power_off isn't implemented yet. Therefore
the corresponding assertion is being disabled yet.
Sponsored-by: On-Waves ehf
Currently the ACL code is located in sgsn_vty.c.
This commit moves this to a new file sgsn_auth.c as a first step to
make authorization more flexible in order to implement remote
acquisition on subsciber data.
Sponsored-by: On-Waves ehf
Currently each received Ident Resp triggers an Attach Accept/Reject
if IMSI and IMEI are known. This has led to duplicated Attach Accept
messages when used with the gbproxy (IMSI acquisition active) and
with certain mobile equipment (iOS).
This patch modifies gsm48_rx_gmm_id_resp to discard Ident Resp messages
if all required information (IMEI and IMSI) has been gathered.
Ticket: OW#1322
Sponsored-by: On-Waves ehf
Currently the P-TMSI IE in PAGING_PS is not patched.
This commit adds code to patch BSSGP P-TMSI IE in
gbproxy_patch_bssgp independently from the P-TMSI patching at the LLC
layer. It also extends gbproxy_update_link_state_dl to use the IMSI
to find the link_info if the TLLI is not present in the message.
Note that the spec (GSM 08.18, 7.2) requires to use of the P-TMSI
instead of the IMSI to select the MS if that IE is available.
Nevertheless as long as the IMSI is always present in downlink BSSGP
messages and as long as the optional P-TMSI refers to the same MS
(which is the case currently), this is not an issue.
Sponsored-by: On-Waves ehf
Currently, when P-TMSI patching is enabled, a new BSS P-TMSI is
generated for each Attach Accept. So two duplicated, subsequent
Attach Accept messages will be mapped to different BSS side P-TMSI.
Because the last one will replace former ones in the link_info
struct, the MS will fail to access the SGSN if it uses the former
P-TMSI to derive the new TLLI.
This patch checks the SGSN P-TMSI already assigned to the link_info
and only generates a new BSS P-TMSI on mismatch (or if the BSS P-TMSI
hasn't been set yet).
Ticket: OW#1322
Sponsored-by: On-Waves ehf
This adds a test case to check gbproxy's behaviour when processing
two subsequent but identical Attach Accept messages.
Ticket: OW#1322
Sponsored-by: On-Waves ehf
This patch adds assertions to check the LLC/GMM message received from
the gbproxy by the test framework within the function
test_gbproxy_keep_info.
It also fixes the source address of the DETACH ACC messages.
Sponsored-by: On-Waves ehf
The osmo-sgsn sends Status messages (or nothing in case of non
GMM/GSM) when the TLLI is unknown. This prevents the MS from
reconnecting.
This patch adds the initiation of an MT detach procedure to force a
re-attach to set up a valid LLE context if an LLE or an MM context
cannot be found. Since this can also be triggered by non-GMM SAPI
messages, a GPRS application callback sgsn_force_reattach_oldmsg is
added which in turn calls the GMM layer to generate the GSM 04.08
specific messages.
Note that the MS can be left in REGISTERED state after initially
wanting to detach itself, since it will receive a Detach Req
(re-attach) when sending a DEACT PDP CTX REQ after the SGSN or
gbproxy (P-TMSI patching enabled) has been restarted. This same
behaviour has been observed with another SGSN.
Sponsored-by: On-Waves ehf
Currently the PDP contexts are hard freed (via sgsn_pdp_ctx_free)
at some places in gprs_gmm.c on the reception of a Detach Req and on
re-use of an IMSI that is already associated with an MM context. This
can lead to segfaults when there is a pending request or a data
indication at libgtp.
This patch add a new function sgsn_pdp_ctx_terminate that de-associates
the PTP context from the MM context, deactivates SNDCP, sets pdp->mm
to NULL and then calls sgsn_delete_pdp_ctx. sgsn_libgtp is updated to
check for pdp->mm being non-NULL before dereferencing it. The
sgsn_pdp_ctx_terminate function will be called for each PDP context of
an MM context before this context is going to be deleted via
sgsn_mm_ctx_free. To ensure, that the ctx->llme (which is accessed
during the deactivation of SNDCP) remains valid, the call to
gprs_llgmm_assign is moved after the call to sgsn_mm_ctx_free. The
handling of re-used IMSIs is changed to mimic the processing of a
Detach Req.
Addresses:
<0002> gprs_gmm.c:654 MM(/f6b31ab0) Deleting old MM Context for same
IMSI p_tmsi_old=0xc6f19134
<000f> gprs_sgsn.c:259 PDP freeing PDP context that still has a
libgtp handle attached to it, this shouldn't happen!
[...]
SEGFAULT
Ticket: OW#1311
Sponsored-by: On-Waves ehf
Currently the timer is not stopped before the MM context is freed
which can lead to failure if sgsn_mm_ctx_free is called while timer
protected procedures are active.
This patch add code to cancel the timer if necessary from within
sgsn_mm_ctx_free.
Ticket: OW#1322
Sponsored-by: On-Waves ehf
Currently the code segfaults when the link shall be deleted by IMSI
when the IMSI has not been set yet.
This patch adds a NULL check to skip the entry before calling
gsm48_mi_to_string,
Adresses:
Program received signal SIGSEGV, Segmentation fault.
0xb693af77 in gsm48_mi_to_string (string=0xbfffe020 "", str_len=200,
mi=0x0, mi_len=0) at gsm48.c:360
360 mi_type = mi[0] & GSM_MI_TYPE_MASK;
str_len=200, mi=0x0, mi_len=0) at gsm48.c:360
self=0x807c9a0 <delete_gb_link_by_id_cmd>, vty=0xb4303c70,
argc=3, argv=0xbfffe1c0) at gb_proxy_vty.c:670
...
Sponsored-by: On-Waves ehf
Coverity complains about having side effects in OSMO_ASSERT argument
expressions. This would be an issue in this case, because that
variable is only reference in other OSMO_ASSERT expressions.
Nevertheless this patch changes this to assign the variable outside
of OSMO_ASSERT.
Fixes: Coverity CID 1244239
Sponsored-by: On-Waves ehf
Currently all PTP messages are in general forwarded to the SGSN even
when the BVCI is not known to the gbproxy. Only if message patching
is active and the peer cannot be determined, a log message is
generated, a STATUS message returned, and the message discarded.
The intention for this was to keep the old gbproxy's behaviour if
patching is disabled. But the code gets much more complex this way.
Another drawback is that when the SGSN returns a corresponding STATUS
message, it cannot be routed to the BSS where the original message
came from.
This patch therefore changes the behaviour to reject BSSGP PTP uplink
messages immediately if the BVCI is not known.
Fixes: Coverity CID 1244240
Ticket: OW#1317
Sponsored-by: On-Waves ehf
This has been re-produced using the "osmo-pcu emulator" code
and a ping to force segmented SNDCP messages. When the NS link
enters the DEAD/BLOCKED state the msgb would be freed twice.
Once inside gprs_ns_sendmsg and once by the caller. Based on the
return one can not see if the parameter has been deleted.
I changed libosmocore/libosmogb to always free the msgb in case
of an error on the way to gprs_ns_sendmsg. Catch up, avoid the
double free and fix some memory leaks. In case the sending fails
assume the entire segmented message is at end and free the
original input data.
This has been tested by posix suspending/resuming the emulator
process to have the GPRS-NS link go to dead/blocked to alive
and unblocked. The ping recovers and "SIGUSR1" to the SGSN does
not show active memory allocations.
The SGSN calls bssgp_tx_dl_ud at the lowest level and has the
following callchains. Most of them allocate the msgb and have
no early return and transfer ownership already:
<- gprs_llc_tx_u
<- gprs_llc_tx_ui
<- gsm48_gmm_sendmsg (all callers sane)
<- _tx_status
<- _tx_detach_req
<- gprs_llc_tx_xid (all callers sane)
<- sndcp_unitdata_req
<- sndcp_send_ud_frag
To get a clue which message caused the error without having to enable
LOGL_DEBUG, information about how far the parser came (message name,
parsed fields) is logged with LOGL_NOTICE along with a full hexdump
of the message.
Ticket: OW#1307
Sponsored-by: On-Waves ehf
Currently, the log level is always LOGL_DEBUG. In case of errors it
would be helpful to use a higher log level.
This patch adds a log_level parameter to gprs_gb_log_parse_context to
let the caller decide about the level.
Ticket: OW#1307
Sponsored-by: On-Waves ehf
This function tries to get an accurate name for the message even if
the parsing has been aborted due to message errors.
The patch also moves the settings of the BSSGP related fields in
parse_ctx from behind to the front of bssgp_tlv_parse, to get more
information in the case of failure. This is now consistent with the
handling of the llc and g48_hdr fields.
Id addition, gprs_gb_log_parse_context now uses the new function to
derive a more accurate message name.
Ticket: OW#1307
Sponsored-by: On-Waves ehf
Currently it is possible to set the secondary SGSN NSEI to the same
value like the (primary) SGSN NSEI. This leads to undefined behaviour
and is hard to recognize.
This patch adds checks to either NSEI configuration command to refuse
conflicting values.
Ticket: OW#1306
Sponsored-by: On-Waves ehf
Currently, ptmsi_enc and new_ptmsi_enc point to the beginning of the
mobile identity. Since all P-TMSI in 04.08 (MM) are encoded this way (1
byte header + 4 byte P-TMSI value). This is different to the P-TMSI
encoding in 08.18 (BSSGP), where the P-TMSI is encoded into 4 byte
without MI header.
This patch changes the code to use pointers to the P-TMSI value,
which is encoded in the same way in both specifications.
Sponsored-by: On-Waves ehf
Currently BSSGP PTP messages are silently dropped when the BVCI is
not known and patching is enabled. The nanoBTS will not recognize
this and continue to send messages on the BVCI. If it receives a
STATUS(BVCI unknown) instead, it will start a BVC reset procedure
instead.
This patch modifies gbprox_rx_ptp_from_bss() to return a
STATUS(BVCI unknown) to the BSS instead of dropping the message.
Sponsored-by: On-Waves ehf
Currently the parse expects a 'MS network capability' IE with
2 <= length <= 3 which is compliant to GSM 04.08, 9.4.1 but not to
GSM 24.008, 9.4.1 which specifies 3 <= length <= 9. Thus the parser
rejects messages with a length >= 4 (including length field).
This patch relaxes the length check to accept either range by
requiring 2 <= length <= 9.
Ticket: OW#1258
Sponsored-by: On-Waves ehf
Currently one regexp ('patching') is used for all matching.
This patch adds a second category 'routing' which is exclusively used
for SGSN selection. It also adds a corresponding VTY command:
- match-imsi patching RE : MS related patching (currently APN)
- match-imsi routing RE : Select secondary SGSN on match only
- no match-imsi : Clear all filter expressions
Ticket: OW#1258
Sponsored-by: On-Waves ehf
This patch modifies the match-imsi command to allow for different
match categories (currently only 'patching' is provided).
- match-imsi patching RE : Filter APN patching and routing
- no match-imsi : Clear all filter expressions
Sponsored-by: On-Waves ehf
Currently, patch filter configurations are leaking between tests.
This adds a call to gbproxy_clear_patch_filter() to the end of each
test that calls gbproxy_set_patch_filter().
Sponsored-by: On-Waves ehf
The current implementation makes it difficult to add further match
expressions.
This patch adds a new struct gbproxy_match that contains the fields
needed for each match expression. The matches (config) and the
results (link_info) are stored in arrays. All related functions are
updated to use them. The old fields in the config structure are
removed.
Sponsored-by: On-Waves ehf
This patch adds assertions to check the LLC/GMM message received from
the gbproxy by the test framework within the function
test_gbproxy_ra_patching.
Sponsored-by: On-Waves ehf
Currently the only way to check, whether the right message have been
generated is to look into the generated text output. This is
error-prone if there are many messages.
This patch adds a way to optionally store all received messages into
a FIFO. They can then be checked by calling expect_msg() which
removes the first message from the FIFO and returns a pointer to it
or NULL if there is none. The pointer is only valid until the next
call to this function.
A few convenience functions are added to check for common message
types:
- expect_gmm_msg checks for certain GSM 04.08 messages in LLC/GMM
- expect_llc_msg checks for arbitrary LLC messages in BSSGP/UD
- expect_bssgp_msg checks for arbitrary BSSG messages
Each of their arguments can be set by MATCH_ANY to ignore it while
matching. On success, they return a pointer to a statically
allocated struct containing the pointer to the msg and the full parse
context.
Recording is enabled by setting the global variable received_messages
to a pointer to a struct llist_head. It can be disabled again by
setting it to NULL.
Sponsored-by: On-Waves ehf
Currently the pointers are computed by adding an offset to the new
message's _data pointer even when the original pointer is NULL.
This leads to invalid pointers in the copied msgb.
This patch adds a NULL check to each computation such that NULL
pointers are not adjusted.
Sponsored-by: On-Waves ehf
This patch adds und uses the function gbproxy_gsm48_to_peer() which
takes a GSM 04.08 message, encapsulates it in BSSGP and LLC, and
sends it to the BSS peer. This function increments vu_gen_tx_bss
which is now used instead of imsi_acq_retries to set the N(U) of the
outgoing message.
Since imsi_acq_retries isn't currently incremented before a Detach
Accept is generated, this patch also fixes the N(U) of such messages.
Sponsored-by: On-Waves ehf
Currently then link_info is not cleaned up completely, when
gbproxy_unregister_link_info is called.
This patch adds a function gbproxy_reset_link that must be defined
externally. This is done in gb_proxy.c, where it resets the IMSI
acquisition.
Sponsored-by: On-Waves ehf
That message is currently ignored but should invalidate the TLLI and
de-register the logical link instead.
This patch extends the parser to recognize such messages and to set
the invalidate_tlli flag.
Sponsored-by: On-Waves ehf
The TLLI should also be invalidated:
- when an Attach Reject info is received from the SGSN
- when an Attach Req is immediately followed by a Detach Req
- when an Attach Req is immediately followed by an MT detach
procedure
To verify that, this patch adds corresponding message sequences to
the test.
Sponsored-by: On-Waves ehf
This fixes the IMSI length assertion, which currently uses a
greater-or-equal than zero comparison which always yields true. It is
replaced by a greater than zero check.
Fixes: Coverity CID 1239442
Sponsored-by: On-Waves ehf
A single test case still uses time() to obtain the reference time.
This commit fixes this by using the 'now' variable instead, that
contains a fixed time value and does therefore not depend on when the
test is executed.
Sponsored-by: On-Waves ehf
Currently time() is used for age calculations. This time source
may jump either forwards or backwards in time (NTP update, leap
seconds).
This patch replaces the use of time() by using
clock_gettime(CLOCK_MONOTONIC) instead.
Sponsored-by: On-Waves ehf
Don't return a link_info if TLLI is 0 resp. P-TMSI is 0xffff. These
values are used for uninitialised or cleared fields and can possibly
match several entries.
Sponsored-by: On-Waves ehf
Since the (former) TLLI list has developed into a logical link list,
related commands are renamed accordingly.
- tlli-list * -> link-list *
- delete-gbproxy-tlli * -> delete-gbproxy-link *
- show gbproxy tllis -> show gbproxy links
Sponsored-by: On-Waves ehf
This field in struct gbproxy_patch_state has involved and holds a
list of all tracked logical links now. Thus the name is modified
accordingly.
Sponsored-by: On-Waves ehf
Currently in many places where 'tlli' (Temporary Logical Link
Identifier) within identifiers is used, the logical link itself is
meant instead. For instance, the tlli_info contain information about
an LLC logical link including up to four individual TLLI.
To avoid confusion between these concepts, this patch replaces all
'tlli_info' by 'link_info' and a few 'tlli' by 'link'.
Sponsored-by: On-Waves ehf
This patch replaces 'tlli' by 'tlli_info' within the following
function identifiers:
- gbproxy_delete_tlli
- gbproxy_delete_tllis
- gbproxy_remove_stale_tllis
- gbproxy_touch_tlli
- gbproxy_unregister_tlli
- gbproxy_remove_matching_tllis
- gbproxy_find_tlli -> gbproxy_tlli_info_by_tlli
- gbproxy_find_tlli_by_* -> gbproxy_tlli_info_by_*
These functions refer to the whole logical link info rather than to a
certain TLLI. So they are renamed to be named consistently with
gbproxy_attach_tlli_info and others.
Sponsored-by: On-Waves ehf
The function gbproxy_imsi_acquisition() has a parameter sgsn_nsei
that is alyways equal to tlli_info->sgsn_nsei (if tlli_info is not
NULL).
This patch removes this parameter from gbproxy_imsi_acquisition() and
gbproxy_flush_stored_messages() and accesses tlli_info->sgsn_nsei
instead within these functions.
Sponsored-by: On-Waves ehf
This patch renames gbproxy_check_tlli() to
gbproxy_imsi_matches() and struct tlli_info's
enable_patching to imsi_matches.
It's meant to be more obvious and consistent this way.
Sponsored-by: On-Waves ehf
Currently the number of iterations when creating a P-TMSI/TLLI is not
limited. It is nevertheless very unlikely that the loop will not
terminate. On the other hand, the number of iterations of every loop
should have an upper bound (loop variant) which wouldn't be the case
here if an arbitrary random generator was used.
This patch limits the number of iterations to 23 and logs an error if
the creation of the indentifier was aborted due to this limit.
Sponsored-by: On-Waves ehf
Currently the IMSI acquisition is not restarted when a RA Update
Request is received. This leads to repeated N(U) in the generated
Ident Request message, which in turn causes the MS to drop the
second of these message. This is bad, when the first Ident Response
has been lost between MS and gbproxy.
This patch changes gbproxy_imsi_acquisition() to handle RA Update
Request messages like Attach Requests.
Sponsored-by: On-Waves ehf
When a MS is state GMM_REGISTERED enters a new RA, it sends a RA
Update Request which is then handled by a gbproxy that possibly
doesn't have a matching tlli_info. In this case, depending on the
configuration an identification procedure to acquire the IMSI must be
started.
This adds tests to test_gbproxy_imsi_acquisition():
- IMSI acquisition triggered by a RA Update Request message
- Reaction to repeated RA Update Request messages, like it could be
caused by packet loss between PCU and gbproxy.
Sponsored-by: On-Waves ehf
On a Detach/Re-attach cycle the Address Sanitizer detected a
use-after-free kind of problem. That is because we tried to
destroy the LLME twice. The first time it is destroyed as part
of the Detach handling ans the second time it is destroyed as
part of destroying the old MM context.
In case the GPRS GMM detach message is lost the SGSN needs
to reply besides not having a MM entry.
The alternative would have been to add NULL checks for all
usages of ctx->llme which would not have helped with the
readability.
Sponsored-by: On-Waves ehf
For jitter, transit and packet loss we should count the data
that arrived and not the data we send towards the remote. This
is changing the jitter timings to what they were before the
re-factoring.
For forced timing we might willingly add jumps in the sequence
number but for jitter and packet loss we are more interested
in the data that traveled through the wire/air.
The Annex A code has a probation period but we don't have it. When
starting with seq_no==0 do not assume that the sequence numbers
have wrapped. Do it by moving the entire checking code into the
else.
mgcp_patch_and_count has grown due supporting linearizing timestamps,
ssrc and other things for equipment like the ip.access nanoBTS. Fight
back and move the Annex A code into a dedicated method.
The result is updated as we now count after all the patching and for
the Annex A code no change in SSRC can be detected.
Before the old code allowed to specify "timeout-ping bla" which
would be parsed as '0' which would trigger a flood of pings. Use
the VTY code to parse it as a number.
Currently when gprs_llgmm_reset() is invoked an XID reset is sent but
the local LLC parameters (e.g. V(U)) are not cleared (see GSM 04.64,
8.5.3.1). This can lead to discarded messages on the SGSN side.
This patch modifies gprs_llgmm_reset to clear vu_send, vu_recv,
oc_ui_send, oc_ui_recv.
Sponsored-by: On-Waves ehf
Currently the SGSN side message's TLLI are searched without checking
the originating SGSN. This leads to collisions if both SGSN use the
same P-TMSI for different MS.
With this patch, the SGSN NSEI is stored within the tlli_info and is
used in comparisons to separate the namespaces.
Note that this type of collision cannot happen with BSS numbers,
since the tlli_info are already separated and stored per (BSS) peer.
Sponsored-by: On-Waves ehf
This patch extends test_gbproxy_secondary_sgsn() by the establishment
of a third MS connection using a P-TMSI that has been assigned by the
other SGSN already. It is expected that the entries do not
interfere and are properly retrieved.
Note that these collisions are not handled properly yet.
Sponsored-by: On-Waves ehf
Currently it is possible to create serveral entries referring to the
same P-TMSI/TLLI by using P-TMSI assigment via Attach Accept or
RA Update Accept messages. This can lead to the use of the wrong
tlli_info.
This patch adds gbproxy_remove_matching_tllis() that removes all
conflicting entries. This function is called after the P-TMSIs and
the resulting TLLIs has been set up.
Sponsored-by: On-Waves ehf
This tests P-TMSI assignment when P-TMSI patching is disabled. A test
with colliding P-TMSI in Attach Accept messages is included.
Note that P-TMSI collisions are not handled properly yet.
Sponsored-by: On-Waves ehf
Since this message puts the MS into DEREGISTERED state (like a detach
procedure), this message is parsed and the invalidate_tlli field is
set accordingly.
Sponsored-by: On-Waves ehf
This commit adds/modifies the following VTY commands:
- delete-gbproxy-tlli <NSEI> de-registered : Delete all
de-registered entries
- show gbproxy tllis : Display 'DE-REGISTERED' when appropriate
In addition, the implementation of the delete-gbproxy-tlli command
has been split into two functions (with and without TLLI/IMSI
value).
Sponsored-by: On-Waves ehf
gprs_gb_log_parse_context() uses a sequence of LOGP calls to compose
a single message line. This leads to cluttered log output.
This patch replaces all but the first LOGP applications in this
function by applications of LOGPC.
Sponsored-by: On-Waves ehf
Currently it is possible to create several tlli_info entries with the
same IMSI.
This patch disables this by adding a check before the imsi field
is updated.
Sponsored-by: On-Waves ehf
Currently a tlli_info entry is deleted when the TLLI gets invalidated
by a Detach message.
This patch introduces the possibility to keep tlli_info entries in
the list. Those entries then have cleared TLLI fields, are marked as
de-registered, and can only be retrieved by a message containing an
IMSI or a P-TMSI.
The following VTY configuration commands are added to the gbproxy
node:
- tlli-list keep-mode never : Don't keep the entries (default)
- tlli-list keep-mode re-attach : Only keep them, when a Detach
message with re-attach required has been received
- tlli-list keep-mode identified : Only keep entries which are
associated with an IMSI
- tlli-list keep-mode always : Keep all entries
Note that at least one of max-length or max-age should be set when
this feature is used to limit the number of entries.
Sponsored-by: On-Waves ehf
Currently when patching is basically enabled P-TMSI and TLLI gets
patched even when P-TMSI patching is not enabled. Albeit the result
is correct in this case (the same value is re-written), the counter
shows unexpected results.
This patch adds configuration checks for P-TMSI and TLLI patching. It
also reorders the code of gbproxy_patch_raid to return early if there
is nothing to patch.
Sponsored-by: On-Waves ehf
This test case consists of a sequence of several attach and detach
procedures. The kind of detach varies (mobile originated, mobile
terminated re-attach required, mobile terminated re-attach not
required, routing area update reject). To main focus is to check that
the tlli_info is de-registered correctly (not accessible via the
TLLI) and that can be re-used afterwards (which is not implemented
yet).
Sponsored-by: On-Waves ehf
This function is a remainder of the initial implemenation that was
not meant for TLLI patching and can be used for the BSS side only.
The SGSN side is already using a composition of more flexible
single purpose functions.
This patch changes the implementation to use a similar approach. The
function is moved to gbproxy_test.c and renamed to register_tlli to
keep the tests intact.
Sponsored-by: On-Waves ehf
If IMSI acquisition is enabled and the gbproxy receives a Detach
request from the MS, it cannot pass it to the SGSN since the
acquisition has not yet been completed.
This patch implements the generation of a Detach Accept message and
for this case and updates the TLLI state accordingly.
Sponsored-by: On-Waves ehf
Currently the RAI in the LLC part of the message is not updated if
the message has been taken from the list of stored messages. The
reason is, that old_raid_matches is update in
gbprox_process_bssgp_ul() but not in gbproxy_flush_stored_messages().
This patch moves the check to gprs_gb_parse_bssgp() which is called
at both places and where other fields like parse_ctx->tlli are set,
too.
In addition, old_raid_matches is replaced by old_raid_is_foreign
since this is clearer in the case when there is no old RAI at all.
Several RAI patch counter assertions are also added to
test_gbproxy_ra_patching().
Sponsored-by: On-Waves ehf
Add a Attach Request message to test_gbproxy_ra_patching, where the
BSSGP RAI differs from the old RAI signalled in the LLC part. This
case had not been tested explicitely yet.
Change the RAI in the first Attach Request in
test_gbproxy_imsi_acquisition from rai_unknown to rai_bss.
Add Detach Requests to test_gbproxy_imsi_acquisition, one for a
incomplete attach procedure and one for an unknown (fresh) TLLI.
In these cases, the acquisition of a IMSI is not necessary and also
doesn't work properly with an E71.
Sponsored-by: On-Waves ehf
Since at all places where mi_data/mi_data_len is used it will always
contain an IMSI. Thus the names of the identifiers have been updated
accordingly for clarity.
Sponsored-by: On-Waves ehf
This commit changes gbproxy_imsi_acquisition as follows:
tlli_info->mi_data_len is used instead of parse_ctx->imsi to check,
whether the IMSI is known already. Since the function is always
called after gbproxy_update_tlli_ul(), the two values are already
synchronized.
Messages are always flushed when the IMSI gets known, if the current
message is IDENT RESP discard it, otherwise continue processing as
usual.
The 'if' clauses are simplified for better readability.
Sponsored-by: On-Waves ehf
gbprox_process_bssgp_ul has grown quite large mainly by the addition
of IMSI acquisition.
This patch moves that code into several smaller functions. In
addition, the peer resolution which is similar to that in
gbprox_process_bssgp_dl is moved into a separate function, too.
Sponsored-by: On-Waves ehf
This allows us to know what number of messages and bytes has been
received per active osmux endpoint.
Note that an Osmux message is composed of several chunks. Each chunk
contains an osmux header plus several voice data frames.
P: PS=385, OS=11188, PR=195, OR=5655, PL=0, JI=49
X-Osmo-CP: EC TIS=0, TOS=0, TIR=0, TOR=0
X-Osmux-ST: CR=51, BR=3129
The new 'X-Osmux-ST:' notifies the received chunks and bytes.
This patch removes the patch_mode feature including the related VTY
command patch-mode. Where sensible, the other configuration flags are
queried instead.
In addition, this initial checks in gbprox_process_bssgp_dl() and
gbprox_process_bssgp_ul() have been updated.
The patch mode feature has not been used and was increasingly
difficult to maintain.
Sponsored-by: On-Waves ehf
This patch add explicit tests for
- gbproxy_peer_by_bvci
- gbproxy_peer_by_nsei
- gbproxy_cleanup_peers
- gbproxy_peer_by_rai
- gbproxy_peer_by_lai
- gbproxy_peer_by_lac
and for messages with an unknown TLLI sent by the SGSN.
Sponsored-by: On-Waves ehf
Currently the stored messages are only removed, when IMSI acquisition
has succeeded. In addition, receiving two ATTACH_REQ messages in
sequence (e.g. due to loss of a Identity Req/Resp message) will not
restart the IMSI acquisition procedure.
This patch adds gbproxy_tlli_info_discard_messages() to clean up the
message list and calls it from gbproxy_delete_tlli() fixing a
potential memory leak. It is also called when an Attach Request
message has been received. In that case the imsi_acq_pending flag is
cleared, too. This would (re-)trigger the IMSI acquisition procedure
at each of these messages. If an Ident Response has been lost,
resending the Ident Request with the same N(U) will not work.
Therefore the N(U) gets incremented on each Ident Request generated
by the gbproxy. The first N(U) used is 256 which shouldn't collide
with the V(UT) used by the SGSN given that P-TMSI patching is enabled
(since a new random TLLI is used initially on every new (no
tlli_info) connection and V(U) starts with zero then).
Ticket: OW#1261
Sponsored-by: On-Waves ehf
If the Attach Request procedure gets restarted e.g. because of a lost
message, all of these messages are stored if IMSI acquisition is in
progress.
This patch adds a test for this case and modifies the dump_peers
function to output the number of stored messages.
Note that the number of stored messages currently increases with each
(repeatedly) received Attach Request which is not the desired behaviour.
Sponsored-by: On-Waves ehf
Currently, a new P-TMSI within an Attach Accept or within an RA
Update Request is applied to the TLLI mapping (gbproxy_reassign_tlli)
_before_ patching is done. This can lead to inconsistent behaviour
when the TLLI validation has not been completed, which is the case
when subsequent RA UDP REQ are received. The new TLLI must not be
applied to the message itself yet, it should only be considered for
following messages.
This patch moves the TLLI reassignment to
gbproxy_update_tlli_state_after() to fix that.
It also separates the implementation of the feature that a new
tlli_info can be created when such a message is received from the
SGSN. This makes sense, when P-TMSI patching is not active and the
tlli_info entry has expired.
Sponsored-by: On-Waves ehf
Currently tlli_info are created for SGSN originated messages when
the SGSN TLLI cannot be found and P-TMSI patching is active. This
doesn't make much sense, since the BSS side TLLI is not known in this
case. Given that the SGSN is working properly, that can only happen
if either the tlli_info has expired or the gbproxy has been
restarted.
This patch disables the creation of a tlli_info in this case.
Note that these messages are passed unmodified to the MS so far.
Sponsored-by: On-Waves ehf
This adds a sequence of two RA update procedures to
test_gbproxy_ptmsi_patching(). Each of them assigns a new P-TMSI.
Note that the implementation fails to patch the RAI within the
message labelled 'RA UDP ACC (P-TMSI 3)' and logs 'TLLI sent by the
SGSN is unknown'.
Sponsored-by: On-Waves ehf
Since the secondary SGSN selection and APN patching can both be
enable/disabled by IMSI matching, this patch introduces a separate
match-imsi command and removes the corresponding variant of the
core-access-point-name command.
P-TMSI patching and IMSI acquisition are enabled/disabled by
match-imsi resp. secondary-sgsn. The patch-ptmsi and acquire-imsi
commands are still available for internal testing but are subject to
being removed.
Sponsored-by: On-Waves ehf
This patch extends the 'show gbproxy tllis' command to display the
number of stored messages per tlli_info if there are any.
Sponsored-by: On-Waves ehf
Currently all STATUS messages coming from the SGSN are just logged
and dropped. This prevents the PCU from recognising that the
(secondary) SGSN doesn't know about a certain BVCI and might require
a reset procedure.
This patch changes gbprox_rx_sig_from_bss() to forward STATUS
messages with cause "Invalid BVCI" containing a BVCI to the BSS.
Note that this will not forward broken "Invalid BVCI"
messages which do not include a BVCI IE.
Sponsored-by: On-Waves ehf
Currently the gbproxy sends STATUS messages that are not compliant to
GSM 08.18, 10.4.14.1: The BVCI must be included if (and only if) the
cause is either "BVCI blocked" or "BVCI unknown".
This patch adds a missing BVCI to UNKNOWN_BVCI and BVCI_BLOCKED
status messages if the BVCI is available. Otherwise, INV_MAND_INF is
used instead.
Sponsored-by: On-Waves ehf
Currently the numeric TLLI or tlli_info's enable_patching flag is
used to decide, whether a APN shall be patched or the secondary SGSN
shall be used. Using the numeric TLLI imposes a problem, when
TLLI/P-TMSI patching is used, since gbproxy_check_tlli uses the BSS
side TLLI namespace when trying to get the tlli_info.
This patch modifies the gbproxy_check_tlli() function to accept a
tlli_info pointer instead of a numeric TLLI. The tlli_info is already
available when the function is called. Since this a similar approach
has been used by accessing the enable_patching flag directly, this
commit unifies checking by always using this function instead of the
flag outside of gb_proxy_tlli.c.
This fixes the APN patching that doesn't work currently when P-TMSI
patching is enabled.
Sponsored-by: On-Waves ehf
This commit adds a single ACT PDP CTX REQ message to
test_gbproxy_ptmsi_patching() to check whether APN patching works in
this case, too.
Note that this doesn't work currently, the APN patch count is not
incremented.
Sponsored-by: On-Waves ehf
Currently the new command acquire-imsi and secondary-sgsn are not
included into the write command's output.
This is fixed by this commit.
Sponsored-by: On-Waves ehf
Some messages that are related to the BVC itself must be forwarded to
the secondary SGSN, too.
This patch implements this for BVC-RESET (BVCI != 0) and FLOW-CONTROL-BVC
messages. The resulting acknowledgement messages from the secondary
SGSN are silently dropped. The idea behind this is that the primary
SGSN is responsible for setting up and maintaining the BVC whereas
the secondary SGSN is rather passive and just has to accept it.
Ticket: OW#1258
Sponsored-by: On-Waves ehf
This patch modifies gbprox_process_bssgp_ul() to send the message to
the secondary SGSN if the IMSI has matched and routing to the
secondary SGSN is enabled. The destination for stored messages is
modified accordingly.
Ticket: OW#1261
Sponsored-by: On-Waves ehf
This patch adds a case to test the establishment (and shutdown) of
connection between 2 MS and 2 SGSN, where the assignment is based
on each IMSI. Since BVC-RESET and FLOW-CONTROL-BVC will have to be
sent to both SGSN, an ACK is simulated for both.
New functions to generate FLOW-CONTROL-BVC(-ACK) messages are
provided.
It modifies dump_peers to add the string "IMSI matches" to a TLLI dump
line if appropriate.
Note that there is no real support to use a secondary SGSN in the
gbproxy yet, but the test code reflects the expected behaviour when
the feature is implemented.
Sponsored-by: On-Waves ehf
This patch refactors SGSN NSEI handling to support a secondary SGSN.
It adds the following VTY commands:
- secondary-sgsn nsei <0-65534>
- no secondary-sgsn
Sending messages to the secondary SGSN is not yet implemented, but
received messages from such a SGSN would be forwarded to the BSS
peers.
Sponsored-by: On-Waves ehf
This should have been part of the 'Implement IMSI acquisition'
commit, where a similar change has been made for BSS originated PTP
messages.
Sponsored-by: On-Waves ehf
We want to reduce the background traffic and might set the ping
interval to be in the range of minutes. But this means that if
the TCP connection is frozen several "SCCP CR CM Service Requests"
will be stuck in the send queue without ever being answered. I
could have used the logic of not receiving the "SCCP CC" to close
the connection but instead I am introducing an overload to schedule
the ping as part of the normal SCCP connection establishment.
The VTY write case has been manually verified, I have also looked
at a single trace to see that the SCCP CR and the IPA PING is
transfered in the same ethernet frame.
Jacob ran the tests with ASAN and noticed that the state is
dead. This is on purpose as we have forced a change in the
transcoding. Re-load the state and verify that it has not
changed in the other cases.
To modify or route messages based on the IMSI the latter must be known
when the action shall take place.
This patch modifies the gbproxy to optionally retain and enqueue
messages from the MS while initiating an identification procedure.
Further message processing of the LLC PTP link towards the SGSN will
be done, when the identity of the MS has been acquired.
Note that the N(U) of the LLC GMM SAPI are not adjusted, so it is
possible that adjacent messages of a single LLC link arriving either
at the BSS or the SGSN have the same N(U) and might get discarded,
leading to retransmissions and additional delay.
Note also that retransmissions and packet loss are not yet handled
explicitely. If for instance the generated IDENT REQ gets lost, the
gbproxy will not act on its own. In this case, the MS will time out
and eventually resend the Attach Request on which the gbproxy will
act exactly like before (thus having two Attach Req messages in its
queue, which will both be sent after the Ident Resp arrives).
This has been tested successfully with an E71, needing one
retransmission by the SGSN due to an N(U) collision.
Ticket: OW#1261
Sponsored-by: On-Waves ehf
This patch copies test_gbproxy_ptmsi_patching to
test_gbproxy_imsi_acquisition as a base for a later test for IMSI
acquisition (which is not yet implemented). The idea behind this is
to make the different behaviour visible in the ok file without
compromising the P-TMSI test.
Sponsored-by: On-Waves ehf
Currently when patching is enabled and an error happens when
receiving a message from the SGSN, the patched message is sent back
with the PDU_IN_ERROR IE.
This patch modifies gbprox_rx_sig_from_sgsn() to copy the message
before it is patched, so that the original message can be used with
the STATUS message. gbprox_rx_ptp_from_sgsn() does all checks before
the message is patched, so copying is not necessary.
Since gbprox_rx_sig_from_sgsn() is not called for BSSGP UNITDATA
messages and the msgb is already been copied in the gbprox_relay2peer
function, the relative performance impact is expected to be low.
Note that the PDU IE of STATUS messages received from an MS and
forwarded to the SGSN will not be patched. STATUS messages from the
SGSN are only logged and not forwarded to the MS.
Sponsored-by: On-Waves ehf
Currently messages like these with a TLLI IE (BSSGP) are not
tested (properly) with TLLI patching.
This patch extends the send_bssgp_suspend* functions to accept a
TLLI as argument and adds the send_bssgp_llc_discarded function.
These are then used in test_gbproxy_ptmsi_patching() with a valid
TLLI.
Note that the TLLI IE patching doesn't work currently.
Sponsored-by: On-Waves ehf
This patch adds gbprox_rx_data_from_sgsn() and
gbprox_rx_ptp_from_bss() which contain the PTP message processing
of gbprox_rcvmsg(). The calls to gbprox_process_bssgp_ul() are moved
from gbprox_relay2sgsn() to gbprox_rx_ptp_from_bss() and
gbprox_rx_sig_from_bss().
The goal is, to do all patching (and calls to gbprox_process_bssgp_*)
from within the gbprox_rx_* functions. Doing the patching from within
gbprox_relay2sgsn has the drawback, that the patching code cannot
call gbprox_relay2sgsn() which is needed if a single message shall
trigger a sequence of messages.
Sponsored-by: On-Waves ehf
The compiler also uses this attribute for code elimination. If the
nonnull attribute has been given erroneously for an parameter, that
is later been checked against NULL, this check is removed silently
by the gcc if optimization is enabled. This can lead to hard-to-find
segmentation violation faults.
To be on the safe side, this patch removes all uses of the nonnull
attribute in openbsc.
Compiler:
- gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1): no warning, segfault
- clang 3.4 (3.4-1ubuntu3): no warning, no segfault, asm ok
Example:
/* foo.c */
int f(int* p) __attribute((nonnull));
int f(int *p) {
if (!p)
return 0;
return *p;
}
/* main.c */
int f(int* p) __attribute((nonnull));
int g () {
return f(arg);
}
int main() {
return g(NULL);
}
When these files are compiled into an executable, no warnungs are
issued but it will fail with a segfault when -O2 is used (unless LTO
is active).
Compiler output (gcc -O2):
int f(int *p) {
0: 8b 44 24 04 mov 0x4(%esp),%eax
4: 8b 00 mov (%eax),%eax
6: c3 ret
}
Sponsored-by: On-Waves ehf
In case we get offered G729 and G711 we might have selected
G729 as the audio codec. The first packet we receive might be
G711 though. In that case we will need to change. But only if
we have a matching alternate codec payload_type. E.g. in the
case of comfort noise we will receive the PT=11 and we don't
want to change.
In case of some RTP proxy from time to time we are offered both
G729 and G711 but only one of them will work. I intend to adjust
the codec at runtime in case we receive the wrong codec.
We might be offered multiple codecs by the remote and need to
switch between them once we receive data. Do this by moving it
to a struct so we can separate between proposed and current
codec. In SDP we can have multiple codecs but a global ptime.
The current code doesn't separate that clearly instead we write
it to the main codec.
Use the rtp_hdr structure. The basic alignment issue remains
and I need to merge/cherry-pick Jacob's getters for the ts,
sequence number and other attributes.
./configure --help indicates:
--enable-external-tests Include the VTY/CTRL tests in make check
[default=no]
but
./configure ... --enable-external-tests
configure: WARNING: unrecognized options: --enable-external-tests
the name of the option seems to be --enable-ext-tests.
The library allows to indicate zero as batch size if you want to use
the default size, however openbsc saves 'osmux batch-size 0' which is
not good as input.
Use OSMUX_BATCH_DEFAULT_MAX to explicitly initialize the batch size
from mgcp_parse_config().
The talloc_free on the nat lead to the freeing of the bsc_config
which lead to freeing of the rate_ctr_group. The rate_ctr_group
remained in a global list and the next creation of a bsc_config
would access dead memory. Fix it.
The free routine is only meant to be used by the test, for the
real nat we would need to make sure that all connections and
other state that refers to the cfg is removed/closed first.
Fix various memleaks in the test while we are at it. There are
still some to fix.
==7195== Invalid write of size 4
==7195== at 0x4043171: rate_ctr_group_alloc (linuxlist.h:65)
==7195== by 0x804D893: bsc_config_alloc (bsc_nat_utils.c:174)
==7195== by 0x804B5D2: main (bsc_nat_test.c:954)
==7195== Address 0x4311cbc is 52 bytes inside a block of size 208 free'd
==7195== at 0x4029D28: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7195== by 0x4048D98: _talloc_free (talloc.c:609)
==7195== by 0x4052806: talloc_free (talloc.c:578)
==7195== by 0x804B58A: main (bsc_nat_test.c:940)
bsc_nat_ctrl.c: In function ‘set_net_cfg_cmd’:
bsc_nat_ctrl.c:360:3: warning: implicit declaration of function ‘bsc_replace_string’ [-Wimplicit-function-declaration]
bsc_replace_string(bsc_cfg, &bsc_cfg->acc_lst_name, cmd->value);
^
gbproxy_patch_bssgp: Move a check for tlli_info in front of the first
conditional that depends on it, and return immediately if it is NULL.
gbproxy_register_tlli: Initialize tlli_already_known to 0.
Fixes: Coverity CID 1232691
Fixes: Coverity CID 1232692
Sponsored-by: On-Waves ehf
Remove redundant information log message:
<000b> bsc_mgcp_utils.c:647 BSC doesn't want to use Osmux, failing back to RTP
<000b> bsc_mgcp_utils.c:669 bsc didn't accept to use Osmux (cid=0)
One single log message is just fine. The error path already indicates
the precise reason not to accept the request to use Osmux.
This patch includes several osmux fixes that are interdependent:
1) This adds Osmux circuit ID, this is allocated from the bsc-nat. This
announces the circuit ID in the CRCX MGCP message. This aims to resolve
the lack of uniqueness due to the use of endp->ci, which is local to
the bsc. This ID is notified via X-Osmux: NUM where NUM is the osmux
circuit ID.
2) The dummy load routines are now used to setup osmux both in bsc and
bsc-nat to resolve source port NAT issues as suggested by Holger. The
source port that is used from the bsc is not known until the first
voice message is sent to the bsc-nat, therefore enabling osmux from
the MGCP plane breaks when a different source port is used.
3) Add refcnt to struct osmux_handle, several endpoints can be using the
same input RTP osmux handle to perform the batching. Remove it from the
osmux handle list once nobody is using it anymore to clean it up.
4) Add a simple Osmux state-machine with three states. The initial state
is disabled, then if the bsc-nat requests Osmux, both sides enters
activating. The final enabled state is reached once the bsc-nat sees
the dummy load message that tells what source port is used by the bsc.
5) The osmux input handle (which transforms RTP messages to one Osmux batch)
is now permanently attached to the endpoint when Osmux is set up from the
dummy load path, so we skip a lookup for each message. This simplifies
osmux_xfrm_to_osmux().
After this patch, the workflow to setup Osmux is the following:
bsc bsc-nat
| |
|<------ CRCX ----------|
| X-Osmux: 3 | (where 3 is the Osmux circuit ID
| | that the bsc-nat has allocated)
|------- resp --------->|
| X-Osmux: 3 | (the bsc confirm that it can
| | use Osmux).
. .
| |
setup osmux |----- dummy load ----->| setup osmux
| Osmux CID: 3 |
In two steps:
1st) Allocate the Osmux Circuit ID (CID): The bsc-nat allocates an unique
Osmux CID that is notified to the bsc through the 'X-Osmux:' extension.
The bsc-nat annotates this circuit ID in the endpoint object. The bsc
replies back with the 'X-Osmux:' to confirm that it agrees to use Osmux.
If the bsc doesn't want to use Osmux, it doesn't include the extension
so the bsc-nat knows that it has to use to RTP.
2nd) The dummy load is used to convey the Osmux CID. This needs to happen
at this stage since the bsc-nat needs to know what source port the bsc
uses to get this working since the bsc may use a different source
port due to NAT. Unfortunately, this can't be done from the MGCP signal
plane since the real source port is not known that the bsc uses is not
known.
This patch also reverts the MDCX handling until it is clear that we need
this special handling for this case.
In the bsc-nat side, the osmux socket initialization can be done from
the vty. This ensure that the osmux socket is available by the time the
bsc-nt receives the dummy load that confirms that the osmux flow has
been set up.
This change is required by the follow up patch. This change ensures that
the Osmux socket in the bsc-nat is already in place by the time this
receives the dummy load.
Back in March 2013, some structures and defines related to decoded
measurement reports have been moved from openbsc to libosmocore
(libosmocore e128f4663104ed64e33e362cff2566f36d65e658) so that they can
be used also from osmo-bts. This finally makes gsm_lchan follow suit
for osmo-bts.
The gb_proxy shouldn't start to open the box of pandora by including the
gsm_data_shared.h file, particularly not without defining the BSC role.
In any case, as the reserved TMSI is something that's part of the GSM
specs, and not specific to the OpenBSC implementation, it should be part
of libosmocore.
All review feedback will be addressed _after_ the split of the
files. This is the only reasonable approach to get the split of
files merged. I didn't have the time to review all of the code
before the point of splitting.
This patch moves the peer related definitions from gb_proxy.c to
gb_proxy_peer.c and adjusts the prefix of each global symbol to
gbproxy_:
Peer definitions (prefix adjusted to gbproxy_):
peer_ctr_description -> gprs/gb_proxy_peer.c (static)
peer_ctrg_desc -> gprs/gb_proxy_peer.c (static)
*peer_by_* -> gprs/gb_proxy_peer.c
gbproxy_peer_alloc -> gprs/gb_proxy_peer.c
gbproxy_peer_free -> gprs/gb_proxy_peer.c
gbprox_cleanup_peers -> gprs/gb_proxy_peer.c
Sponsored-by: On-Waves ehf
This patch moves several functions and declarations out of gb_proxy.c
to make them reusable by other components and to separate them by
context and task.
Counter enums (prefix is changed to gbproxy_):
enum gbprox_global_ctr -> gprs/gb_proxy.h
enum gbprox_peer_ctr -> gprs/gb_proxy.h
Generic Gb parsing (prefix is changed to gprs_gb_):
struct gbproxy_parse_context -> openbsc/gprs_gb_parse.h
gbprox_parse_dtap() -> gprs/gprs_gb_parse.c
gbprox_parse_llc() -> gprs/gprs_gb_parse.c
gbprox_parse_bssgp() -> gprs/gprs_gb_parse.c
gbprox_log_parse_context() -> gprs/gprs_gb_parse.c
*_shift(), *_match() -> gprs/gprs_gb_parse.c (no prefix)
gbprox_parse_gmm_* -> gprs/gprs_gb_parse.c (static)
gbprox_parse_gsm_* -> gprs/gprs_gb_parse.c (static)
MI testing/parsing (prefix gprs_ added):
is_mi_tmsi() -> gprs/gprs_utils.c
is_mi_imsi() -> gprs/gprs_utils.c
parse_mi_tmsi() -> gprs/gprs_utils.c
TLLI state handling (prefix is changed to gbproxy_):
gbprox_*tlli* -> gprs/gb_proxy_tlli.c
(except gbprox_patch_tlli, gbproxy_make_sgsn_tlli)
Message patching (prefix is changed to gbproxy_):
gbprox_*patch* -> gprs/gb_proxy_patch.c
gbprox_check_imsi -> gprs/gb_proxy_patch.c
Sponsored-by: On-Waves ehf
Add LLC test messages containing XID (SAPI LLGMM, U frame) and IP traffic
(SAPI LL11, UI frame).
Add a test case containing a complete SGSN session with TLLI/PTMSI
patching enabled.
Sponsored-by: On-Waves ehf
This patch modifies gbprox_make_bss_ptmsi() to generate a new P-TMSI
when patch_ptmsi is set in the configuration instead of using the
P-TMSI assigned by the SGSN. It modifies gbprox_make_sgsn_tlli() to
either use a foreign TLLI based on the SGSN side P-TMSI or (if there
is none) generate a random TLLI if patch_ptmsi is set. Otherwise, the
TLLI used by the BSS is used.
The seeds for the pseudo-random sequences sre set based on time
initially. Note that these are neither cryptographically safe nor
protected against collisions.
Ticket: OW#1259
Sponsored-by: On-Waves ehf
This patch contains fixes for the TLLI tracking and handling.
It adds and uses gbprox_map_tlli() the map the source TLLI to the
destination TLLI while respecting whether it is current or assigned.
It removes gbprox_register_tlli() from the downlink path. It fixes
TLLI validation and disables the use of the BSSGP TLLI IE.
Sponsored-by: On-Waves ehf
Currently, these messages lead to a parsing error which prevents them
from being processed any further.
This patch sets the return value of gbprox_parse_llc to 1 in these
cases and fixes a segfault which is triggered by any non-04.08
message.
Sponsored-by: On-Waves ehf
Currently gbprox_patch_raid() updates the local MCC/MNC with every
BSS originated message, even if the RAI is an 'old' one.
This patch separates state updating and patching into 2 functions
gbprox_update_current_raid and gbprox_patch_raid. In addition, a
field named old_raid_enc is added to gbproxy_parse_context, which is
used for 'old RAI' IEs in Attach Requests and RA Update Requests.
Only the bssg_raid_enc in BSS originated message is used to update
the BSS side 'local' MCC/MNC.
Sponsored-by: On-Waves ehf
This patch splits the functionality of gbprox_get_detached_tlli_info
into 2 new functions:
- gbprox_tlli_info_alloc to allocate an intialized and detached
tlli_info
- gbprox_detach_tlli_info to detach an already attached tlli_info
Sponsored-by: On-Waves ehf
This VTY command add the following commands to the gbproxy node:
- patch-ptmsi: Enables P-TMSI/TLLI patching
- no patch-ptmsi: Disables P-TMSI/TLLI patching
Note that using these commands interactively can load to undefined
behavior of existing LLC connections.
Sponsored-by: On-Waves ehf
This patch separates BSS side from SGSN side TLLI/PTMSI tracking. When
TLLI/PTMSI patching is not enabled, the corresponding states shall be
identical. The TLLI/PTMSI state has been moved into the struct
gbproxy_tlli_state and is used twice in gbproxy_tlli_info.
Since the state handling for uplink and downlink messages is
diverging, gbprox_update_state() is replaced by two functions
gbprox_update_state_dl/gbprox_update_state_ul and
gbprox_process_bssgp_message() is replaced by
gbprox_process_bssgp_dl/gbprox_process_bssgp_ul.
Sponsored-by: On-Waves ehf
This patch adds the functions send_bssgp_ul_unitdata(),
send_bssgp_dl_unitdata(), send_llc_ul_ui(), and send_llc_dl_ui().
They are used instead of send_ns_unitdata() in
test_gbproxy_ra_patching(). This make it easier to modify TLLI, N(U),
and other parameters.
Sponsored-by: On-Waves ehf
The following parts of the messages have been fixed
- Attach Accept: checksum
- Attach Complete: checksum
- RA Update Accept: Use the same MS Radio Access Capabilities and
DRX Parameters like the other messages
The N(U) of most messages have not been fixed.
Sponsored-by: On-Waves ehf
Don't replace the current TLLI immediately, store it in an additional
'assigned_tlli' field and discard the old TLLI when both sides have
used the new one (see GSM 04.08, 4.7.1.5).
Add an Attach Complete message to test and check, whether the related
field of the corresponding tlli_info struct are set as expected
during the local TLLI validation cycle.
Sponsored-by: On-Waves ehf
Currently the enable_patching field in tlli_info is not updated,
when an IMSI is assigned to a TLLI that is already known.
This patch fixes this in gbprox_update_state() after the call to
gbprox_update_tlli_info().
The number of APN increases and the test output file is updated
accordingly.
Sponsored-by: On-Waves ehf
GSM 24.008 also allows a P-TMSI field in Detach request messages.
This patch adds gbprox_parse_gmm_detach_req() to parse Detach Request
messages which sets the ptmsi field if the IE is present.
In addition, when power_off is set to 1 (MO only), the
invalidate_tlli field is set, since Detach Request message is
expected in this case.
The second detach test (see 'RA update') is modified to use
power_off instead of relying on a Detach Accept from the network.
To make this work, the PTMSI of the RA Update Accept is fixed to
match the TLLI of the Detach Request.
Sponsored-by: On-Waves ehf
We started with only testing the VTY but now test VTY and CTRL
interface with this python framework and might even extend this
to SMPP. So add and "--enable-external-tests" directive which
enables the external interface tests.
Add a separate function to clear the IMSI filter to be used instead of
gbprox_set_patch_filter(cfg, NULL, ...). Albeit it fixes a Coverity
issue (Unchecked return value), it is a false positive, since the
return value is always 0 in these cases. Nevertheless it is more
obvious what happens when an explicit clear function is called. Using
NULL as filter argument of gbprox_set_patch_filter still clears the
filter.
Fixes: Coverity CID 1231255
Sponsored-by: On-Waves ehf
As bsc_ctrl_node_lookup() is called for each iteration,
the variables 'bts' and 'trx' are no longer static accross multiple
calls, which means we need a different way to determine if we are in the
right node while matching for a trx or a ts.
Now that the bulk of the control interface node lookup has
no reference to the BSC specific data structures, we are
moving it into libosmocore.
A control interface user now only registers an optional small
node lookup function like bsc_ctrl_node_lookup()
The idea here is that bsc_ctrl_cmd_handle now has no dependency
at all to the BSC related data structures and thus can actually become
part of libctrl.
The new function bsc_ctrl_node_lookup however will remain bsc-specific.
This patch modifies the code to pass a pointer to the tlli_info
around once it has been acquired. To achieve this,
gbprox_register_tlli() and gbprox_update_state() are modified to
return it (if it has been found or created), and gbprox_patch_llc(),
gbprox_patch_bssgp(), and gbprox_update_state_after() are modified to
take it as parameter.
Add a new function gbprox_touch_tlli() to update timestamp and list
ordering for existing tlli_infos.
The motivation behind this patch is to make the tlli_info available to
the patching code and to avoid repeated searches for the same TLLI.
Sponsored-by: On-Waves ehf
The current implementation of this function is O(N), where N is the
number of entries.
The new implementation is O(D), where D is the number of entries that
are going to be deleted.
Sponsored-by: On-Waves ehf
This patch adds a combined expiry test to remove one entry by list
length and another by age.
This patch also modifies the existing age based test to register both
TLLI with a different timestamp and to remove only one of the TLLI
entries by age based expiration.
Sponsored-by: On-Waves ehf
Currently time() is called at several places to control TLLI aging.
Beside calling time() more often than necessary, the decision which
timesource is to be used is coded into the TLLI handling, and testing
complex aging scenarios is cumbersome.
This patch passes the current time as a parameter instead. The call
to time() is moved to gbprox_process_bssgp_message().
Sponsored-by: On-Waves ehf
This patches removes the call to gbprox_remove_stale_tllis()
from gbprox_register_tlli(), so it must be called explicitly now.
The call is now done from within gbprox_update_state_after().
In addition, the TLLI cache size counter is also kept in sync when
gbprox_remove_stale_tllis is called manually. The call to
gbproxy_peer_free() in gbproxy_peer_free() is moved behind the TLLI
to allow for counter updates in gbprox_delete_tlli().
Sponsored-by: On-Waves ehf
This patch refactors that function by separating the actual patch
code into a new function gbproxy_patch_bssgp(), similar to
gbproxy_patch_llc(). The remaining function is renamed to
gbproxy_process_bssgp_message. The existing function
gbproxy_parse_bssgp_message() is renamed to
gbproxy_process_bssgp_message to match gbproxy_parse_llc.
Sponsored-by: On-Waves ehf
This adds a test for gbprox_set_patch_filter() and
gbprox_check_imsi().
It also fixes the masking of the type field when IMSIs are checked by
using GSM_MI_TYPE_MASK (0x07) instead of 0x0f.
Sponsored-by: On-Waves ehf
Currently only TLLIs for which it is known that they may be patched
are put into the TLLI list.
This patch changes this to add TLLIs even when the IMSI is not yet
known. A enable_patching flag is added to the gbproxy_tlli_info
structure to control patching.
Note that this puts every active TLLI into the list where accesses
are O(N) currently.
Sponsored-by: On-Waves ehf
This adds parsing support for the following messages:
- Attach Request: IMSI/PTMSI
- Identity Response: IMSI/PTMSI
- BSSGP: Optional TLLI IE
- BSSGP/PAGING_PS: PTMSI
A new new_ptmsi_enc field is added for newly assigned PTMSI in
SGSN->BSS messages (instead of ptmsi_enc). The ptmsi_enc field is now
used for informational PTMSI IE in messages.
Sponsored-by: On-Waves ehf
This adds a gbprox_parse_bssgp_message() function that contains the
parsing part of the former gbprox_patch_bssgp_message(). This
includes a call to gbprox_parse_llc().
The calls to gbprox_patch_llc(), gbprox_update_state() and
gbprox_update_state_after() have therefore been moved to
gbprox_patch_bssgp_message().
Sponsored-by: On-Waves ehf
This patch unifies the TLLI tracking for all LLC messages. The TLLI
state handling is moved into separate functions.
Only Detach Accept messages are taken into account to release a TLLI,
which is safe but not optimal.
Sponsored-by: On-Waves ehf
Currently, parsing and optionally patching is done in the same
functions (e.g. gbprox_patch_gmm_attach_req()).
This patch moves the patching code out of these functions into
gbprox_patch_llc() and just stores pointers to the relevant data
areas into parse_ctx. Consequently the len_change parameter is
removed and the _patch_ in the function's names is renamed to
_parse_. In addition, the patching_is_enabled checks and counter
increments are moved out of these functions, too.
Sponsored-by: On-Waves ehf
Send a non-call related SS message for an active call indentified
by the CIC of that call. As an ugly hack the order of the SS
release and the invocation are changed. That was necessary for the
E71 on a TCH. The time between notify and release was just too short.
The right would be to wait for the returnResultLast but this would
involve keeping more local state. Let's see how far we get here. It
might be necessary to change the order in the other call sites as
well.
Some broken equipment does not convert the P-TMSI to a Local TLLI.
This leads to the SGSN ignoring the GPRS Attach Complete message
from the phone. Proprietary SGSNs and some documentation we found
state that one should always set the two highest bits of a P-TMSI
to one. This will help broken equipment and will avoid a potential
P-TMSI/TLLI clash. The P-TMSI/Local TLLI mapping is now bijective.
Currently gbprox_register_tlli() is a rather complex function.
This patch splits it into several smaller functions to ease reviewing
and maintaining it.
Sponsored-by: On-Waves ehf
This adds a unit test for gbprox_register_tlli() and
gbprox_remove_stale_tllis().
The dump_peers() function is extended by a cfg parameter to support
a non-global gbproxy_config.
Done with Jacob
This comparison bit-ored the TLLI with 0xc000 instead of 0xc000000.
Since this has never worked properly yet and since normalizing to
local TLLIs doesn't seem sensible here, the comparison is removed
entirely.
Sponsored-by: On-Waves ehf
In these functions we assume that peer is not NULL. Add a compiler
attribute in the hope that either coverity or GCC/Clang will help
us to find a misusage.
Done with Jacob
Global state prevents us from writing simple units tests for
single routines. Go through the code and add pointers to the
gbproxy configuration. Only the vty and the test code remain
using the global gbproxy instance.
Create a testcase for the gprs_str_to_apn and gprs_apn_to_str
routines. While writing the testcase we noticed it is possible to
write more bytes than should have been allowed. This is fixed by
checking that the max_len is at least 1 (needed to write the first
length octet) and to do the size check before writing to the output.
Modify the signature of gprs_str_to_apn to put the length/size next
to the parameter that requires a size.
Done with Jacob
We intend to move some of these routines to libosmocore but to avoid
a feature symbol clash we are prefixing these routines with gprs_.
Done with Jacob
The application is called gbproxy but the structures and functions
were inconsistently named as either gbprox or gbproxy. Rename all
structures to use gbproxy.
Done with Jacob
Move the global data into the struct and use it. gbprox_reset will
first free data and then re-initialize the structure. This code is
used by the unit test.
Done with Jacob
Timing advance is stored inside lchan structure, so it is removed from
arguments. This is useful, if other actions are required prior calling
rsl_chan_activate_lchan. (like deactivating PDCH first)
The "shifted TA value" that is required by BS11 is now calculated inside
rsl_chan_activate_lchan and not by each user.
[Rebased by Holger. So some hunks were skipped as the patch
depended on Jolly's HO code]
rtp_proxy.c: In function ‘rtp_decode’:
rtp_proxy.c:199:8: warning: assignment from incompatible pointer type
frame = msgb_put(new_msg, sizeof(struct gsm_data_frame));
This commit moves the fixing code of the length field of the LLC
information element to the BSSGP patching level since that is not a
part of LLC itself.
Sponsored-by: On-Waves ehf
This commit adds code to parse the PTMSI in network originated
messages
- Attach Accept,
- Routing Area Update Accept, and
- P-TMSI Reallocation Command (see below)
to keep track of the TLLI identifying the LLC connection.
The P_TMSI Realloc Command specific code is not being tested yet, so
a corresponding notice is logged when such a message will be
received.
NOTE:
The gbproxy will lose the TLLI when the MS doesn't receive/use
the message (normally the SGSN remembers the old TLLI for some time
to avoid this kind of problem). If this happens the MS will
probably restart the procedure and the network will have to answer
again eventually using one of the above messages which will
re-associate the IMSI with the TLLI before the MS can send a
PDP Context Request message.
Ticket: OW#1192
Sponsored-by: On-Waves ehf
Add a struct containing context information from the parts of the
message that have been parsed already. A pointer to this (temporary)
struct is passed to parse/patch functions.
Sponsored-by: On-Waves ehf
Currently the patching code directly accesses the single bytes to
parse the LLC/DTAP messages.
This patch uses the shift functions instead to parse tlv and similar
structures.
Sponsored-by: On-Waves ehf
This adds a set of function that parse a single tlv, lv, tv, or v
encoded information element. They are complementary to the *_put
functions defined in libosmocore's tlv.h file. The functions update
the data and data_len fields unless they are a 'match' function and
the tag field doesn't match.
Sponsored-by: On-Waves ehf
Currently the enabled_tllis_count field isn't always decremented when
an element is removed from the TLLI cache list.
This patch adds the missing update and also adjusts the counter
accordingly.
Sponsored-by: On-Waves ehf
Add TLLI cache output to gbprox_dump_peers() to include this info
into the test output.
Separate RA Update Req message handling from Attach Request handling.
Note: There is no test case for the P-TMSI Reallocation Command yet.
Sponsored-by: On-Waves ehf
This commit adds the following counters:
- attach-reqs: Number of Attach Request messages
- attach-rejs: Number of Attach Reject messages
- tlli-cache: Size of the TLLI cache
Sponsored-by: On-Waves ehf
These commands manage the TLLI list used to decide whether an APN
shall be patched or not. Note that this list is (currently) only
maintained if IMSI matching is used.
VTY commands (enable node):
show gbproxy tllis show all TLLI entries
delete-gbproxy-tlli NSEI stale purge all stale entries
delete-gbproxy-tlli NSEI imsi IMSI purge entry with the IMSI given
delete-gbproxy-tlli NSEI tlli TLLI purge entry with the TLLI given
Sponsored-by: On-Waves ehf
This patch adds IMSI/TLLI connection tracking and uses it to control
APN patching based on the IMSI. TLLI entries can expire based on age
and/or by limiting the TLLI list size.
VTY config-gbproxy:
no core-access-point-name disable APN patching
core-access-point-name none remove APN if present
core-access-point-name APN replace APN if present
core-access-point-name none match-imsi RE remove if IMSI matches
core-access-point-name APN match-imsi RE replace if IMSI matches
tlli-list max-age SECONDS expire after SECONDS
no tlli-list max-age don't expire by age
tlli-list max-length N keep N entries only
no tlli-list max-length don't limit list length
RE is an extended regular expression, e.g. ^12345|^23456
Ticket: OW#1192
Sponsored-by: On-Waves ehf
Currently, all patching state is stored globally in the gbproxy. Thus
the feature cannot be used safely with a concentrating gbproxy (NAT).
This patch moves the state and relevant counters to the gbprox_peer
structure. It adds code to resolve the corresponding peer when
packets are received by looking at BVCI, NSEI, and BSSGP IEs (BVCI,
RAI/LAI/LAC) when the peer is not passed to the
gbprox_patch_bssgp_message() function.
Test cases are also added for the SGSN->BSS case including test cases
with invalid identifiers.
Note that this patch should make it possible to use RAI patching at a
NAT gbproxy as long as the messages are not encrypted.
Ticket: OW#1185
Sponsored-by: On-Waves ehf
This patch adds a Detach Request (MO) / Detach Accept sequence to the
test, followed by another (here invalid) Act PDP Context Req which
should be APN patched.
Sponsored-by: On-Waves ehf
Add a DTAP GMM Information message with an IMSI in the BSSGP header
to enable the association between IMSI and TLLI.
The TLLI of the Routing Area Update messages is set to foreign.
Sponsored-by: On-Waves ehf
Patch the APN in every 'Activate PDP Context Request' message to the
value given by the 'core-access-point-name' command. If the command is
given without an APN, the whole APN IE will be removed. If the
command is being prefixed by a 'no', the APN IE remains unmodified.
The patch mode 'llc-gsm' is added to selectively enable the patching
of LLC session management messages. This is enabled implicitely by
the patch mode 'llc'.
Note that the patch mode should not be set to a value not enabling
the patching of LLC GSM messages ('llc-gsm', 'llc', and 'default' are
sufficient to patch 'Activate PDP Context Request' messages).
Ticket: OW#1192
Sponsored-by: On-Waves ehf
This patch extends the BSSGP patch code to also patch LLC information
elements along with MCC/MNC patching support for the following messages:
- Attach Request
- Attach Accept
- Routing Area Update Request
- Routing Area Update Accept
- P-TMSI reallocation command
Note that encrypted packets will not be patched.
Ticket: OW#1185
Sponsored-by: On-Waves ehf
This adds a feature to patch the BSSGP MNC/MCC fields of messages going
to and coming from the SGSN. To enable this feature, the gbproxy's
VTY commands 'core-mobile-country-code' and/or
'core-mobile-network-code' must be used. All packets to the SGSN are
patched to match the configured values. Packets received from the
SGSN are patched to the corresponding values as last seen from the BSS
side.
Note that this will probably not work with a gbproxy used for several
BSS simultaneously.
Note also, that MCC/MNC contained in a LLC IE will not be patched.
Ticket: OW#1185
Sponsored-by: On-Waves ehf
The wrong field has been use for the field length computation. This
hadn't any impact so far, since
sizeof(ctx->imei) == sizeof(ctx->imsi)
This patch fixes the computation to use the right field.
Sponsored-by: On-Waves ehf
This patch makes a few changes to improve readability:
- change the sendto() hexdump to start with NS instead of BSSGP
- use more specific message descriptions instead of 'UNITDATA'
- add a title line per test
Sponsored-by: On-Waves ehf
The osmux code doesn't work if the MGCP MGW is behind a NAT (which
is likely to be the case). The usage of endp->ci is troublesome too
not only because of the uint8_t vs. uint32_t mismatch but because
this identity is generated by the MGCP MGW and can clash. This means
that with two clients the wrong call might be connected.
The next bigger thing is that old handles are never cleared. This
code is clearly not ready for deployment.
We need to discover the remote port as we are likely behind a NAT.
Right now the NAT code will just send to port 1984 on the BSC but
this might not arrive at the BSC. Include the CI (in the future we
need to include the endpoint address or send the dummy to the net
port). This is just an interim solution.
The CI is a MGCP value that is counted from 0 upwards. The code
is comparing a uint8_t with a uint32_t. This will only work for
up to UINT8_MAX calls and then will silently break. The code should
probably work with the endpoint number and not the CI. For now
truncate things and hope things work.
Jacob pointed out that "free_endp" refers to the memory of
the endpoint being freed. What we want is actually a way to
release an endpoint (and the resource it allocated) or in
the case of the testcase/testapp initialize the data structure
correctly. Introduce two names for that.
In case the sender didn't send a couple of frames we will have
a time gap that is bigger than the accepted delta. Add a new
testcase for this and update the next_time.
Transcoding from GSM to PCMA can lead to the MGCP MGW sending
two PCMA packages with the same sequence number and timestamp.
Once with the encoded audio and once completely empty.
This is because "state->dst_packet_duration" is 0 in most cases
(unless a ptime is forced) and we attempt to encode audio even
if there are not enough samples. The encode_audio return will
return 0 in that case which is not trated as an error by the
mgcp network code.
Handle rc == 0 specially and document the semantic.
The sequence number was read from the wrong place and then
the wrong byte order conversion routine was used so we ended
up wirting 0x00, 0x00 into the patched sequence number. Add
a testcase for that.
When going from a ptime of 10 to 20 a lot of alignment errors
are reported. In fact the alignment check should be done before
and after the transcoding. As this is not possible right now
only do it _after_ the patching.
It took me a long time to figure out that errx just exits and
the test output didn't indicate that the application was exited
early. Use a printf and good old abort in case of a failure.
The GSM handle was never released. This was found using valgrind
and the leak check.
==14933== 752 bytes in 1 blocks are definitely lost in loss record 15 of 19
==14933== at 0x4028B4C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==14933== by 0x4130201: gsm_create (in /usr/lib/i386-linux-gnu/libgsm.so.1.0.12)
==14933== by 0x80517AE: mgcp_transcoding_setup (mgcp_transcode.c:199)
==14933== by 0x8049691: given_configured_endpoint.isra.1 (mgcp_transcoding_test.c:198)
==14933== by 0x8049C11: test_transcode_result (mgcp_transcoding_test.c:328)
==14933== by 0x8049418: main (mgcp_transcoding_test.c:582)
<000b> osmux.c:177 Cannot find endpoint with cid=7
!
<000b> osmux.c:253 Cannot find an endpoint for circuit_id=7
The extra newline and '!' do not provide any extra value and
make reading the output more difficult. Just remove it.
An empty log_info is not enough. We need to make sure that at least
DLGLOBAL is present. Instead of doing that make sure that we have
enough entries.
==26163== Conditional jump or move depends on uninitialised value(s)
==26163== at 0x403B289: osmo_vlogp (logging.c:290)
==26163== by 0x403B3DA: logp2 (logging.c:339)
==26163== by 0x804D027: gbprox_relay2bvci (gb_proxy.c:347)
==26163== by 0x804D3CF: gbprox_rx_sig_from_sgsn (gb_proxy.c:589)
==26163== by 0x804DBFC: gbprox_rcvmsg (gb_proxy.c:685)
==26163== by 0x4052CB0: gprs_ns_process_msg (gprs_ns.c:669)
==26163== by 0x4052F70: gprs_ns_rcvmsg (gprs_ns.c:1053)
==26163== by 0x804BB49: gprs_process_message (gbproxy_test.c:488)
==26163== by 0x804BC4C: send_ns_unitdata (gbproxy_test.c:210)
==26163== by 0x804BDE8: send_bssgp_reset_ack (gbproxy_test.c:243)
==26163== by 0x804B54F: main (gbproxy_test.c:863)
==26163==
The peers are (talloc) children of the GPRS NS. This means the
peers (and the rate counters) are currently being deleted twice.
==23446== Invalid write of size 4
==23446== at 0x403C243: rate_ctr_group_alloc (linuxlist.h:66)
==23446== by 0x4050974: gprs_nsvc_create (gprs_ns.c:209)
==23446== by 0x405320D: gprs_ns_instantiate (gprs_ns.c:1330)
==23446== by 0x804ABEB: main (gbproxy_test.c:666)
==23446== Address 0x4300694 is 52 bytes inside a block of size 784 free'd
==23446== at 0x4029DA8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==23446== by 0x4041B9D: _talloc_free (talloc.c:609)
==23446== by 0x4043292: talloc_free (talloc.c:578)
==23446== by 0x40532D3: gprs_ns_destroy (gprs_ns.c:1363)
==23446== by 0x804ABD7: main (gbproxy_test.c:660)
Make the llc_default_params structure from which data is initialized
large enough. Otherwise address sanitizer complains with out-of-bounds
reads.
Only SAPIs 1, 2, 3, 5, 7, 8, 9, 11 are defined for GPRS but the
struct gprs_llc_llme includes NUM_SAPIS lle's and they are populated
from the llc_default_params structure.
This adds a test case with several messages to test BSSGP patching.
New messages:
- BSSGP/DTAP Attach Request
- BSSGP/DTAP Attach Accept
- BSSGP/DTAP Routing Area Update Request
- BSSGP/DTAP Routing Area Update Accept
- BSSGP/DTAP Activate PDP Context Request
- BSSGP SUSPEND
- BSSGP SUSPEND ACK
Sponsored-by: On-Waves ehf
This parameter is not used (the methods are always called with an
argument of 1 in the third position). Thus the parameter is removed
completely.
Sponsored-by: On-Waves ehf
The type in the schema is integer but we need to use ulonglong to
read it as otherwise the read will fail.
DBI: -7: The requested variable type does not match what libdbi thinks it should be
Currently the terms 'Routing area code' (RAC) and 'Location area
code' (LAC) are used in several places where 'Routing area
identification' (RAI) or 'Location area identification' (LAI) are
meant in fact.
This patch replaces RAC/LAC by RAI/LAI and 'code' by 'identification'
at these places.
Note that RAI := MCC MNC LAC RAC, and LAI := MCC MNC LAC (see GSM
03.03, sections 4.1 and 4.2).
Sponsored-by: On-Waves ehf
Currently when ftmp_extra is set, a doubled a=rtpmap line is emitted
instead of the fmtp_extra info.
This patch fixes replaces the formerly copied and pasted but not
modified snprintf parameters by the correct ones.
Fixes: Coverity CID 1220873
Sponsored-by: On-Waves ehf
Add tests setting the fmtp_extra field to check the response
generation. This triggers a bug found by Coverity.
Addresses: Coverity CID 1220873
Sponsored-by: On-Waves ehf
Currently, if there is no SDP data in the MGCP message received from
the net, the fields containing audio encoding information are not set
in net_end. So in recvonly mode transcoding would not be set up
correctly.
This patch changes the implementation of the code handling CRCX and
MDCX to use the codec signalled in the MGCP local connection options
(field 'a:') if there isn't any SDP data. This is only halfway
negotiation, because the codec is used blindly and not matched
against the supported ones.
Sponsored-by: On-Waves ehf
This patch moves the files relevant to transcoding from
src/osmo-bsc_mgcp to src/libmgcp and src/include/openbsc. Makefiles
and include directives are being updated accordingly.
Sponsored-by: On-Waves ehf
The current transcoder implemenation always does a 1:1 recoding
concerning the duration of a packet. So RTP timestamps and sequence
numbers are not modified.
This is not sufficient in some cases, e.g. when the BTS does only
allow for a single fixed ptime.
This patch decouples encoding from decoding and moves the decoded
samples to the state structure so that samples can be combined or
drain according to the packaging of incoming and outgoing packets.
This patch incorporates parts of Holger's experimental fixes in
0e669e05^..9eba68f9.
Ticket: OW#1111
Sponsored-by: On-Waves ehf
This patch implements audio transcoding between the formats GSM,
PCMA, L16, and optionally G.729.
The feature needs to be enabled by using the autoconf option
'--enable-mgcp-transcoding'. In this case mgcp_transcode.c will
be compiled and linked to osmo-bsc_mgcp, and the transcoding
functions provided will be registered as processing callbacks.
If G.729 support is required, libcg729 needs to be installed and
'--with-g729' must be passed to ./configure.
Ticket: OW#1111
Sponsored-by: On-Waves ehf
Don't show media related lines if the payload type has not been set.
Don't show a 'a=rtpmap' line if the audio_name has not been set.
This patch unifies the SDP generation of create_response_with_sdp()
and send_msg().
Sponsored-by: On-Waves ehf
This patch adds the get_net_downlink_format_cb() callback to provide
payload_type, subtype_name, and fmtp_extra suitable for use in a MGCP
response sent to the network. Per default, the BTS side values are
returned since these must be honoured by the net peer when sending
audio to the media gateway (unless transcoding is done).
Sponsored-by: On-Waves ehf
This patch adds the fields channels, subtype_name, and audio_name to
the struct. The field audio_name contains the full string that has
been used for the last part of a SDP a=rtpmap line. The others contain
decoded parts of that string. If no a=rtpmap line has been given
(e.g. because dynamic payload types are not used), values are
assigned when the payload type matches one of the predefined ones
(GSM, G729, PCMA).
The patch also moves the audio_name parsing code to a dedicated
set_audio_info() function.
Sponsored-by: On-Waves ehf
This patch adds the callbacks rtp_processing_cb and
setup_rtp_processing_cb to mgcp_config to support arbitrary RTP
payload processing.
Sponsored-by: On-Waves ehf
Currently LLC parsing is part of gprs_llc.c which needs large parts
of the SGSN code parsing to fulfill its link dependencies.
This patch moves the functions that just do plain parsing, dumping,
and FCS computation to a different file to avoid these dependencies
if LLC stateful processing is not needed. It also exposes
struct gprs_llc_hdr_parsed and enum gprs_llc_cmd publically.
Sponsored-by: On-Waves ehf
The code currently uses an encoded sequence of (hex) 10 20 30 40 50
60 as RAI, for which no bijective mapping to the set of
representations MCC-MNC-LAC-RAC exists.
This patch changes the hard-coded RAI to 11 22 33 40 50 60 which maps
to 112-332-16464-96 (and vice-versa).
Sponsored-by: On-Waves ehf
The patches were posted to the ML but didn't receive review
there. At the time I merge the change I did a Location Updating
Request and the channel was released in a successful way.
In case we receive ERROR INDICATION and CONNECTION FAILURE we only
want to RF Channel Release the lchan once. This code is more simple
and should work as reliable as the previous commit.
When we receive an ERROR INDICATION and CONNECTION FAILURE we
might call rsl_rf_chan_release multiple times. The channel release
handling is still a bit messy and there too many paths that lead
to the call.
1.) In case we receive an ERROR INDICATION for SAPI=3. A RLL
error signal will be emitted that leads to the release of the
channel through the SMS code in case of the NITB. The call to
rsl_rf_chan_release might be a double release.
2.) In case a CONNECTION FAILURE is received when the release
process has already been started we would unconditionally
call rsl_rf_chan_release as well.
Because the lchan state is changed by the callers of the
rsl_rf_chan_release we can not move the state checking into this
code but need to do it in the caller. The issue was seen in a trace
from Rhizomatica and I created the DoubleRelease.st to re-produce
the issue and verified that we have no duplicate RF Channel Releses.
The other option would be to introduce a new state to track
the release process and see if we have already released SAPIs
deactivated the SACCH or such. We can not simply look at these
as for a channel that fails to activate they will be null already.
Looking at the code it seemed possible that a channel would
transition from BROKEN to NONE. Or worse from NONE to BROKEN.
Start the timer _after_ the channel has been released.
Make it possible to inform local CTRL connections about some state.
The TRAP will be only sent to local connections. The notification
text may not contain spaces.
Use the right size for scanf.
=================================================================
==6106== ERROR: AddressSanitizer: unknown-crash on address 0xbffff4b0 at pc 0xb69d87fd bp 0xbffff248 sp 0xbffff21c
WRITE of size 65 at 0xbffff4b0 thread T0
#0 0xb69d87fc (/usr/lib/i386-linux-gnu/libasan.so.0.0.0+0xa7fc)
#1 0xb69d9239 (/usr/lib/i386-linux-gnu/libasan.so.0.0.0+0xb239)
#2 0xb69d92d6 (/usr/lib/i386-linux-gnu/libasan.so.0.0.0+0xb2d6)
#3 0x804f151 (/home/ich/source/gsm/openbsc/openbsc/tests/mgcp/mgcp_test+0x804f151)
#4 0x80531e8 (/home/ich/source/gsm/openbsc/openbsc/tests/mgcp/mgcp_test+0x80531e8)
#5 0x8051e6f (/home/ich/source/gsm/openbsc/openbsc/tests/mgcp/mgcp_test+0x8051e6f)
#6 0x8049b0a (/home/ich/source/gsm/openbsc/openbsc/tests/mgcp/mgcp_test+0x8049b0a)
#7 0x804bd9e (/home/ich/source/gsm/openbsc/openbsc/tests/mgcp/mgcp_test+0x804bd9e)
#8 0xb6778a62 (/lib/i386-linux-gnu/i686/cmov/libc-2.18.so+0x19a62)
#9 0x8049330 (/home/ich/source/gsm/openbsc/openbsc/tests/mgcp/mgcp_test+0x8049330)
Address 0xbffff4b0 is located at offset 416 in frame <parse_sdp_data> of T0's stack:
This frame has 8 object(s):
[32, 36) 'audio_payload'
[96, 100) 'payload'
[160, 164) 'channels'
[224, 228) 'ptime'
[288, 292) 'port'
[352, 368) 'ipv4'
[416, 480) 'audio_name'
[512, 576) 'audio_codec'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are*
This addresses an ASAN issue where the request was already deleted
by our callback function.
(gdb) where
#0 0xb69e7810 in __asan_report_error () from /usr/lib/i386-linux-gnu/libasan.so.0
#1 0xb69e0aff in __asan_report_store4 () from /usr/lib/i386-linux-gnu/libasan.so.0
#2 0x0804ea64 in subscr_send_paging_request (subscr=subscr@entry=0xb5103cb0)
at gsm_subscriber.c:212
#3 0x0804edac in subscr_get_channel (subscr=subscr@entry=0xb5103cb0, type=type@entry=2,
cbfn=cbfn@entry=0x804969d <subscr_cb>, param=param@entry=0x2342) at gsm_subscriber.c:246
#4 0x080498f7 in main (argc=1, argv=0xbffff804) at channel_test.c:77
Breakpoint 3, subscr_paging_dispatch (hooknum=hooknum@entry=101, event=event@entry=200,
msg=msg@entry=0x1323, data=<optimized out>, data@entry=0x8063900 <s_conn>,
param=<optimized out>, param@entry=0xb5103cb0) at gsm_subscriber.c:126
126 llist_del(&request->entry);
(gdb) b llist_del
(gdb) bt
#0 subscr_paging_dispatch (hooknum=hooknum@entry=101, event=event@entry=200,
msg=msg@entry=0x1323, data=<optimized out>, data@entry=0x8063900 <s_conn>,
param=<optimized out>, param@entry=0xb5103cb0) at gsm_subscriber.c:126
#1 0x0804e8a9 in subscr_paging_cb (hooknum=101, event=200, msg=0x1323,
data=0x8063900 <s_conn>, param=0xb5103cb0) at gsm_subscriber.c:187
#2 0x080497e9 in paging_request (bts=0xb5b03e70, subscriber=subscriber@entry=0xb5103cb0,
type=2, cbfn=cbfn@entry=0x804e881 <subscr_paging_cb>, data=data@entry=0xb5103cb0)
at channel_test.c:51
#3 0x0804ea39 in subscr_send_paging_request (subscr=subscr@entry=0xb5103cb0)
at gsm_subscriber.c:207
#4 0x0804edac in subscr_get_channel (subscr=subscr@entry=0xb5103cb0, type=type@entry=2,
cbfn=cbfn@entry=0x804969d <subscr_cb>, param=param@entry=0x2342) at gsm_subscriber.c:246
#5 0x080498f7 in main (argc=1, argv=0xbffff804) at channel_test.c:77
(gdb) q
In ae1997248c the handwritten tokenizer
was replaced with strtok_r. As part of this change the structural
checking of MGCP parameters was stopped. This means that a code like
"line + 3" might access beyond the first NUL and be possibly behind
the msgb. Manually add size checking again. Manually jumping to the
error label is not possible anymore as it has been removed. The result
is that invalid lines will be skipped. This is matching the general
approach by the IETF RFCs to be permissive in data being received.
This patch adds the voice muxer. You can use this to batch RTP
traffic to reduce bandwidth comsuption. Basically, osmux transforms
RTP flows to a compact batch format, that is later on decompacted
to its original form. Port UDP/1984 is used for the muxer traffic
between osmo-bsc_nat and osmo-bsc_mgcp (in the BSC side). This
feature depends on libosmo-netif, which contains the osmux core
support.
Osmux is requested on-demand via the MGCP CRCX/MDCX messages (using
the vendor-specific extension X-Osmux: on) coming from the BSC-NAT,
so you can selectively enable osmux per BSC from one the bsc-nat.cfg
file, so we have a centralized point to enable/disable osmux.
First thing you need to do is to accept requests to use Osmux,
this can be done from VTY interface of osmo-bsc_nat and
osmo-bsc_mgcp by adding the following line:
mgcp
...
osmux on
osmux batch-factor 4
This just initializes the osmux engine. You still have to specify
what BSC uses osmux from osmo-bsc_nat configuration file:
...
bsc 1
osmux on
bsc 2
...
bsc 3
osmux on
In this case, bsc 1 and 3 should use osmux if possible, bsc 2 does
not have osmux enabled.
Thus, you can selectively enable osmux depending on the BSC, and
we have a centralized point for configuration from the bsc-nat to
enable osmux on demand, as suggested by Holger.
At this moment, this patch contains heavy debug logging for each
RTP packet that can be removed later to save cycles.
The RTP ssrc/seqnum/timestamp is randomly allocated for each MDCX that
is received to configure an endpoint.
In rtcp_sdes_cname_mangle when skipping over additional zeroes at the
end of a chunk we should not read past the actual message (rtcp_end).
Fixes CID #1206579
I'm not entirely sure if this is the best approach. However,
there are phones that send a RACH request for TCH/F on MO calls, even
though they actually do support TCH/H channels.
When forwarding AMR from RTP towards the MNCC interface, we need to set
the apropriate msg_type. Before this patch it was unitialized,
resulting in improper/unknown msg_types of messages on the MNCC
interface.
AMR frames on the MNCC interface are slightly different as they
include a single-byte payload_length indicator prior to the actual
payload. Commit 3f201ac89952b68d05c0bb6cb41932b9cd898b19 introduced
more special-case handling than required, so I'm trying to simplify
things again.
We now also use msgb_put() more consistently, i.e. always put
before actually using the data, and use the return value of msgb_put()
rather than first making assumptions about the pointer, writing to it
and then calling msgb_put().
This has been pointed out by Jacob and removes two more duplicates
of the struct. For the unused CTRL_CMD_DEFINE_STRING macro there
will be no verify command.
Currently, if a CTRL method does not set the reply, an error is
logged ("cmd->reply has not been set"). It even complains when the
function implementing the command returns CTRL_CMD_HANDLED, where
a reply text is not needed.
This patch changes the logging level from ERROR to NOTICE. The logging
is now only done, when the retry has not been set and the
implementation returns either CTRL_CMD_ERROR or CTRL_CMD_REPLY. So
in these cases the reply field must be set.
This fixes the generation of log messages when doing NAT ctrl command
forwarding.
Ticket: OW#1177
Sponsored-by: On-Waves ehf
This adds a --frame-size option to read payload binary files with a
fixed frame size directly. The file must not contain RTP headers.
In addition '--rate' and '--duration' can be used to configure the
timing.
Sponsored-by: On-Waves ehf
FreeBSD uses POSIX netinet/in.h for representing socket addresses
data types.
[Holger removed the #ifdef and changed the order of includes to
have specific ones first and system includes later]
The code in the BSC/NAT called ipaccess_rcvmsg_base without
checking if the protocol is IPA. This lead the BSC to respond
to SCCP messages with an "ID ACK". From a quick look neither
the code of ipaccess_rcvmsg_base in OpenBSC nor the copy of
libosmo-abis ever checked the protocol header. So this code
has been wrong since initially being created in 2010.
The sender_id is gone so the code that attempted to delete SMS
didn't work anymore. Delete the SMS based on src_addr or the
dest_addr.
Fixes:
======================================================================
ERROR: testSubscriberAddRemove (__main__.TestCtrlNITB)
----------------------------------------------------------------------
Traceback (most recent call last):
File "tests/ctrl_test_runner.py", line 379, in testSubscriberAddRemove
r = self.do_set('subscriber-delete-v1', '2620345')
File "tests/ctrl_test_runner.py", line 114, in do_set
return self.recv_msgs()[id]
KeyError: 1002
This branch allows a SMPP user to fully specify the sender id. It
requires a change in schema, database migration code and exposed
some issues in the libdbi and the sqlite3 driver.
This is mostly based on Alexander's migration code. The code
adds transaction handling and some sanity checks and cleanups
to the code. We made the decision to fork the sms_from_result
method and freeze it to that version. This way sms_from_result
can move forward without having to deal with legacy.
That was a bad idea from the very beginning. A visible result of this is a wrong
SMS routing when you change subscriber extensions, while having queued SMS. It's
also a very wrong thing from the code layering perspective.
I think the next logical step should be to remove "receiver" pointer from
the gsm_sms structure into a structure, special for the internal SMS queue.
This is an incompatible database schema change. Store the type of
the address in the database for both the sender and the receiver.
Currently it is possible to use SMPP to store a SMS and the NPI
and TON will be lost on the delivery of the SMS. The schema is
changed to make the delivery always use the right NPI/TON. This
patch is not ready for the master branch as there is no upgrade
path for the HLR yet.
Use memcpy to copy from the OML message into the stack and then
convert the network byte order.
network_listen.c: In function ‘test_rep’:
network_listen.c:145:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
test_rep_len = ntohs(*(uint16_t *) &foh->data[3]);
^
network_listen.c:153:3: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
ferr_list_len = ntohs(*(uint16_t *) &foh->data[7]);
^
network_listen.c:164:3: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
ferr_list_len = ntohs(*(uint16_t *) &foh->data[7]);
^
network_listen.c:130:11: warning: variable ‘test_rep_len’ set but not used [-Wunused-but-set-variable]
uint16_t test_rep_len, ferr_list_len;
sgsn_main.c: In function ‘main’:
sgsn_main.c:345:2: warning: implicit declaration of function ‘gprs_sndcp_vty_init’ [-Wimplicit-function-declaration]
gprs_sndcp_vty_init();
^
sgsn_main.c:354:2: warning: implicit declaration of function ‘sgsn_gtp_init’ [-Wimplicit-function-declaration]
rc = sgsn_gtp_init(&sgsn_inst);
^
CC gprs_sndcp_vty.o
gprs_sndcp_vty.c: In function ‘vty_dump_sne’:
gprs_sndcp_vty.c:46:15: warning: unused variable ‘i’ [-Wunused-variable]
unsigned int i;
CC sgsn_libgtp.o
sgsn_libgtp.c: In function ‘create_pdp_conf’:
sgsn_libgtp.c:262:6: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable]
int rc;
^
sgsn_libgtp.c: In function ‘cb_data_ind’:
sgsn_libgtp.c:432:6: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable]
int rc;
CC gprs_llc.o
gprs_llc.c: In function ‘t200_expired’:
gprs_llc.c:322:2: warning: enumeration value ‘GPRS_LLES_UNASSIGNED’ not handled in switch [-Wswitch]
switch (lle->state) {
^
gprs_llc.c:322:2: warning: enumeration value ‘GPRS_LLES_ASSIGNED_ADM’ not handled in switch [-Wswitch]
gprs_llc.c:322:2: warning: enumeration value ‘GPRS_LLES_REMOTE_EST’ not handled in switch [-Wswitch]
gprs_llc.c:322:2: warning: enumeration value ‘GPRS_LLES_ABM’ not handled in switch [-Wswitch]
gprs_llc.c:322:2: warning: enumeration value ‘GPRS_LLES_TIMER_REC’ not handled in switch [-Wswitch]
gprs_llc.c: In function ‘gprs_llc_hdr_rx’:
gprs_llc.c:564:2: warning: enumeration value ‘GPRS_LLC_NULL’ not handled in switch [-Wswitch]
switch (gph->cmd) {
^
gprs_llc.c:564:2: warning: enumeration value ‘GPRS_LLC_RR’ not handled in switch [-Wswitch]
gprs_llc.c:564:2: warning: enumeration value ‘GPRS_LLC_ACK’ not handled in switch [-Wswitch]
gprs_llc.c:564:2: warning: enumeration value ‘GPRS_LLC_RNR’ not handled in switch [-Wswitch]
gprs_llc.c:564:2: warning: enumeration value ‘GPRS_LLC_SACK’ not handled in switch [-Wswitch]
gprs_llc.c: In function ‘gprs_llc_rcvmsg’:
gprs_llc.c:791:23: warning: unused variable ‘udh’ [-Wunused-variable]
struct bssgp_ud_hdr *udh = (struct bssgp_ud_hdr *) msgb_bssgph(msg);
^
gprs_llc.c: At top level:
gprs_llc.c:311:13: warning: ‘t200_expired’ defined but not used [-Wunused-function]
static void t200_expired(void *data)
^
gprs_llc.c:337:13: warning: ‘t201_expired’ defined but not used [-Wunused-function]
static void t201_expired(void *data)
CC gprs_sndcp.o
gprs_sndcp.c: In function ‘defrag_input’:
gprs_sndcp.c:188:25: warning: variable ‘scomph’ set but not used [-Wunused-but-set-variable]
struct sndcp_comp_hdr *scomph = NULL;
^
gprs_sndcp.c: In function ‘sndcp_llunitdata_ind’:
gprs_sndcp.c:512:11: warning: variable ‘npdu_num’ set but not used [-Wunused-but-set-variable]
uint16_t npdu_num;
^
gprs_sndcp.c: At top level:
gprs_sndcp.c:565:12: warning: ‘sndcp_ll_reset_ind’ defined but not used [-Wunused-function]
static int sndcp_ll_reset_ind(struct gprs_sndcp_entity *se)
^
gprs_sndcp.c:573:12: warning: ‘sndcp_ll_status_ind’ defined but not used [-Wunused-function]
static int sndcp_ll_status_ind()
^
CC gprs_gmm.o
gprs_gmm.c: In function ‘gsm48_tx_gmm_att_ack’:
gprs_gmm.c:350:11: warning: unused variable ‘ptsig’ [-Wunused-variable]
uint8_t *ptsig, *mid;
^
gprs_gmm.c: In function ‘gsm48_rx_gmm_auth_ciph_resp’:
gprs_gmm.c:524:6: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable]
int rc;
^
gprs_gmm.c: In function ‘gsm48_rx_gmm_att_req’:
gprs_gmm.c:703:9: warning: implicit declaration of function ‘sgsn_acl_lookup’ [-Wimplicit-function-declaration]
!sgsn_acl_lookup(mi_string))) {
^
gprs_gmm.c:632:40: warning: variable ‘old_ra_info’ set but not used [-Wunused-but-set-variable]
uint8_t *cur = gh->data, *msnc, *mi, *old_ra_info, *ms_ra_acc_cap;
^
gprs_gmm.c: In function ‘gsm48_rx_gmm_ra_upd_req’:
gprs_gmm.c:915:6: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable]
int rc;
^
gprs_gmm.c:910:11: warning: variable ‘ms_ra_acc_cap’ set but not used [-Wunused-but-set-variable]
uint8_t *ms_ra_acc_cap;
^
gprs_gmm.c: At top level:
gprs_gmm.c:458:12: warning: ‘gsm48_tx_gmm_auth_ciph_req’ defined but not used [-Wunused-function]
static int gsm48_tx_gmm_auth_ciph_req(struct sgsn_mm_ctx *mm, uint8_t *rand,
^
gprs_gmm.c:501:12: warning: ‘gsm48_tx_gmm_auth_ciph_rej’ defined but not used [-Wunused-function]
static int gsm48_tx_gmm_auth_ciph_rej(struct sgsn_mm_ctx *mm)
^
gprs_gmm.c:1169:13: warning: ‘msgb_put_pdp_addr_ipv4’ defined but not used [-Wunused-function]
static void msgb_put_pdp_addr_ipv4(struct msgb *msg, uint32_t ipaddr)
^
gprs_gmm.c:1180:13: warning: ‘msgb_put_pdp_addr_ppp’ defined but not used [-Wunused-function]
static void msgb_put_pdp_addr_ppp(struct msgb *msg)
Given that the method is only called for a traffic channels the
missing breaks didn't hurt.
Fixes: Coverity CID 1040731, CID 1040732, CID 1040733,
CID 1040734
In case ftell -1 will be returned. Coverity complained that the
pos we pass to fseek might be negative. In case the ftell fails
we are at the last line for sure.
Fixes: Coverity CID 1040721
Coverity complains about checking connection->cfg in
bsc_close_connection() at one place but not at the second.
This patch fixes this by adding a check before accessing cfg when
generating the 'partial message' log message.
Fixes: Coverity CID 1195180
Sponsored-by: On-Waves ehf
The log message lacked a lot of context. A SCCP connection is
created on behalf of a configured BSC. This way we should be
able to always list this information.
The old ipa_msg_recv() implementation didn't support partial receive,
so IPA connections got disconnected when this happened.
This patch adds the handling of the temporary message buffers and uses
ipa_msg_recv_buffered().
It has been successfully tested by jerlbeck with osmo-nitb and
osmo-bsc.
Ticket: OW#768
Sponsored-by: On-Waves ehf
In case the max_power_reduction changes, issue a new Set Radio
Carrier Attributes command. OML 12.21 allows to not include the
ARFCN list and the semantic I picked/understand is that a partial
update is possible.
Fixes: SYS#267
Add the control interface with no hierachy right now and implement
the first command to list IMSI + Context Address of active sessions.
sgsn_cmd_handle could share more code with bsc variant.
Fixes: SYS#264, SYS#265
For GPRS the look-up via bts/trx does not make any sense and would
introduce bad depdencies for the SGSN. Move the look-up code to a
new file and introduce new setup methods.
Sadly there is no proper foreign key relationship on the tables
that related to the Subscriber. This means we can't use a DELETE
with Cascade and need to delete everything by hand. To make things
worse maybe the SMS/Paging code is still using the subscriber
making the operation more dangerous. I had added NULL checks for
sender_id/receiver_id at 30C3 so we should not crash in this
situation.
Fixes: SYS#274
The test has been manually verified. Executing the select for
the subscribers showed:
sqlite> select * from Subscriber;
1|2014-03-23 12:12:46|2014-03-23 12:19:09|2620345||445567|1||0|
This created a subscriber with the right IMSI, MSISDN and has
it authorized.
Fixes: SYS#275
The new definitions are: half rate and AMR
Change of definition name for bad frame, because it applies to all types of
traffic, not only TCH/F.
Increase MNCC interface version to 4. Version 3 is skipped, because it was
used by older version of Linux-Call-Router which is incompatible with the
current version of the MNCC interface.
Send the two strings that caused the read handling to misbehave.
Verify that we handle this correctly by still being able to issue
a VTY command. The CPU load issue could not be verified like this.
The size parameter of msgb_alloc is uint16_t so any length value above
65535 will allocate a msgb with incorrect size.
This patch changes the type of rdlen and rc to ssize_t (the return value
of read) and guards against the read length being larger than
UINT16_MAX.
To reproduce the issue run:
echo -en "\x00\x01\x00\x01\x01" |socat stdin tcp:localhost:2775
The first 4 bytes are the length including the length field. For
length < 4 the subsequent msgb_put(msg, sizeof(uint32_t)) will fail,
resulting in an abort. The code also expects (in smpp_msgb_cmdid()) the
existence of 4 more bytes for the SMPP command ID.
This patch checks that the length received is large enough to hold all
8 bytes in the msgb and drops the connection if that's not the case.
The issue is reproducible with:
echo -e "\x00\x00\x00\x02\x00" |socat stdin tcp:localhost:2775
Read returning -1 is an error here so make sure to print the actual
reason and close the socket. Before this patch we just looped over the
fd with read returning -1 every time.
EINTR is handled to not cause an error and we don't need to check
EAGAIN/EWOULDBLOCK since the callback is only called in case there is
something to read.
To avoid copy&paste issues the check is implemented as a macro and the
log message moved into a separate if.
Make sure that bsc_gsmnet->bsc_data->rf_ctrl is initialized for
NITB. In commit a9fae1ae66 the
conditions for the rf_ctrl was removed but it was still needed
for the NITB.
Fixes regression from:
a9fae1ae66
bsc: rf_ctrl will always be created, remove the NULL checks
When one SMS has been delivered check if a second SMS can be scheduled
to that subscriber. If nothing can be scheduled kick the normal SMS queue
as one slot has become free now. Otherwise send the SMS and create a
pending entry.
It was possible that two SMS would be delivered at the same time
which violates GSM 04.11. We should solely rely on the sms queue
to schedule more SMS to the subscriber.
As can clearly be seen from SMPP Spec v3.4 Chapter 5.2.19,
a SUBMIT-SM with data_coding == 0x08 is UCS2, not with 0x80.
Thanks to ciaby@rhizomatica.org for reporting the bug.
Each RP-DATA should have a unique msg reference. Currently 42 is
used for all of these. Remember the last reference we used and
increment it on the next SMS. Do not track if the reference is
still in use a clash is a lot less likely now. First unless SMPP
is used only one SMS is delivered at a time, second the transaction
space is a lot smaller than the one for the reference.
In file included from bsc_api.c:34:0:
../../include/openbsc/trau_mux.h:62:15: warning: ‘struct decoded_trau_frame’ declared inside parameter list [enabled by default]
const struct decoded_trau_frame *tf);
^
../../include/openbsc/trau_mux.h:62:15: warning: its scope is only this definition or declaration, which is probably not what you want [enabled by default]
../../include/openbsc/trau_mux.h:64:15: warning: ‘struct decoded_trau_frame’ declared inside parameter list [enabled by default]
const struct decoded_trau_frame *tf);
^
../../include/openbsc/trau_mux.h:66:2: warning: ‘struct decoded_trau_frame’ declared inside parameter list [enabled by default]
const unsigned char *data);
^
../../include/openbsc/trau_mux.h:68:2: warning: ‘struct decoded_trau_frame’ declared inside parameter list [enabled by default]
const unsigned char *data);
The interface can be accessed through CTRL and a socket. But currently
it is only available when the socket interface has been configured.
Create the interface all the time but only listen on the socket when
a path has been specified.
For the max power reduction we will need to have a different range
method. It will need to check if the value is even. Make the set,
get and verify methods available through a macro.
With the current multiplication we might end up with 19999 as
time on i386. When we round it ends up as 20000 on i386 and
should work the same on AMD64.
Should fix on AMD64:
mgcp_test.c: In function ‘sendto’:
mgcp_test.c:318:10: warning: format ‘%d’ expects argument of type ‘int’, but argument 5 has type ‘size_t’ [-Wformat]
So far, the jitter computation has been based on output timestamps.
This patch uses the input timestamps instead and resets jitter
computation on SSRC changes.
Sponsored-by: On-Waves ehf
Currently, when the SSRC changes within a stream and SSRC fixing is
enabled, the RTP timestamp between the last packet that has been
received with the old SSRC and the first packet of the new SSRC
is always incremented by one packet duration.
This can lead to audio muting (at least with the nanoBTS) when the
wallclock interval between these packets is too large (> 1s).
This patch changes the implementation to base the RTP timestamp offset
on the wallclock interval that has passed between these two packets.
Ticket: OW#466
Sponsored-by: On-Waves ehf
Currently micro-secs and RTP rate get mixed when the transit value is
computed in mgcp_patch_and_count().
This patch changes get_current_ts() to accept the desired rate as
argument and to use it for the time conversion instead of always
converting to microseconds. If microseconds are needed,
get_current_ts(1000) can be used.
The arrival_time is now measured in 1/rtp_end->rate seconds so that
it can be directly compared to RTP timestamps as required by RFC3550
(section 6.4.1, see definition of 'interarrival jitter').
Sponsored-by: On-Waves ehf
Currently the stats (jitter, transit) cannot be checked properly,
since they depend on the wallclock time.
This patch fakes clock_gettime (CLOCK_MONOTONIC) to reflect the
scheduling time of the RTP packets. In addition, the RTP statistical
value are written to stdout.
A RTP test case with a SSRC change along with a reference time delay
has been added.
Sponsored-by: On-Waves ehf
Currently the conn_mode and the output_enabled flags are printed to
stdout.
This patch modifies this to print the output_enabled flags to stderr
instead. The bits in conn_mode are shown as RECV, SEND, and LOOP.
This does not reduce the significance of the test, since there is an
assertion already that verifies the values of the output_enabled
flags with respect to the conn_mode.
Sponsored-by: On-Waves ehf
Incoming DTAP messages from MS are discarded during silent calls,
which leads to the repeated delivery of SMS since the ACKs are not
being processed.
This patch adds some log messages that have been helpful to track
this down.
Sponsored-by: On-Waves ehf
E1 based BTS use TRAU muxer to decode TRAU frames. After changing
channel from one timeslot to another (due to handover or assignment),
the TRAU muxer must be updated. The call reference of the call is
disconnected from the old channel and connected to the new channel.
The filtering architecture already allowed to specify a reject
reason but this has not been used for the access-lists. Extend
the access-list to include a reject reason and extend the test
case to honor it.
Currently, the conn_mode field is reset after it has been checked.
This patch disables this behaviour and only adds a mark (bit) to
detect modifications.
Sponsored-by: On-Waves ehf
This patch changes implementation and the mgcp_connection_mode enum
in a way that net_end.output_enabled (bts_end.output_enabled) flag
always matches the MGCP_CONN_SEND_ONLY (MGCP_CONN_RECV_ONLY) bit of
conn_mode.
Based on this, the conn_mode bits are then used instead of the
output_enabled fields within mgcp_protocol.c.
Sponsored-by: On-Waves ehf
Currently RTP output_enabled is set to 1 on initialisation, which
does not semantically match the initial value of conn_mode
(MGCP_CONN_NONE).
This patch changes this initial value to 0.
Sponsored-by: On-Waves ehf
We don't want every caller to check for ts->tsc == -1 and then
using ts->trx->bts->tsc instead. Rather, introduce a new inline
function to retrieve the correct value.
This patch (hopefully) fixes the new defects reported by coverity.
Addresses:
** CID 1156986: Negative array index read (NEGATIVE_RETURNS)
/tests/gsm0408/gsm0408_test.c: 419 in test_si_range_helpers()
/tests/gsm0408/gsm0408_test.c: 423 in test_si_range_helpers()
/tests/gsm0408/gsm0408_test.c: 427 in test_si_range_helpers()
** CID 1156987: Unchecked return value from library
(CHECKED_RETURN)
/src/libmgcp/mgcp_protocol.c: 1150 in mgcp_keepalive_timer_cb()
** CID 1156988: Unchecked return value from library
(CHECKED_RETURN)
/src/libmgcp/mgcp_protocol.c: 983 in handle_modify_con()
Sponsored-by: On-Waves ehf
The check is removed from gsm48_cc_rx_setup() and gsm48_cc_rx_call_conf().
Receiving a layer 3 message implies that the transaction has a subscriber
connection and a logical channel.
This patch fixes the Coverity issues with CID 115311 and CID 1155312.
So far, a single dummy packet has been sent immediately after the
reception of a MDCX message. There is no dedicated keep alive
mechanism (it just worked because the audio from the MS has always
been forwarded to the NAT until the 'mgcp: Set output_enabled flags
based on the MGCP mode' patch).
This patch adds explicit, timer based keep alive handling that can be
enable per trunk. A VTY command 'rtp keep-alive' command is added for
configuration which can be used to set the interval in seconds, to
send a single packet after the reception of a CRCX/MDCX when RTP data
from the net is expected ('once'), or to disable the feature
completely ('no rtp keep-alive'). In 'send-recv' connections, only
the initial packet is sent if enabled (even when an interval has been
configured). The default is 'once'.
Note that this removes the mgcp_change_cb() from mgcp_main.c.
Sponsored-by: On-Waves ehf
Currently a dummy packet is only sent to the RTP port. This is not
enough if RTCP must also cross the SNAT.
This patch sends an additional dummy packet to the RTCP net
destination if omit_rtcp is not set.
Sponsored-by: On-Waves ehf
Rename the timestamp variable to make in clear, that the input
timestamp is meant. Add a helper variable to illustrate the offset
computation.
Sponsored-by: On-Waves ehf
This patch extends the test_messages test to show the number of dummy
packets that has been passed to sendto(). This way, dummy packets are
even being counted when sendto() itself failes (e.g. due to the fd
being -1).
Sponsored-by: On-Waves ehf
This modifies the test MGCP messages to include M:recvonly (CRCX),
M:sendrecv (MDCX) and M:sendonly (MDCX) outputs the resulting
output_enabled flags and the conn_mode after processing the message.
Sponsored-by: On-Waves ehf
This patch make it possible to have a valid endpoint that drops all
outgoing RTP packets. The number of dropped packets is shown by the
VTY 'show mgcp' command. By default, this feature is disabled. To
enable packet dropping, the corresponding output_enabled field must
be set to 0.
Ticket: OW#1044
Sponsored-by: On-Waves ehf
Currently there are two symmetric code paths which are selected by
the packet destination (NET or BTS).
This patch introduces 3 variables that take the different values
and unifies both code paths into one.
Sponsored-by: On-Waves ehf
This commit adds the implementation of these range formats to the
encoder. In addition, the work-around that tried range 512 first is
removed, so that the selection is primarily based on the max distance
between frequencies.
Ticket: OW#1061
Sponsored-by: On-Waves ehf
Currently the encoding of the chan_list is done by a hard-coded
sequence of macros that closely resembles figure 10.5.16 in
3GPP TS 04.08.
This patch replaces this by an algorithmic solution that can be used
for all range encodings and is based on the property
W(2^i) to W(2^(i+1)-1) are on w1_len-i bits when present
(see section 10.5.2.13 in TS 04.08).
Ticket: OW#1061
Sponsored-by: On-Waves ehf
f0 is currently set to arfcns[0] in range_enc_determine_range(),
while GSM 04.08 requires f0 to be ARFCN 0 in range1024 encoding.
This patch modifies range_enc_determine_range() to force f0 to be 0
if this encoding is used. This way the case distinction in
range_enc_filter_arfcns() is not longer necessary.
Sponsored-by: On-Waves ehf
Currently tests covering features of the GSM 04.08 specification are
spread over the si and gsm0408 subdirs in tests.
This commit merges all tests from 'si' into 'gsm0408' and removes the
'si' test sub-directory.
Sponsored-by: On-Waves ehf
This commit adds test range encoding tests. They check the property
decoding(encoding(L)) = L and optionally dump the results and
encoded sequences to stdout.
There a 2 test modes:
- A list of fixed tests
- A random number based test loop per ARFCN list size (only dumps
the first failing test)
Sponsored-by: On-Waves ehf
The iPhone5 (US) appears to have some issues with the SIs generated,
or the nanoBTS is not sending them correctly.
Add a configurable hack to put all bands into the SI2/SI5 message.
It is enabled by the bts VTY command 'force-combined-si'.
This is a quick change without much reflection and watching for side
effects. I have verfied that a network with ARFCN 134 and neighbors
ARFCN 130 and 512 do not get generate the SI2ter and announce everything
inside the SI2.
This patch is conceptually based on 'si: Add a hack to disable
SI2ter/SI2bis/SI5ter/SI5bis messages' (692daaf2d2).
Ticket: OW#1062
Sponsored-by: On-Waves ehf
Speech codings which are not supported by BTS will be removed from the
bearer capability information element after parsing. This way it is not
required for the MNCC application to consider support of each BTS.
Only GSM full rate is supported by default.
This option is a workarround for a bug found in Nokia InSite BTS firmware
version 3.0.0. There is no RELease CONFirm message for local end release.
Nokia MetroSite with firmware version 4.178.16 is not affected.
TS 04.06 Chapter 5.4.4.4 "Local end release procedure" states that a
confirm must be sent by layer 2 when receiving a local end release
request.
In order to correctly switch a channel (handover or assignment), local
end release is required.
Currently the NET_DST information element (see GSM 24.008) is not
included in generated MM info messages even when the DST field in the
timezone info has been set via the VTY or the control interface.
This patch modifies gsm48_tx_mm_info() to append this information
element if (and only if) a non-zero DST has been configured. The
DST IE is not part of GSM 4.8. Therefore it will only be sent, if the
DST offset is configured to a value != 0.
The DST functionality has been verified with wireshark by Jacob.
Sponsored-by: On-Waves ehf
Currently we only set the SUBSCR on RSL messages. Extend it to
messages that go through MNCC. For call control/bridging it is
difficult to pick the right subscriber. We should support a list
or at least two legs in the imsi filter context.
In case the unpack of a USSD request is failing the channel would
remain open and the phone would not receive a response. Simply
reject the interrogation.
Example interrogation:
0000 1b 7b 1c 0d a1 0b 02 01 01 02 01 0e 30 03 04 01
0010 11 7f 01 00
Sylvain pointed out that in the current crash log the transaction
we try to read the SMS from is actually a transaction for Call
Control. On AMD64 the struct layout is different and that leads to
a crash when the CC transaction is in front of the SMS transaction.
Look at the trans->protocol to fix the crash. The issue got
introduced in 6a3d765bf9 (2010)
when I added the SAPI N Reject handling.
#0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
at smpp_openbsc.c:284
284 if (sms->source != SMS_SOURCE_SMPP)
(gdb) bt
#0 smpp_sms_cb (subsys=1, signal=4, handler_data=0xbb8270, signal_data=0x7fff33574ea0)
at smpp_openbsc.c:284
#1 0x00007f424e4a094c in osmo_signal_dispatch (subsys=1, signal=4,
signal_data=0x7fff33574ea0) at signal.c:105
#2 0x000000000042b070 in send_signal (sig_no=<optimized out>, trans=<optimized out>,
sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:125
#3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
#4 0x0000000000408983 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>)
at bsc_api.c:733
#5 rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:755
#6 rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:736
#7 0x000000000041f8d2 in complete_rllr (rllr=<optimized out>, type=<optimized out>)
at bsc_rll.c:55
#8 0x00007f424e4a03bc in osmo_timers_update () at timer.c:243
#9 0x00007f424e4a069b in osmo_select_main (polling=0) at select.c:133
#10 0x0000000000407394 in main (argc=<optimized out>, argv=0x7fff33575238) at bsc_hack.c:346
(gdb) frame 3
#3 0x000000000042ccd2 in gsm411_sapi_n_reject (conn=0xec6790) at gsm_04_11.c:1000
1000 send_signal(S_SMS_UNKNOWN_ERROR, trans, sms, 0);
(gdb) p trans
$1 = (struct gsm_trans *) 0xedba80
(gdb) p *trans
....
data = 0x1}}, sms = 0x3439323400000003}}}
(gdb) p trans->protocol
$4 = 3 '\003'
Avoid a crash when reading a SMS and a Subscriber could not be resolved.
It is not clear why the read was failing. The sender_id and the receiver_id
was valid for the given sms. I assume that the database has been locked
due external access to it.
The side-effect is that in case of such a failure the sms_queue will start
to deliver starting from subscriber id = 0 again.
#1 0x0000000000428bec in sms_from_result (net=0x156a270, result=0x15eda30) at db.c:1146
#2 0x000000000042a8e0 in db_sms_get_unsent_by_subscr (net=0x156a270,
min_subscr_id=<optimized out>, failed=<optimized out>) at db.c:1255
#3 0x000000000042e900 in take_next_sms (smsq=<optimized out>) at sms_queue.c:193
#4 sms_submit_pending (_data=0x158e300) at sms_queue.c:227
#5 0x00007f3fd30de3bc in osmo_timers_update () at timer.c:243
#6 0x00007f3fd30de69b in osmo_select_main (polling=0) at select.c:133
#7 0x0000000000406fbc in main (argc=9, argv=<optimized out>) at bsc_hack.c:346
(gdb) frame 1
#1 0x0000000000428bec in sms_from_result (net=0x156a270, result=0x15eda30) at db.c:1146
1146 strncpy(sms->src.addr, sms->sender->extension, sizeof(sms->src.addr)-1);
(gdb) p *sms
(gdb) p sms->sender
$1 = (struct gsm_subscriber *) 0x0
(gdb) p sender_id
$2 = <optimized out>
Sylvain pointed out that the RLL and the SMC timeout is the same.
This can lead to have a SMC re-transmission before the first RLL
Establish Request has timed out. Reduce the RLL timeout. GSM 08.58
does not specify a timeout so right now I just reduce it to seven
seconds.
conn->loc_operation is already NULL (e.g. due a five second timeout but
we are still processing a RSL message after we initiated the release
procedure). Do not attempt to authorize a subcriber without knowing the
key_sequence.
This can cause more problems but we will need to test this in the field.
(gdb) bt
#0 gsm0408_authorize (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:323
#1 gsm0408_authorize (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:319
#2 0x000000000043a99a in mm_rx_id_resp (conn=0x19fc2f0, msg=<optimized out>)
at gsm_04_08.c:495
#3 gsm0408_rcv_mm (msg=<optimized out>, conn=0x19fc2f0) at gsm_04_08.c:1041
#4 gsm0408_dispatch (conn=0x19fc2f0, msg=<optimized out>) at gsm_04_08.c:3232
(gdb) p *conn
$5 = {entry = {next = 0x1746930, prev = 0x1a14270}, subscr = 0x1745eb0,
expire_timer_stopped = 1 '\001', loc_operation = 0x0, sec_operation = 0x0,
anch_operation = 0x0, silent_call = 0, put_channel = 0, sccp_con = 0x0, in_release = 0,
lchan = 0x7f8c79007218, ho_lchan = 0x0, bts = 0x1719f90, T10 = {node = {
rb_parent_color = 0, rb_right = 0x0, rb_left = 0x0}, list = {next = 0x0, prev = 0x0},
timeout = {tv_sec = 0, tv_usec = 0}, active = 0, cb = 0, data = 0x0},
secondary_lchan = 0x0}
When modern Smartphones receive "Not in VLR". The baseband firmware
apparently does not try to do an IMSI ATTACH but just remains un-happy
and will not connect to the network anymore.
Let's revert it and see if we can find the real issue about the
sms being invalid. Sylvain has pointed out that we get invoked
from a timer and might not have stopped it properly.
This reverts commit 80ba9b5dd6.
I am not sure why it is crashing so this is a speculative fix based on
something we already did in 3e9b2ec257.
#0 sms_find_pending (smsq=0x2706300, sms=<optimized out>) at sms_queue.c:77
#1 sms_sms_cb (subsys=<optimized out>, signal=4, handler_data=0x26e2270,
signal_data=0x7fffdac256c0) at sms_queue.c:396
#2 0x00007fcdea94394c in osmo_signal_dispatch (subsys=1, signal=4,
signal_data=0x7fffdac256c0) at signal.c:105
#3 0x000000000042acc0 in send_signal (sig_no=<optimized out>, trans=<optimized out>,
sms=<optimized out>, paging_result=<optimized out>) at gsm_04_11.c:124
#4 0x000000000042c8e2 in gsm411_sapi_n_reject (conn=0x2722d30) at gsm_04_11.c:999
#5 0x00000000004085d3 in send_sapi_reject (link_id=<optimized out>, conn=<optimized out>)
at bsc_api.c:733
#6 rll_ind_cb (_data=<optimized out>, lchan=<optimized out>, link_id=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:755
#7 rll_ind_cb (lchan=<optimized out>, link_id=<optimized out>, _data=<optimized out>,
rllr_ind=<optimized out>) at bsc_api.c:736
#8 0x000000000041f522 in complete_rllr (rllr=<optimized out>, type=<optimized out>)
at bsc_rll.c:55
#9 0x00007fcdea9433bc in osmo_timers_update () at timer.c:243
#10 0x00007fcdea94369b in osmo_select_main (polling=0) at select.c:133
#11 0x0000000000406fbc in main (argc=9, argv=<optimized out>) at bsc_hack.c:346
The legacy functions have a bad/wrong return value for the number
of septets in the string. Change the code to use the new functions
which will fix encoding issues as well.
Location Update Requests time out and get rejected because the
subscriber is not authorized. Authorizing the subscriber through
openBSC or sqlite3 doesn't help the subscriber is still seen and
shown as not authorized
The value is read as uint, this is the wrong type it's a (u)longlong
in libdbi 0.9.0 and later.
Currently, all timestamps are force to SeqNo*d + C which is more than
required by the nanoBTS which seems to be sensitive to alignment
errors only (dTS != k*d, d = ptime * rate = 160).
This patch replaces the force_constant_timing feature by a
force_aligned_timing feature. The timestamp offset will only be
changed (and timestamp errors counted) when the alignment does not
match to the raster based on ptime (default 20ms).
The VTY interface does not change.
Sponsored-by: On-Waves ehf
Currently the counter and output timestamp values are written out for
each packet. This makes it difficult to see in the diffs what has
been changed significantly.
This patch changes this by showing differences for those
values. The absolute input values are also shown now. In addition,
the sequence numbers (the difference for the output value) are
written, too.
Sponsored-by: On-Waves ehf
This adds two test cases:
1. Packet repetition (dSeq=0, dTS=0)
2. Broken seqNo (dSeq=0, dTS=160)
The second had been already present in the test cases, but it was a
mere copy&paste mistake which turned out to be rather helpful. This
patch therefore turns it into a documented test case.
Sponsored-by: On-Waves ehf
Decoding and encoding of FR and EFR TRAU frames are put into seperate
functions. CRC check is done to detect bad EFR TRAU frames.
The test case includes FR and EFR transcoding.
EFR support was tested with Nokia InSite BTS and Siemens BS11.
There is the wrong record field selection being used to extract the
default value. It returns the tuple offset instead of the value.
This patch fixes this.
Sponsored-by: On-Waves ehf
Currently the SDP 'ptime' media attribute is never set in generated
MGCP responses.
This patch optionally includes the 'ptime' attribute if
packet_duration_ms is != 0. This behaviour can be enabled/disabled
by using the VTY command "sdp audio-payload send-ptime" (enabled by
default).
Sponsored-by: On-Waves ehf
This patch parses the 'ptime' and 'maxptime' SDP attributes, and the
SDP rate information and sets up packet_duration_ms accordingly. If
the packet duration is unknown or allows for different values (e.g.
because 'ptime' uses a range or 'maxptime' allows for more than one
frame) the duration is set to 0.
Sponsored-by: On-Waves ehf
Currently the local connection options have been stored as a string.
This patch replaces this string by a struct (that still contains a
string) along with the parsed fields (only the packetization period
at the moment).
It also re-adds the calls to set_local_cx_options() to the
handle_create_con() and handle_modify_con() functions. Except for
the test program this has no side effects, since the LCO values
aren't used yet.
This also adds additional MDCX tests (based on MDCX4) to test the
analysis of different combinations of 'p' and 'ptime' fields.
Sponsored-by: On-Waves ehf
Currently the timestamp offset calculation is done in two different
places.
This patch moves and unifies both code parts into a separate function.
Sponsored-by: On-Waves ehf
This tool provides the following features:
- Output formats: state, C arrays
- Optionally take RTP payload from existing state files
- Generate streams with RTP timestamp jumps and/or delays
- Set/change SSRC or payload type
Requires erlang to be installed.
Example:
Generate 300 packets, set playout time offset to 1s, set
RTP timestamp offset to 8000 (1s), generate another 100
packets, the RTP payload is copied from rtp.state:
./gen_rtp_header.erl --type=98 --file=rtp.state --
0 300 0 --delay=1.0 100 8000
Sponsored-by: On-Waves ehf
This patch adds optional parameters to pass the state file, the
destination address (default 127.0.0.1), the destination port
(default 4000), the source port (default 0). So it is called as
follows:
gst rtp_replay.st -a [FILE [HOST [SOURCEPORT [DESTPORT]]]]
In addition, nonexistant FILEs are no longer created but opened
read-only instead.
Sponsored-by: On-Waves ehf
Andreas highlighted that the doubel assignment is not needed and
wrong. Change the code to assign chan_list[0] before writing the
base frequency to the header. Update the testcase to make the highest
bit set and update the test result.
The IMSI can only be 15 characters in length, our define gives
us a length of 17. This means we have place for two NULs. Use
strncpy and make sure it is null-terminated.
Fixes: Coverity CID 1040707
Since the packet duration is given in ms with the 'ptime' RTP media
attribute and also with the 'p' MGCP local connection option, the
computation is changed to use this value (if present). The
computation assumes, that there are N complete frames in a packet and
takes into account, that the ptime value possibly had been rounded
towards the next ms value (which is never the case with a frame length
of exact 20ms).
Sponsored-by: On-Waves ehf
This forces the output timing to fulfill
dTS = dSegNo * fixedPacketDuration
where dSegNo = seqNo - lastSeqNo.
If timestamp patching is enabled, the output timestamp will be set
to lastTimestamp + dTS. This kind of relative updating is used to
handle seqNo- and timestamp-wraparounds properly.
The updating of timestamp and SSRC has been separated and the patch
field of mgcp_rtp_state has been renamed to patch_ssrc to reflect
it's semantics more closely. The offset fields are now used always
and will change the corresponding header field if they are != 0.
Ticket: OW#1065
Sponsored-by: On-Waves ehf
Currently the output SSRC is always forced to be the same if SSRC
patching is enabled.
This patch modifies this to optionally restrict the number of SSRC
changes that will be corrected.
Note that the configuration only allows for the 'once' mode and 'off'.
Sponsored-by: On-Waves ehf
The ssrc has been used without respect to proper byte ordering in
mgcp_patch_and_count(). This only affected log messages.
This patch introduces a new variable 'ssrc' that takes the value of
the SSRC in proper byte order.
Sponsored-by: On-Waves ehf
This patch adds a packet_duration field to mgcp_rtp_state which
contains the RTP packet's duration in RTP timestamp units or 0, when
the duration is unknown or not fixed.
Sponsored-by: On-Waves ehf
Currently seq_offset and timestamp_offset are updated on each SSRC
change even when SSRC patching is not allowed.
This patch fixes this by changing mgcp_patch_and_count() to only
update these fields when SSRC patching is allowed.
Sponsored-by: On-Waves ehf
Show old and new SSRC. Move logging command upward to show the values
immediately after the change has been detected and before any fixing
attempt is made.
Sponsored-by: On-Waves ehf
This adds datastructures and a VTY frontend to configure the
different type of RTP header patching: SSRC and timestamp.
Note that timestamp patching is not yet implemented.
Sponsored-by: On-Waves ehf
The tsdelta computation and error detection didn't handle the
intialisation phase properly.
This patches fixes this by skipping the output timing validation
when the SSRCs don't match.
Sponsored-by: On-Waves ehf
This patch extends the existing RTP error check test by adding a
check for timestamp errors after SSRC changes and a check for a
segno delta of 2 (with a timestamp delta of 320).
To test SSRC patching too, a corresponding line will be written on
each SSRC change that has been detected in the output stream.
In addition there is now support for selectively enabling/disabling
SSRC and timestamp patching. The RTP test sequence is repeated for
all combinations thereof.
Sponsored-by: On-Waves ehf
So far the SDP part of the CRCX message has been ignored by the MGW.
This patch adds SDP parsing for this case, eventually updating the
net end's payload type and connection parameters.
Sponsored-by: On-Waves ehf
So far the payload type used in RTP streams has been taken from the
trunk configuration in NAT mode.
This patch changes the implementation to use the payload type
announced in the SDP part of MGCP messages and responses. SDP
descriptions more than one m=audio line are not yet supported
properly (always the last one is taken).
Ticket: OW#466
Sponsored-by: On-Waves ehf
The MGCP message isn't always NUL-terminated when arriving at
mgcp_handle_message(). This may lead to undefined results.
This patch ensures that the message text is NUL-terminated by
setting *msg->tail to '\0' in mgcp_handle_message().
Addresses:
<000b> mgcp_protocol.c:642 Unhandled option: 'r'/114 on 0x3
<000b> mgcp_protocol.c:593 Unhandled SDP option: '='/61 on 0x3
<000b> mgcp_protocol.c:871 Unhandled option: '.'/46 on 0x2
Sponsored-by: On-Waves ehf
This patch add the for_each_line macro based on a strline_r()
function (similar to strtok_r()), that is also part of this patch.
This strline_r() function is tolerant with respect to line endings,
it supports CR-only, CRLF, and LF-only and any combinations thereof
(note that a CRLF is always detected as a single line break).
Similar to for_each_non_empty_line (the former for_each_line) where
the 'save' pointer needed to be initialised by a call to strtok_r(),
the new for_each_line macro expects, that the 'save' pointer has been
initialised by a call to strline_r(). Also note, that
for_each_line/strline_r and for_each_non_empty_line/strtok_r may use
the 'save' pointer differently, so calls to them can not be mixed.
Sponsored-by: On-Waves ehf
The implementation of for_each_line is based on strtok() and skips
any sequence of CR and LF. Thus empty lines are never detected. There
exists code which tests for an empty line to detect the beginning of
the SDP part which is dead code currently (the parser works
nevertheless due to other reasons). So the semantics of this macro
have been misunderstood at least once.
This patch renames the macro to reflect the semantics more precisely.
Sponsored-by: On-Waves ehf
The current implementation increments the seqno but does not increment
the RTP timestamp, leading to two identical timestamps following one
after the other.
This patch fixes this by adding the computed tsdelta when the offset
is calulated. In the unlikely case, that a tsdelta hasn't been
computed yet when the SSRC changes, a tsdelta is computed based on
the RTP rate and a RTP packet duration of 20ms (one speech frame per
channel and packet). If the RTP rate is not known, a rate of 8000 is
assumed.
Note that this approach presumes, that the per RTP packet duration
(in samples) is the same for the last two packets of the stream being
replaced (the first one).
Sponsored-by: On-Waves ehf
This patch adds a test case to check, whether RTP timestamps are
generated properly after SSRC changes and whether the error counters
work properly.
Sponsored-by: On-Waves ehf
This patch modifies the patch_and_count() function to check for RTP
timestamp inconsistencies. It basically checks, whether dTS/dSeqNo
remains constant. If this fails, the corresponding counter is
incremented. There are four counter for this: Incoming and outgoing,
each for streams from the BTS and the net.
Note that this approach presumes, that the per RTP packet duration
(in samples) remains the same throughout the entire stream. Changing
the number of speech frames per channel and packet will be detected
as error.
In addition, the VTY command 'show mgcp' is extended by an optional
'stats' to show the counter values, too.
Ticket: OW#964
Sponsored-by: On-Waves ehf
GSM 12.21 specifies that "No elementary procedure shall be
initiated to an object instance which has not yet replied to
a previously initiated elementary procedure with a response,
an ACK or a NACK within a layer 3 time-out. The layer 3
timeout for ACK, NACK and responses shall have a default value
of 10 seconds."
We are using this flag in the BTS to enforce/safe-guard
this situation.
Rename this function to bsc_send_ussd_no_srv() since it's a rather
specialised function and not a generic USSD notification function.
Sponsored-by: On-Waves ehf
The MS do not show the USSD messages yet. This patch modifies the
implementation to insert a CM Service Accept to finish the
establishment of the MM connection according to 3GPP TS 04.10/3.2.1
before the USSD notification is sent.
This fix has been tested with a Blackberry phone that has shown
an ussd_grace_txt after rf_locked has been set to '1'. Without this
patch, that message wasn't shown. The phone has sent a CC Setup
and other messages before processing the channel release message sent
by the BSC, but these messages have not been forwarded to the MSC (as
expected).
Ticket: OW#957
Sponsored-by: On-Waves ehf
These functions are currently located in libmsc/gsm_04_08.c together
with other symbols that (transitively) depend on many external
symbols (and thus libraries) that aren't otherwise needed by e.g.
osmo-bsc.
Since gsm48_tx_mm_serv_ack() will be needed by osmo-bsc, these
functions are moved to avoid the dependency on gsm_04_08.o.
Sponsored-by: On-Waves ehf
The MS do not show the USSD messages yet. This patch modifies the
implementation to insert a CM Service Accept before the ussdNotify
to finish the establishment of the MM connection according to
3GPP TS 04.10/3.2.1.
This fix has been tested with a Blackberry phone that has shown
an ussd_grace_txt after rf_locked has been set to '1'. Without this
patch, that message wasn't shown. The phone has sent a CC Setup
and other messages before processing the channel release message sent
by the BSC, but these messages have not been forwarded to the MSC (as
expected).
Ticket: OW#957
Sponsored-by: On-Waves ehf
This patch replaces the calls to ignoredCheckForEndAndExit by calls
to checkForEndAndExit to test the libosmocore nodes, too. The former
method is removed.
Sponsored-by: On-Waves ehf
Remove ournode_exit_cmd, ournode_end_cmd, and bsc_install_default()
since this functionality is provided by the current libosmocore.
Replace calls to bsc_install_default() by call to
vty_install_default() with the following semantic patch:
@rule1@
expression N;
@@
- bsc_install_default(N);
+ vty_install_default(N);
Ticket: OW#952
Sponsored-by: On-Waves ehf
When the PCU is activating a channel we don't want to tell the
BSC using RSL. Add a flag so we can keep track of who asked for
the activation/release of the channel.
The gbproxy looses NSEI changes on BVC_RESET and then tries to send
later messages to the wrong (not longer existing) destination.
This patch fixes this by updating the peer's nsei field on BVC_RESET.
Ticket: OW#874
Sponsored-by: On-Waves ehf
This checks the behavior of the gbproxy when the BSS peer changes the
NSEI and the NSVCI. It also tests BVC_RESET and other UNITDATA
messages after these changes between BSS and SGSN and vice versa (via
the gbproxy).
Ticket: OW#874
Sponsored-by: On-Waves ehf
This adds the option to delete all BVC peers and/or NS_VC with a
given NSEI with a single command. Static (configured) NS-VC are not
affected. In addition, all connections for this NSEI that can be
deleted by this command can be listed without deleting them by
appending 'dry-run' to the command.
Sponsored-by: On-Waves ehf
Currently such messages lead to a creation of a new peer with the
SGSN's NSEI, which results in echoing the message back to the SGSN.
This patch modifies this by sending a STATUS response (invalid BVCI)
instead back to the SGSN.
Sponsored-by: On-Waves ehf
This adds a test with a UNITDATA SGSN message that is addressed to an
invalid (unknown) BVCI. The test shows, that the message is echoed to
the SGSN.
Sponsored-by: On-Waves ehf
This adds counters that are incremented when errors are detected.
It also modifies the VTY command 'show gbproxy' so that
'show gbproxy stats' shows the counters.
Sponsored-by: On-Waves ehf
Add the unused attribute to peer_free() that isn't used currently.
Change 'RAC' to 'NSEI' in the log message, since the latter has been
examined before the log message is generated.
Sponsored-by: On-Waves ehf
This adds a simulation of the SGSN side of the Gbproxy. The VC is set
up correctly and several combinations of BSSGP messages are sent.
Sponsored-by: On-Waves ehf
Currently in most places in gb_proxy.c a reference to a NS-VC object
is used where the peer is meant instead. The patch changes this by
using the NSEI instead in these cases.
Sponsored-by: On-Waves ehf
This program tests the gbproxy implementation by passing NS messages
to a modified gbproxy that dumps the resulting messages, signals, and
state.
It focusses on testing abnormal situations like port changes.
Ticket: OW#874
Sponsored-by: On-Waves ehf
This adds a per BTS control command 'timezone' which expects a value
of the format '<hours>,<mins>,<dst>' or 'off' to set the value of
bts->tz. It has the same functionality like the existing VTY command
'timezone' in network/bts.
Sponsored-by: On-Waves ehf
Ticket: OW#978
This adds in-place patching of the time information in the
MM INFORMATION message. The timezone in the 'Local time zone' and
the 'Universal time and local time zone' information elements
and the offset in the 'Network Daylight Saving Time' information
element are optionally set.
The new values are determined by the 'timezone' vty command in the
config_net_bts node. That command is extended by an optional
DST offset parameter.
Tests are provided for the vty part and for the plain
bsc_scan_msc_msg() function.
Sponsored-by: On-Waves ehf
Ticket: OW#978
When verification failed and the reply string was not updated, the
message "Someone forgot to fill in the reply." was shown instead
of the default "Value failed verification." message.
This patch changes the default reply handling in ctrl_cmd_handle()
by setting the reply to NULL initially and then checking it at the
end. If it hasn't been set, a generic message is assigned and an
error is logged.
This script is similar to vty_test_runner.py but tests the control
interface instead.
It currently tests some error cases, BTS status queries, and
setting/clearing rf_locked.
This stores the last SET rf_locked control command along with a
timestamp. The 'show network' vty command is extended to show
this information.
Ticket: OW#659
This prevents the application from crashing when there is a half
configured BTS (e.g. by using the command 'bts 1' when there isn't
a BTS 1) and the 'write' command is used.
Send an USSD message to the mobile station requesting a connection
for a call or a SMS when the link to the MSC is down or in the
grace period.
The messages can be set (and this feature activated) by setting
bsc/missing-msc-text resp. msc/bsc-grace-text via the vty.
The generation of both messages has been tested manually.
Ticket: OW#957
In case of the RLSD coming from the MSC we are patching the address
in-situ but for local calls set con = NULL. We then answered the RLSD
with the wrong reference and the MSC kept on trying.
It was possible to cause a crash by enabling and disabling the
MSC connection. The enabling lead to scheduling a connection
and the second call was not stopping the timer.
Assign a static name to a MSC Connection and use it. In case there
are multiple connections we can now more easily identify them.
This is only used for the NAT right now, the BSC could start to
name the various MSC connections too.
Currently the 'mgcp' command fails in the 'config-nat' node, because
it get confused with 'mgcp-through-msc-ipa' which is executed
instead because of the prefix based command selection. Thus the
latter command is renamed by this patch to avoid the common prefix.
The workaround in the test suite is removed.
Add bsc_install_default() and replace all install_default()
This patch adds bsc_install_default() which calls install_default()
and add 'exit' and 'end'. All other calls to install_default() are
replaced by calls to bsc_install_default().
Since 'exit' and 'end' are now added automatically to each node, the
explicit registrations of these commands are removed by this patch,
too.
The related tests succeed now without work-arounds (except for the
'config' node itself which is part of libosmocore).
ournode_exit() duplicates most of bsc_vty_go_parent(). This patch
fixes the inconsistencies of both functions within
bsc_vty_go_parent() and replaces the implementation of
ournode_exit() by a call to it. This makes 'exit' behave exactly
like ^D in all openbsc nodes.
ournode_end() has been changed to walk through the intermediate
nodes until one of the top nodes is reached. This allows for
cleanups to be done on the way.
Note that in config mode if the tree is searched along the nodes
toward the config node and a command is not found this way, a
rollback is done by just replacing the vty's node and index member
variable by the saved old values which might break the whole thing, when
there has been a free() on the way.
These tests check for the availability of 'exit' and 'end' in each
configuration node and for the node specific commands to traverse
the tree.
In addition, using these commands from within inner contexts is
checked. This will detect problems, when an outer command word is
a prefix of an inner command, like with 'mgcp' and
'mgcp-through-msc-ipa'.
Several assertions are disabled due to inconsistencies and missing
commands (see above).
Addresses:
osmo_bsc_sccp.c:280:2: warning: implicit declaration of function ‘gsm0480_send_ussdNotify’ [-Wimplicit-function-declaration]
osmo_bsc_sccp.c:281:2: warning: implicit declaration of function ‘gsm0480_send_releaseComplete’ [-Wimplicit-function-declaration]
It was possible that the wrong NSEI information was sent to the
BTS. This is because patch_nm_tables is not called before sending
the data to the BTS. This will break when two BTS connect more or
less at the same time.
Stop using the arrays directly and instead introduce a method
that will patch the table and return the data and length. This
makes sure that all users patch the table before we send the
data to the BTS.
I bootstrapped a sysmoBTS and I can bring up rsl. The device is
running with a dummy load so I couldn't do more verification.
Change '%s(bsc)#' to '%s(config-bsc)# '. The missing trailing blank
breaks osmopy's VTYInteract.command() because the blank is contained
in the end patterns which are checked to decide whether to leave the
select loop. Thus trying to execute the 'bsc' command there blocks
the test script forever.
Send an USSD message on each MS connection if the connection to
the MSC has been lost.
Add a vty config command 'bsc-msc-loss-txt' in 'config-msc' to set
the notification string and to enable the feature.
Ticket: OW#957
This command returns the current state of the connection to the USSD
side channel provider. It shows whether a provider has been connected
and authorized or not.
Fixes: OW#953
These commits have been deployed by sysmocom and it should qualify
as some form of smoke testing. Let's see how things go from here.
The by IMSI alertion has not been used, the rest should have been
executed by the system.
There's a VTY option by which for every ESME the user can specify if the
E.212 or E.164 number should be used in DELIVER-SM. The ALERT
notifications generate by subscriber LU have so far always contained the
E.212 (IMSI) rather than E.164 (MSISDN) which is a bit inconsistent.
Rather than copying code, we create a new function that implements
ALERTing all ESMEs.
If the MS memory for SMS is exceeded and we get an RP-layer error, we
need to report that back to the (transaction-mode) ESME. Otherwise the
ESME will wait forever after sending a SUBMIT-SM without ever receiving
a response to it.
Thanks to Holger for catching this.
* The post-routing is applied after the first re-writing. To do this
the new number is copied back into the called data structure.
* Add a testcase that goes from 0172 to 0049 and then back to 0049
using the post rule with a table lookup.
* Increase the rewritten rule to five digits (this is the easiest
for the unit test). This will add another 40kb to the runtime size.
* Create a unit test that tests adding and removing the prefix rules.
* Use the regexp match to replace from one package
* It is a trie. The max depth of the trie is the length of the
longest prefix. The lookup is O(lookuped_prefix), but as the prefix
length is limited, the lookup time is constant.
* Each node can hold the entire prefix, has place for the rewrite
rule with up to three digits.
* A trie with 20k entries will take about 3MB ram.
* Filling the trie 100 times takes ~800ms on my i7 laptop
* 10.000.000 lookups take 315ms.. (for the same prefix).
* 93/99 lines are tested, 6/6 functions are tested, 49 of 54 branches
are tested. Only memory allocation failures are not covered
* A late addition is to handle the '+' sign and to increase the number
of chars in the rewrite prefix. The timing/line coverage has not
been updated after this change.
In case we have access to the context verify that the selected
msgb_tlli is either the old_tlli or the tlli in either local or
foreign format. It is wrong to use any other TLLI.
Attempt to solve what f0901f0067 tried to
solve without breaking the case of someone with a foreign TLLI from a
different network.
Lookup with the foreign TLLI converted to a local one in case we did
not find the TLLI and only then create a LLE/LLME on the fly for the
RX path.
During the GPRS Attach procedure we might have a foreign tlli and
in the RX create a LLME on the fly for this tlli. The GMM GPRS
Attach handling code will then assign a new TLLI and keep the
foreign tlli as the llme->old_tlli.
When the GMM is sending the identity request the msgb_tlli will
point to the foreign tlli. The GPRS LLC code will then try to find
that foreign tlli but due the conversion this will not be found.
Instead a new ad-hoc LLE/LLME will be created on the fly for
each message (this means there are duplicate LLE/LLMEs in the
list).
Make the code more strict and remove the tlli_foreign2local change
from the look-up routine. This will make the GPRS LLC code find
the right LLE/LLME and the N(U) will be handled correctly.
This partially reverts:
f0901f0067
Addresses:
<0012> gprs_llc.c:773 LLC RX: unknown TLLI 0xadf11820, creating LLME on the fly
...
<0012> gprs_llc.c:357 LLC TX: unknown TLLI 0xedf11820, creating LLME on the fly
Reproducable:
Use pcu_emu (gprs attach) and observe with wireshark.
In case of a failure this method didn't set the pctx->lib back to
NULL. In case of a timeout the callback will be made with pdp=NULL
and this would lead to leaking the PDP context. Check for the case
of having a pctx->lib != pdp and free it.
This resolves:
<000f> gprs_sgsn.c:259 freeing PDP context that still has a libgtp handle attached to it, this shouldn't happen!
The jenkins build node has Python 2.5.X installed and the
assertGreater method is not available. Use assert_ until
we can use newer versions of Python.
Disable the periodic LU using "no periodic location update" VTY
command. In that case set the expire_lu to 0 which will then be
translated to a NULL in the database layer. This leads to a bit of
copy and paste in the db_sync_subscriber method but I don't see
how we could easily use 'datetime(%i, 'unixepoch')' and 'NULL'
at the same time.
Change the query to find expired queries to check for NOT NULL
and the time being in the past. This means if there are still
old subscribers in the database they might not be expired. One
would need to execute a query like "UPATE Subscriber SET expire_lu
= 0 WHERE expire_lu is null". The same applies when disabling the
periodic LU. One would need to update the database by hand.
Manual tests executed/passed:
1.) periodic LU enabled:
* use gst LUTest.st to do a LU
* UPDATE Subscriber SET expire_lu=datetime('now');
* observe the subscriber being expired (it was)
2.) periodic LU disabled:
* use gst LUTest.st to do a LU
* verify that the expire_lu is NULL in the database
We were expiring subscribers during active calls. This is because
the T3212 is stopped under certain conditions but we didn't stop
that timer at all.
Remember if T3212 timer was stopped due something done by NITB and
update the expiration time at the end of the radio connection, as
the phone should restart it when returning to MM Idle.
It is a bit difficult to decide when we should set the flag. E.g.
in a CM Service Request we don't know if we accept the service and
during a LU we already send MM messages before we accept or reject
the subscriber.
The easiest is to set the flag when receiving a paging response
on known subscribers and at the end of the authentication process.
Do not expire a subscriber that has an active connection that is
marked with the flag, e.g. we would still expire a subscriber that
is being paged.
Manual tests executed/passed:
* gst LUTest.st verified that a expiration date was set
* gst SMSTest.st (doing another LU but forcing a timeout on the
SMS sending). Verified that the expire_lu was updated.
Make sure to not ever have issues with this code again, move the
utility code to a new file and create a basic testcase. The method
currently has 100% line and branch coverage. My initial patched
missed the smpp_utils.c file and I re-did the copying (and verifying
the branch coverage)
bsc_api.c:417:3: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 7 has type ‘unsigned int’ [-Wformat]
bsc_api.c: In function ‘handle_ass_fail’:
bsc_api.c:458:3: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 7 has type ‘unsigned int’ [-Wformat]
db.c: In function ‘db_sync_subscriber’:
db.c:785:3: warning: format ‘%i’ expects argument of type ‘int’, but argument 8 has type ‘time_t’ [-Wformat]
osmo_msc.c: In function ‘msc_release_connection’:
osmo_msc.c:145:20: warning: unused variable ‘trans’ [-Wunused-variable]
smpp_smsc.c: In function ‘link_accept_cb’:
smpp_smsc.c:891:24: warning: assignment from incompatible pointer type [enabled by default]
smpp_smsc.c:271:1: warning: ‘esme_by_system_id’ defined but not used [-Wunused-function]
smpp_openbsc.c: In function ‘smpp_openbsc_init’:
smpp_openbsc.c:545:2: warning: implicit declaration of function ‘smpp_vty_init’ [-Wimplicit-function-declaration]
osmo_bsc_ctrl.c: In function ‘verify_bts_loc’:
osmo_bsc_ctrl.c:340:19: warning: variable ‘height’ set but not used [-Wunused-but-set-variable
smpp_mirror.c: In function ‘main’:
smpp_mirror.c:297:2: warning: implicit declaration of function ‘osmo_init_logging’ [-Wimplicit-function-declaration]
This adds a minimalistic ACL by which certain, individual roaming IMSIs
can be authorized to use the SGSN. So you can selectively bypass the
'MCC+MNC == first 5 digits of IMSI' checking for a couple of IMSIs
It appears to me that for NM_OC_BS11 mo was either NULL or the
one mo value from NM_OC_BS11_RACK. The break inside the nested
switch case didn't break from the outer one.
Fixes Coverity: CID 1040728
The esme->acl is treated like it can be NULL in other places
of the code. Assume it can be NULL during this check as well.
Dereference after null check (FORWARD_NULL)
9. var_deref_op: Dereferencing null pointer "esme->acl".
Fixes: Coverity CID 1042374
As Holger pointed out, they contained a GPLv2+ disclaimer rather than
the AGPLv3+ which we use for OpenBSC. This is not an incompaibility,
but was done unintentionally. The code was always mean to be under
AGPLv3+.
Nevertheless, anyone using those two files in a version up to this
commit have the right to use it under GPLv2+ as well. This is not
applicable for any versions after this commit.
A CM service request must be acknowledged also, when encryption is already
enabled.
Without encryption enabled, the security status is GSM_SECURITY_NOTAVAIL,
which causes a CM service acknowledge. On initial CM service request, the
security status is GSM_SECURITY_SUCCEED, if encryption is enabled. This
will not lead to an acknowledge, because the cyphering command implies an
acknowlege. An additional CM service request requires an acknowledge, so
I added a new security status: GSM_SECURITY_ALREADY
Coverity pointed out that we use trans->subscr after a NULL check,
it is our believe that every transaction will have a subscriber.
Remove the check and add an assert before we are dispatching things.
Fixes: Coverity CID 1040740, CID 1040739
Coverity pointed out that this code is logically dead. Quickly
judging the code we will forward the RSLD message anyway. Remove
the code for now and next time I work on the NAT/USSD bridge I
will have a look at the flow of the RLSD messages.
Fixes: Coverity CID 1042327
The number = int_number assignment will make the number point to
the stack and as the int_number goes out of scope at the end of
the if statement other code could re-use this stack for other memory.
Fixes: Coverity CID 1042325
Coverity complains about the saveptr used in the strtok_r. This
is not a bug because we pass a string as part of the first call
to strtok_r but it is easier to just initialize it.
Addresses: Coverity CID 1042323
This fixes both a GCC and a Coverity warning:
GCC:
gsm_subscriber.c: In function ‘subscr_expire_callback’:
gsm_subscriber.c:389:2: warning: format ‘%i’ expects argument of type ‘int’, but argument 8 has type ‘long long unsigned int’ [-Wformat]
Coverity:
CID 1040712
This is fixing a GCC and Coverity warning.
GCC:
sgsn_vty.c: At top level:
sgsn_vty.c:308:1: warning: ‘show_ggsn_cmd’ defined but not used [-Wunused-variable]
Coverity: CID 1040727
This is fixing a GCC and Coverity warning:
GCC:
sgsn_vty.c: In function ‘vty_dump_pdp’:
sgsn_vty.c:64:5: warning: ‘i’ may be used uninitialized in this function [-Wmaybe-uninitialized]
sgsn_vty.c:49:15: note: ‘i’ was declared here
Coverity: CID 1040706
The code was written like checking the return value of the
osmo_fd_register but the rc variable was not assigned for the
subsequent calls.
Fixes: Coverity CID 1040741
Original code was inconsistent about lengths and could lead to out
of bounds write. Lengths were also inconsistent with the TS 24.008.
Fixes: Coverity CID 1040714.
The support has been implemented for an old model, we were told that
newer versions would be made incompatible with OpenBSC. Ther are
various warnings in the code and coverity has found some new ones.
Just remove the code as we don't know of anyone using this code.
Coverity is not happy about it but it doesn't appear to be a real
issue as the data will not be NULL on the first call.
Addresses: Coverity CID 1040704
In case the specified trx number is not configured, do not crash
but return NULL from the function. The libosmo-abis library should
close the connection for us then.
Begin with the NAT code. It is not clear yet if we will have one
file with all the tests or will have a sub directory with *.py files.
In the long run the base class will move to the osmo-python-tests
module.
The test scripts warn about missing documentation, untested configs,
check common errors, and stub out testing individual VTY commands.
The scripts have been moved to the another osmocom repository,
python/osmo-python-tests
The features were requested by zecke.
In some situations (like MS reboot without prior DETACH or SGSN reboot
without prior MS detach), the LLC sequence numbers for UI mode could
be different on both sides.
The LLC spec unfortunately doesn't permit us to send something like a
FRMR in this case, but instructs us to silently discard the frame. At
that time the remote LLC entity will re-transmit the frame with the same
seqeunce number over and over again, which we will drop again and again.
The mthod used now will keep track of the last received UI sequence
number. If that number is retransmitted for three times in a row, then
we accept this sequence number and recover from that point on.
system_id is a char array, which makes the NULL check a tautology,
so we should check with strlen if the string is empty or not.
This is fixing the "write" command of VTY that would otherwise
create a config file that can not be parsed.
If an ESME has the dcs_transparent config flag, then the TP-DCS
of MO-SMS is transparently passed to SMPP and not converted to SMPP
specific data_coding values.
This is needed in cases where ESMEs actually care about the exact
TP-DCS, as the conversion from TP-DCS to SMPP data_coding is not
bijective.
There are multiple ways how the TS 03.38 TP-DCS can indicate 8bit or
7bit messages. SMPP has it's own data coding specification, which is
different from TS 03.38.
However, some SMPP ESMEs want to be able to have fine-grained control
over the TP-DCS indicated in the TPDU header. If such values like 0xF6
are used in SMPP, we now transparently pass them on to the GSM side.
The RQNT message might not contain a 'S:' line with the actual tone
to play. Instead of calling the callback with the 0 as tone just leave
early.
Example:
X: 6B9519B88F0
R: D/[0-9#*](N), G/ft, fxr/t38
A channel that fails to send an ACK/NACK/REL within the four second
timeout is now marked as broken. In case the release comes in late
it will be ignored. The lchan should already been freed and for now
we don't want to trust the channel.
In the future we might want to send a "release" for a channel that
got activated ack late and just set the state to none on a channel
that is released acked late.
The late ACK and REL has been tested with two manual tests using the
fakebts. The channels remained blocked even after having received
the ACK message here. The NACK case has not been manually tested.
* This branch make the type sysmobts work.
* Asssume a bsc_gsmnet variable to be defined.
* This allows to use channel configurations not supported by the
nanoBTS.
* Manually tested with the FakeBTS and tested by users.
Assume that there is a bsc_gsmnet and modify the ipaccess-config to
provide this symbol. If a bsc_gsmmnet is not available when linked
the linker will complain and fail.
E.g. give an error like this:
../../src/libbsc/libbsc.a(bts_ipaccess_nanobts.o): In function `ipaccess_sign_link_up':
src/libbsc/bts_ipaccess_nanobts.c:550: undefined reference to `bsc_gsmnet'
Make sure that the bts_ipa_nm_sig_cb is only installed once. In
a nanoBTS + sysmoBTS network the _start method will be called
for each mode leading to the handler being registered twice.
Make sure that there is only one handler registered by unregistering
a previously installed handler. The osmo_signal_unregister_handler
will remove 0 or 1 handlers per invocation and we only add one
handler in this file so it is always balanced.
The nanoBTS code is trying to find a struct gsm_bts based on
the ipaccess_gsmnet and the ipaccess_unit data. The pointer is
not initialized in the case of a sysmoBTS leading to a classic
NULL pointer dereference.
Move the feature init into the _init method. This way we can
re-use the start code of the nanoBTS. This ensures that the
ipaccess_gsmnet pointer is properly initialized and that the
signal handlers are installed.
Extend the status message and send LAC/CI as part of the status
message. It is using TV to allow sending more fields in the feature.
We only need to encode the data and this is why there is no tlv
description yet.
The bsc_nat.h is included by common_vty.c so we may not used
sccp_types.h in the bsc_nat.h header file. Move the callstats
to a new file and include it where it is needed.
Find the Cell Identifier from the Complete Layer3 Information and
store it for future reference. We could begin to verify that the
LAC/CI used really belongs to the BSC.
The name sccp_connection is used in the osmo-sccp code, sccp_connections
was used in the NAT for tracking a sccp_connection. Rename it so it is
obvious that the struct belongs to the nat.
The rename was done with sed:
$ sed -i s,"struct sccp_connections","struct nat_sccp_connection",g \
include/openbsc/*.h src/osmo-bsc_nat/* tests/*/*
Prepend the international number with a '+' and then do the normal
re-writing on it. There are a couple of ways to handle this:
\+([0-9]), \+[0-9][0-9]([0-9]), \+49([0-9])
Add a test case for the international re-write based on an already
internationalized number.
Limit the amount of pending DLCX responses to three times the amount
of available endpoints. Currently all MGCP messages are sent and handled
in sequence.
We want to send a TRAP with the MGCP statistics from the NAT and
the connected BSC. The BSC endpoint can be either released because
of a DLCX from the MGCP CallAgent or the SCCP Connection release on
the A-link.
This is why we need to queue the statistics when the deleting the
endpoint on the BSC. The processing is continued once the response
arrives. This code assumes that the response of the DLCX will be sent
by the remote side. The current amount of outstanding responses can be
seen on the VTY. This assumption is based on the fact that the BSC has
already responded to the CRCX and maybe to the MDCX.
The MGCP RFC is bended to prefix the transaction identifier with "nat-"
to easily detect the response and hand it to the handler. This will
then parse the response and generate the TRAP. The current version is
v1. We assume that the transaction space is big enough and we will
not re-assign the transaction identifier too early.
The sysmobts is now having a SAPI queue with all pending SAPI operations
on the BTS. Add the llist_head to the lchan and make sure it is initialized
by the shared code.
The token was compared with the configured one but only up to a
user supplied length. Compare the token sizes and then use memcmp
for the actual comparison to make sure to compare the right ammount
of characters.
There is no unit-test but there should be one.
It was possible that the tmp was strduped but not freed, e.g. when
the number of commas was not right. It would evenutally be freed at
the time the cmd is freed thanks to the talloc hierachy.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
