Change in osmo-msc[master]: libmsc/gsm_04_08.c: fix: verify MI before calling vlr_subscr_rx_id_re...

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

fixeria gerrit-no-reply at lists.osmocom.org
Fri Jan 3 14:27:03 UTC 2020 

Hello laforge, Jenkins Builder, 

I'd like you to reexamine a change. Please visit

    https://gerrit.osmocom.org/c/osmo-msc/+/16683

to look at the new patch set (#3).

Change subject: libmsc/gsm_04_08.c: fix: verify MI before calling vlr_subscr_rx_id_resp()
......................................................................

libmsc/gsm_04_08.c: fix: verify MI before calling vlr_subscr_rx_id_resp()

During the last congress, we have noticed that OsmoMSC crashes
on receipt of malformed MM Identity Response messages:

  BSSAP
      Message Type: Direct Transfer (0x01)
      Data Link Connection Identifier
          00.. .... = Control Channel: not further specified (0x0)
          ..00 0... = Spare: 0x0
          .... .000 = SAPI: RR/MM/CC (0x0)
      Length: 11
  GSM A-I/F DTAP - Identity Response
      Protocol Discriminator: Mobility Management messages (5)
          .... 0101 = Protocol discriminator: Mobility Management messages (0x5)
          0000 .... = Skip Indicator: No indication of selected PLMN (0)
      01.. .... = Sequence number: 1
      ..01 1001 = DTAP Mobility Management Message Type: Identity Response (0x19)
      Mobile Identity - Format Unknown
          Length: 8
          .... 1... = Odd/even indication: Odd number of identity digits
          .... .111 = Mobile Identity Type: Unknown (7)  <-- This makes OsmoMSC crash
              [Expert Info (Warning/Protocol): Unknown format 7]
                  [Unknown format 7]
                  [Severity level: Warning]
                  [Group: Protocol]

The value '111'B is not a valid Mobile Identity type, and shall be
considered as reserved according to 3GPP TS 24.008, section 10.5.1.4.
Later on it was discovered that '000'B also crashes OsmoMSC in the same way.

The crash itself is provoked by OSMO_ASSERT(0) in vlr_subscr_rx_id_resp().
Let's keep that assert in there, and make sure that:

  - on receipt of MM Identity Response, Mobile Identity type
    matches the one in MM Identity Request;

  - on receipt of RR Ciphering Mode Complete, Mobile Identity
    contains IMEI(SV) if present.

Change-Id: Ica4c90b8eb4d90325313c6eb400fa4a6bc5df825
TTCN-3 test case: I62f23355eb91df2edf9dc837c928cb86b530b743
Fixes: OS#4340
---
M include/osmocom/msc/msc_a.h
M src/libmsc/gsm_04_08.c
2 files changed, 39 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/83/16683/3
-- 
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/16683
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: Ica4c90b8eb4d90325313c6eb400fa4a6bc5df825
Gerrit-Change-Number: 16683
Gerrit-PatchSet: 3
Gerrit-Owner: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-CC: pespin <pespin at sysmocom.de>
Gerrit-MessageType: newpatchset
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200103/2e993ea2/attachment.htm>

More information about the gerrit-log mailing list