openbsc.git branch jerlbeck/wip/gprs-patching updated. 0.13.0-750-g8d570c1

gitosis at gitosis at
Thu Nov 6 17:23:10 UTC 2014

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The OpenBSC GSM Base Station Controller (+MSC/HLR/SGSN)".

The branch, jerlbeck/wip/gprs-patching has been updated
  discards  87767b2bf18fe9bcaf7954573d94dbb8547df1de (commit)
  discards  95e67b7a58dd3ac5e4be9d51ccce32f0047cd721 (commit)
  discards  fab825a4637c1210187f05a93392be7072a87575 (commit)
  discards  f9947e70d3a0f6bc70a9d9767b988ceb15fa6266 (commit)
  discards  9e80019b7c3389843ba2020c3ae0e64e6d83e8c9 (commit)
  discards  ec75ba6ffa901c81ab936f95a8b887fe2174019b (commit)
  discards  e444e3bb8a48bf751cb9286d80ddcdf7b101011b (commit)
  discards  c16741bf78ba1ac4586cefbff0f4c2508a2d8fed (commit)
  discards  825eae2fa138e92d98d3b0d58cbf7c807c1ea491 (commit)
  discards  194943609b16f88539edadd11a15d56080d06b29 (commit)
  discards  e2c08577a8c0ceae7c2c6f82c328d04d9086175c (commit)
  discards  b1751e0b0cb2b153d98d951fb46745d24d06b53d (commit)
  discards  b44a1895051b222c1aa0d1f1bce268a84a8c6116 (commit)
  discards  fd0b34a3fa0485eef7a8b7745d452ac7904a8111 (commit)
  discards  7f416f4799814d179b5cbf9c272b8df45e646754 (commit)
  discards  b62b4af85781e2e17b4cee35ac129451bb8036b7 (commit)
  discards  f462d2ebbc68c36a511ae9ab7088e5ae0bd1dec1 (commit)
  discards  843caa4a7f2a0d27378fe97f405c65b5899c61ca (commit)
  discards  d6964dc0113acd2ccc9b792d846dbd7e7aa24a14 (commit)
       via  8d570c15a946c8adf874db68ef12e046cfd98fd0 (commit)
       via  016051129a239d6a16bd06b93716f03c145aedbb (commit)
       via  b915d5bb9726712a7e6c154559d205dc0591d393 (commit)
       via  ffefe0e35f9b106ba11071c903f2b7e700990a58 (commit)
       via  6ebd49eaed937f62b42281281434a6031cfbe2c1 (commit)
       via  0c401f18259d6223fc417aefd3d088b20ce52542 (commit)
       via  b0e9dd487f84254f0884dfba0af1237b82525734 (commit)
       via  a6a499fc8174e77bc468c2f593fe86ca4b0363b5 (commit)
       via  3f2dfee7ca5769b351b2d2a9d6ecdd5903243e87 (commit)
       via  06e8cf5c76a900227f8ed32489ecfd4a683ee5f6 (commit)
       via  60e0f06e985106204be526b9a90f21e7c417a0b6 (commit)
       via  e7308002c55da89a76f4b5db4cae2e4df5024375 (commit)
       via  c2f6fab069d14382dc444753bd59f62d87623aeb (commit)
       via  41fde68761737c8590b68e4b1aed102b62b4c2e6 (commit)
       via  597583f635d377d24cf00c3ba93e303735cc270c (commit)
       via  dd79c53aa6a7ea844852ca257f58a71aa422b747 (commit)
       via  7dc3f3cc4ec9067bbeb7c030f42396bd866efbb4 (commit)
       via  f47bdf819239b9eb44350497e6c4f95ef31e7e25 (commit)
       via  d0998fbe927ac54e0f50326b161773f8a5728b18 (commit)
       via  1464a121c02786b0b7a9ea7b92f33aeacf187c55 (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (87767b2bf18fe9bcaf7954573d94dbb8547df1de)
             N -- N -- N (8d570c15a946c8adf874db68ef12e046cfd98fd0)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------

commit 8d570c15a946c8adf874db68ef12e046cfd98fd0
Author: Jacob Erlbeck <jerlbeck at>
Date:   Thu Nov 6 15:43:10 2014 +0100

    sgsn: Don't assign a new P-TMSI if one is pending (TODO)
    Currently every time a RA Update Req or an Attach Req is processed, a
    new P-TMSI is alocated. When an MS issues another of these messages
    before it has completed the first procedure, old_ptmsi is replaced by
    ptmsi (and thus lost) and ptmsi is replaced by the newly allocated
    P-TMSI. This can confuse the gbproxy, which can loose track of the
    logical link then. At least a blackberry emits a double set of RA Upd
    Req messages from time to time which may be just 20ms apart.
    This patch adds a check whether mm->ptmsi or mm->old_ptmsi are not
    both set. If both are set, the P-TMSI is not re-allocated. This is
    only the case, if the Complete message has not been received since
    that resets old_ptmsi.
     - Test case
    Sponsored-by: On-Waves ehf

commit 016051129a239d6a16bd06b93716f03c145aedbb
Author: Jacob Erlbeck <jerlbeck at>
Date:   Tue Sep 30 13:53:26 2014 +0200

    sgsn: Added TODOs (TODO)
      - fix and remove TODOs
      - add test cases for Detach(reattach)
      - add test cases for PDP context deletion (OW#1311)
      - add test cases for Cancel pending timer in sgsn_mm_ctx_free
      - remove this commit
    Sponsored-by: On-Waves ehf

commit b915d5bb9726712a7e6c154559d205dc0591d393
Author: Jacob Erlbeck <jerlbeck at>
Date:   Fri Oct 17 10:08:02 2014 +0200

    sgsn: Do not die in _bssgp_tx_dl_ud on TLLI mismatch (TODO)
    Currently an OSMO_ASSERT fails, if the message's and the mmctx's
    TLLIs do not match.
    This commit turns the assertion into an ERROR log message and uses
    the default values for IMSI, DRX, and RA CAP instead of the MM
    context values in this case.
      - find the real source for the problem
      - add test cases derived from what is being described in the ticket
    Ticket: OW#1322
    Sponsored-by: On-Waves ehf

commit ffefe0e35f9b106ba11071c903f2b7e700990a58
Author: Jacob Erlbeck <jerlbeck at>
Date:   Thu Nov 6 13:43:41 2014 +0100

    sgsn: Cleanup after RA Update Reject / Attach Reject
    Currently, the LLME is not cleanup up after sending an RA Update
    Reject. This happens after entering a routing area from outside,
    since in that case the SGSN sends an RA Update Reject (implicitly
    detached) which causes the MS to restart the attach procedure.
    The LLME is also not updated if an Attach Request with message errors
    (encoding, invalid MI type) is received or if an MM context cannot be
    This patch changes gsm48_rx_gmm_ra_upd_req and gsm48_rx_gmm_att_req
    to unassign the LLME or free the MM context (if available) after a
    Reject message has been sent.
    Ticket: OW#1324
    Sponsored-by: On-Waves ehf

commit 6ebd49eaed937f62b42281281434a6031cfbe2c1
Author: Jacob Erlbeck <jerlbeck at>
Date:   Tue Nov 4 12:44:15 2014 +0100

    sgsn: Notify an affected MM context if an ACL rule is removed
    Currently if an ACL access rule is removed, MS already attached are
    not affected until they try to reattach to the SGSN.
    This patch extends sgsn_acl_del to re-authenticate an MM context if
    it matches the IMSI.
    Sponsored-by: On-Waves ehf

commit 0c401f18259d6223fc417aefd3d088b20ce52542
Author: Jacob Erlbeck <jerlbeck at>
Date:   Tue Nov 4 10:08:37 2014 +0100

    sgsn: Add 'acl-only' authentication policy
    Currently the VTY 'auth-policy' command results in setting or clearing
    the acl_enabled flag. This also enables the matching of the MCC/MNC
    prefix of the IMSI.
    This patch adds an additional policy 'acl-only' which disables the
    MCC/MNC matching and relies on the ACL only.
    Sponsored-by: On-Waves ehf

commit b0e9dd487f84254f0884dfba0af1237b82525734
Author: Jacob Erlbeck <jerlbeck at>
Date:   Tue Nov 4 11:15:01 2014 +0100

    sgsn/test: Add VTY tests for the SGSN
    This patch adds some basic SGSN tests to
    - check for config tree nodes
    - check specific show commands
    Sponsored-by: On-Waves ehf

commit a6a499fc8174e77bc468c2f593fe86ca4b0363b5
Author: Jacob Erlbeck <jerlbeck at>
Date:   Fri Oct 24 18:09:54 2014 +0200

    sgsn: Make authorization asynchronous
    Currently the authorization of an IMSI is done by checking ACLs
    synchronously which is not feasible when the subscriber data has to
    be retrieved from an external source.
    This patch changes this by using a callback when the information is
    available. This is also done when only ACL are checked, in this case
    the callback is invoked from within sgsn_auth_request(). The callback
    function sgsn_update_subscriber_data calls sgsn_auth_update which
    in turn calls either gsm0408_gprs_access_granted or
    gsm0408_gprs_access_denied. gsm48_gmm_authorize is extended by a call
    to sgsn_auth_request when IMSI and IMEI are available but the
    auth_state is unknown.
    The change has been successfully tested with single phones (E71 and
    IPhone 5c).
    Sponsored-by: On-Waves ehf

commit 3f2dfee7ca5769b351b2d2a9d6ecdd5903243e87
Author: Jacob Erlbeck <jerlbeck at>
Date:   Mon Nov 3 12:48:43 2014 +0100

    bsc: Fix use-after-free on OML NM messages from the BTS
    Currently the sign_link pointer is dereferenced after a call to
    osmo_signal_dispatch, which can indirectly call
    e1inp_sign_link_destroy. If that happens, accessing *sign_link is
    illegal and can lead to a segmentation violation.
    Since only the bts pointer is needed from sign_link after the call to
    osmo_signal_dispatch, this patch changes abis_nm_rcvmsg_fom to save
    that pointer to a local variable earlier.
    <0019> input/ipa.c:250 accept()ed new link from to port 3002
    SET ATTR NACK  CAUSE=Message cannot be performed
    <0005> bsc_init.c:52 Got a NACK going to drop the OML links.
    <001b> bsc_init.c:319 Lost some E1 TEI link: 1 0xb351a830
    ==13198== ERROR: AddressSanitizer: heap-use-after-free on address 0xb5d1bc70 at pc 0x80a6e3d bp 0xbfbb33d8 sp 0xbfbb33cc
    Sponsored-by: On-Waves ehf

commit 06e8cf5c76a900227f8ed32489ecfd4a683ee5f6
Author: Jacob Erlbeck <jerlbeck at>
Date:   Wed Oct 29 22:12:20 2014 +0100

    sgsn: Move IMSI authorization to gsm48_gmm_authorize
    Currently the IMSI is only checked immediately when an Attach Request
    is received that contains an IMSI IE. If it contains a P-TMSI
    instead, access is always granted.
    This commit moves the IMSI check to gsm48_gmm_authorize where it is
    applied when IMSI and IMEI have been acquired. This fixes the
    authorization when the Attach Accept doesn't contain an IMSI.
    Sponsored-by: On-Waves ehf

commit 60e0f06e985106204be526b9a90f21e7c417a0b6
Author: Jacob Erlbeck <jerlbeck at>
Date:   Fri Oct 31 12:27:11 2014 +0100

    sgsn: Fix LLME leak when forcing a reattach
    Currently when forceing a reattach by sending a Detach
    Request (reattach), the SGSN waits for the Detach Accept until it
    frees the MM context (if present) and the LLME. If that message gets
    lost or isn't sent by the MS, the LLME is never freed if it isn't
    bound to an MM context.
    This patch adds code to free the MM context/LLME when forcing a
    Sponsored-by: On-Waves ehf

commit e7308002c55da89a76f4b5db4cae2e4df5024375
Author: Jacob Erlbeck <jerlbeck at>
Date:   Fri Oct 31 12:20:49 2014 +0100

    sgsn: Split gsm0408_gprs_force_reattach into 2 functions
    This patch replaces gsm0408_gprs_force_reattach(msg, mmctx) by two
      - gsm0408_gprs_force_reattach(mmctx)
      - gsm0408_gprs_force_reattach_oldmsg(msg)
    The old function basically consists of the code of the two new
    functions, where the code patch selected depends on mmctx == NULL,
    which is harder to maintain, less obvious to use, and not consistent
    with many other SGSN functions.
    Sponsored-by: On-Waves ehf

commit c2f6fab069d14382dc444753bd59f62d87623aeb
Author: Jacob Erlbeck <jerlbeck at>
Date:   Mon Nov 3 10:12:52 2014 +0100

    sgsn: Call mm_ctx_cleanup_free to deregister MM context
    Currently the MM context isn't always removed when it is
    de-registered (mmctx_timer_cb), mm_state is set to GMM_DEREGISTERED
    instead. This can lead to left-over MM contexts which are only
    cleaned up if the MS reattaches.
    This patch replaces all of these assignments by a call to
    Ticket: OW#1324
    Sponsored-by: On-Waves ehf

commit 41fde68761737c8590b68e4b1aed102b62b4c2e6
Author: Jacob Erlbeck <jerlbeck at>
Date:   Tue Oct 28 16:23:46 2014 +0100

    sgsn: Cleanup GMM state transitions
    Currently the GMM state is set to GMM-REGISTERED when an Attach
    Accept or a RA Update Accept message is sent, even if a new P-TMSI is
    included. In this case 04.08 requires (see and,
    that the state is set to GMM-COMMON-PROCEDURE-INITIATED when the
    Accept is sent. When the Complete is received, the SGSN shall set
    the state to GMM-REGISTERED.
    This patch modifies the state updates accordingly.
    Sponsored-by: On-Waves ehf

commit 597583f635d377d24cf00c3ba93e303735cc270c
Author: Jacob Erlbeck <jerlbeck at>
Date:   Wed Oct 29 12:11:58 2014 +0100

    sgsn/test: Add test_gmm_attach
    This test checks the attach procedure until the Attach Complete is
    Note that authorization and GMM state updates are not working
    properly yet.
    Sponsored-by: On-Waves ehf

commit dd79c53aa6a7ea844852ca257f58a71aa422b747
Author: Jacob Erlbeck <jerlbeck at>
Date:   Wed Oct 29 10:31:18 2014 +0100

    sgsn/test: Move message sending to send_0408_message
    This replaces serveral occurences of duplicated code for message
    creation and sending (passing to gsm0408_gprs_rcvmsg) into a single
    function. In addition, the sgsn_tx_counter is always reset within
    send_0408_message to simplify the code that checks for the number of
    messages sent.
    Sponsored-by: On-Waves ehf

commit 7dc3f3cc4ec9067bbeb7c030f42396bd866efbb4
Author: Jacob Erlbeck <jerlbeck at>
Date:   Tue Oct 28 12:23:29 2014 +0100

    sgsn: Reorganize and fix gsm48_gmm_authorize
    Currently the order of the 'if' clauses in gsm48_gmm_authorize
    doesn't match the order in which the conditional parts are entered.
    This makes it difficult to maintain. In addition the t3350_mode is
    not stored in every path, so that this information is lost when the
    identification procedure is started. Since the default value
    coincidentally is GMM_T3350_MODE_ATT, this doesn't hurt for Attach
    Requests which are the only messages that initially trigger the
    authentication yet.
    This patch changes the order of the 'if' clause to match the
    processing order, it removes the t3350_mode parameter entirely and
    introduces a mm->pending_req field. The latter must be set when the
    request that causes the authorization before calling
    gsm48_gmm_authorize. The gprs_t3350_mode enum is extended by
    GMM_T3350_MODE_NONE (value 0, which is the default) to make it
    possible to detect related initialisation errors or race conditions.
    Sponsored-by: On-Waves ehf

commit f47bdf819239b9eb44350497e6c4f95ef31e7e25
Author: Jacob Erlbeck <jerlbeck at>
Date:   Fri Oct 31 10:47:29 2014 +0100

    gbproxy: Honour the BSS TLLI type when creating an SGSN TLLI
    Currently gbproxy_make_sgsn_tlli always returns a foreign TLLI when
    it uses the (SGSN) P-TMSI to generate one.
    This patch changes the implementation to return a SGSN TLLI of the
    same type like the BSS TLLI in that case.
    Sponsored-by: On-Waves ehf

commit d0998fbe927ac54e0f50326b161773f8a5728b18
Author: Jacob Erlbeck <jerlbeck at>
Date:   Thu Oct 30 17:15:43 2014 +0100

    gbproxy: Reset TLLIs when the link_info is found by IMSI/P-TMSI
    Currently when the MS does a re-attach without doing a proper detach
    first, the gbproxy uses the old local TLLI if patching and the keep
    mode are enabled. This leads to a failing attachment procedure when
    TLLI patching is also enabled.
    This patch changes gbproxy_get_link_info_ul to reset all TLLIs within the
    link_info if the message contains an unknown TLLI and an MI. This is
    generally the case with Attach Request messages.
    Ticket: OW#1324
    Sponsored-by: On-Waves ehf


Summary of changes:
 openbsc/include/openbsc/ipaccess.h |   4 +-
 openbsc/src/gprs/gprs_gmm.c        |   6 +-
 openbsc/tests/sgsn/sgsn_test.c     | 143 +++++++++++++++++++++++++++++++++++++
 openbsc/tests/sgsn/sgsn_test.ok    |   6 ++
 4 files changed, 155 insertions(+), 4 deletions(-)

The OpenBSC GSM Base Station Controller (+MSC/HLR/SGSN)

More information about the osmocom-commitlog mailing list