bug in wireshark decoder of osmo-pcu

Ivan Kluchnikov Ivan.Kluchnikov at fairwaves.ru
Wed Oct 10 16:20:31 UTC 2012


Hi,

I ported wireshark fixes and improvements to PCU decoder.
For this RLC/MAC control block, I have the following result:

4016766774022664e8656469003e4c002b2b2b2b2b2b2b

PayloadType = 1 |
spare = 0 |
R = 0 |
MESSAGE_TYPE = 5 |
Exist_ACCESS_TYPE = 1 |
ACCESS_TYPE = 0 |
: ID |
  Choice PacketResourceRequestID = 1 |
  u.TLLI = 0xd99dd008 |
: End ID |
Exist_MS_Radio_Access_capability = 1 |
: MS_Radio_Access_capability |
  MS_RA_capability_value { |
   Choice MS_RA_capability_value_Choice = 3 |
   u.Content length = 25 |
   RF_Power_Capability = 1 |
   Exist_A5_bits = 1 |
   A5_bits = 80 |
   ES_IND = 1 |
   PS = 1 |
   VGCS = 0 |
   VBS = 0 |
   Exist_Multislot_capability = 1 |
  : Multislot_capability |
    Exist_HSCSD_multislot_class = 0 |
    Exist_GPRS_multislot_class = 1 |
    GPRS_multislot_class = 12 |
    GPRS_Extended_Dynamic_Allocation_Capability = 1 |
    Exist_SM = 0 |
  : End Multislot_capability |
  COMPACT_Interference_Measurement_Capability = NULL |
  Revision_Level_Indicator = NULL |
  UMTS_FDD_Radio_Access_Technology_Capability = NULL |
  UMTS_384_TDD_Radio_Access_Technology_Capability = NULL |
  CDMA2000_Radio_Access_Technology_Capability = NULL |
  UMTS_128_TDD_Radio_Access_Technology_Capability = NULL |
  GERAN_Feature_Package_1 = NULL |
  Modulation_based_multislot_class_support = NULL |
  GMSK_MultislotPowerProfile = NULL |
  EightPSK_MultislotProfile = NULL |
  MultipleTBF_Capability = NULL |
  DownlinkAdvancedReceiverPerformance = NULL |
  ExtendedRLC_MAC_ControlMessageSegmentionsCapability = NULL |
  DTM_EnhancementsCapability = NULL |
  PS_HandoverCapability = NULL |
  MS_RA_capability_value } |
: End MS_Radio_Access_capability |
: Channel_Request_Description |
  PEAK_THROUGHPUT_CLASS = 6 |
  RADIO_PRIORITY = 2 |
  RLC_MODE = 0 |
  LLC_PDU_TYPE = 1 |
  RLC_OCTET_COUNT = 62 |
: End Channel_Request_Description |
  Exist_CHANGE_MARK = 0 |
  C_VALUE = 38 |
  Exist_SIGN_VAR = 0 |
  Slot | Exist = 0 | Slot | Exist = 0 | Slot | Exist = 0 | Slot | Exist = 0 | Slot | Exist = 0 | Slot | Exist = 0 | Slot | Exist = 0 | Slot | Exist = 0 |
  Exist_AdditionsR99 = 0 |
  Padding = 43|43|43|43|43|43|43|

2012/10/1 Ivan Kluchnikov <Ivan.Kluchnikov at fairwaves.ru>:
> Hi, Andreas
> As I understand, this problem has already been fixed in the latest
> wireshark version.
> See this patch https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7710
> I reviewed the latest wireshark fixes for the rlc/mac decoder; there are
> several important improvements, so I think I should port the latest
> wireshark code.
> I think, I'll do it in two days.
>
> 2012/9/30 jolly <andreas at eversberg.eu>:
>> hi,
>>
>> i get wrong decoding of RLCMAC control block.
>>
>> the decoder of osmo-pcu is decoding following sequence:
>>
>> 0x40,0x16,0x76,0x67,0x74,0x02,0x26,0x64,0xe8,0x65,0x64,0x69,0x00,0x3e,0x4c,0x00,0x2b,0x2b,0x2b,0x2b,0x2b,0x2b,0x2
>>
>> this is the result:
>>
>> PayloadType = 1 | spare = 0 | R = 0 | MESSAGE_TYPE = 5 |
>> Exist_ACCESS_TYPE = 1 | ACCESS_TYPE = 0 |  : ID | Choice
>> PacketResourceRequestID = 1 | u.TLLI = 0xd99dd008 | : End ID |
>> Exist_MS_Radio_Access_capability = 1 |  : MS_Radio_Access_capability |
>> MS_RA_capability_value[0] { | Choice MS_RA_capability_value_Choice = 3 |
>> u.Content length = 25
>>
>>  ... at this point, the length of the content is 25 bits:
>>
>> | RF_Power_Capability = 1 | Exist_A5_bits = 1 | A5_bits = 80 | ES_IND =
>> 1 | PS = 1 | VGCS = 0 | VBS = 0 | Exist_Multislot_capability = 1 |  :
>> Multislot_capability | Exist_HSCSD_multislot_class = 0 |
>> Exist_GPRS_multislot_class = 1 | GPRS_multislot_class = 12 |
>> GPRS_Extended_Dynamic_Allocation_Capability = 1 | Exist_SM = 0
>>
>>  ... at this point all 25 bits are decoded, so the decoder must abort
>> decoding of content of Multislot_capability_t (see gsm_rlcmac.cpp).
>> instead, it continues with the data found after these 25 bits: (all crap
>> from now on)
>>
>> | Exist_ECSD_multislot_class = 0 | Exist_EGPRS_multislot_class = 0 |
>> Exist_DTM_GPRS_multislot_class = 1 | DTM_GPRS_multislot_class = 2 |
>> Single_Slot_DTM = 1 |  : DTM_EGPRS_Params |
>> Exist_DTM_EGPRS_multislot_class = 0 | : End DTM_EGPRS_Params | : End
>> Multislot_capability | Exist_Eight_PSK_Power_Capability = 0 |
>> COMPACT_Interference_Measurement_Capability = 1 |
>> Revision_Level_Indicator = 0 |
>> UMTS_FDD_Radio_Access_Technology_Capability = 0 |
>> UMTS_384_TDD_Radio_Access_Technology_Capability = 0 |
>> CDMA2000_Radio_Access_Technology_Capability = 0 |
>> UMTS_128_TDD_Radio_Access_Technology_Capability = 0 |
>> GERAN_Feature_Package_1 = 0 | Exist_Extended_DTM_multislot_class = 0 |
>> Modulation_based_multislot_class_support = 0 |
>> Exist_HighMultislotCapability = 0 | Exist_GERAN_lu_ModeCapability = 0 |
>> GMSK_MultislotPowerProfile = 3 | EightPSK_MultislotProfile = 3 |
>> MultipleTBF_Capability = 1 | DownlinkAdvancedReceiverPerformance = 0 |
>> ExtendedRLC_MAC_ControlMessageSegmentionsCapability = 1 |
>> DTM_EnhancementsCapability = 0 | Exist_DTM_GPRS_HighMultislotClass = 0 |
>> PS_HandoverCapability = 1 | MS_RA_capability_value[0] } |
>> MS_RA_capability_value[0] { | Choice MS_RA_capability_value_Choice = 0 |
>> u.Content length = 0 | RF_Power_Capability = 2 | Exist_A5_bits = 1 |
>> A5_bits = 50 | ES_IND = 1 | PS = 0 | VGCS = 1 | VBS = 1 |
>> Exist_Multislot_capability = 0 | Exist_Eight_PSK_Power_Capability = 0 |
>> COMPACT_Interference_Measurement_Capability = 1 |
>> Revision_Level_Indicator = 0 |
>> UMTS_FDD_Radio_Access_Technology_Capability = 1 |
>> UMTS_384_TDD_Radio_Access_Technology_Capability = 0 |
>> CDMA2000_Radio_Access_Technology_Capability = 1 |
>> UMTS_128_TDD_Radio_Access_Technology_Capability = 1 |
>> GERAN_Feature_Package_1 = 0 | Exist_Extended_DTM_multislot_class = 0 |
>> Modulation_based_multislot_class_support = 1 |
>> Exist_HighMultislotCapability = 0 | Exist_GERAN_lu_ModeCapability = 1 |
>> GERAN_lu_ModeCapability = 6 | GMSK_MultislotPowerProfile = 1 |
>> EightPSK_MultislotProfile = 1 | MultipleTBF_Capability = 0 |
>> DownlinkAdvancedReceiverPerformance = 3 |
>> ExtendedRLC_MAC_ControlMessageSegmentionsCapability = 0 |
>> DTM_EnhancementsCapability = 0 | Exist_DTM_GPRS_HighMultislotClass = 1 |
>> DTM_GPRS_HighMultislotClass = 2 |  : DTM_EGPRS_HighMultislotClass |
>> Exist_DTM_EGPRS_HighMultislotClass = 1 | : End
>> DTM_EGPRS_HighMultislotClass | : End MS_Radio_Access_capability |
>>
>>
>> there are two problems with the decoder:
>>
>> - it does not check if the length has been exceeded while decoding
>> Multislot_capability_t content. if the length is lower than all elements
>> in Multislot_capability_t, the decoder must abort decoding the content.
>> this is no bug. (the definition used at that point should be
>> M_NEXT_EXIST_OR_NULL instead of M_NEXT_EXIST, see gsm_rlcmac.cpp)
>> - even if the correct definition is used, the csn1 decoder will not use
>> the length given at "u.Content length" to abort. instead it checks for
>> reaching total length of coded data.
>>
>>
>> i played a bit with the code, but could not fix it without breaking
>> other things. but decoding with wireshark works. would it be possible to
>> port latest wireshark code?
>>
>> regards,
>>
>> andreas
>>
>>
>>
>
>
>
> --
> Regards,
> Ivan Kluchnikov.
> http://fairwaves.ru



-- 
Regards,
Ivan Kluchnikov.
http://fairwaves.ru
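The length-bounded decode Andreas asks for, written out as an added example that is not code from osmo-pcu or Wireshark: a small CSN.1-style bit reader where the 7-bit "Content length" becomes a hard boundary for the MS RA capability content, so the presence flags after the 25 declared bits come back NULL (M_NEXT_EXIST_OR_NULL behaviour) instead of being read from the following Channel_Request_Description. Field widths follow 3GPP TS 24.008/44.060 as I read them and the dictionary keys merely mirror the decoder output above; the coverage stops after Channel_Request_Description, and it runs over the block quoted in this thread.

```python
# Added example (not osmo-pcu/Wireshark code): CSN.1-style bit reader whose 7-bit "Content length" bounds the MS RA capability decode.
class BitReader:
    def __init__(self, data):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos, self.limit = 0, len(self.bits)   # limit = current boundary (bits)
    def read(self, n):
        if self.pos + n > self.limit:
            raise ValueError("read past current length boundary")
        v, self.pos = int(self.bits[self.pos:self.pos + n], 2), self.pos + n
        return v
    def exist_or_null(self):  # M_NEXT_EXIST_OR_NULL: nothing left in the bound -> NULL
        return None if self.pos >= self.limit else self.read(1)

def decode_ms_ra_capability_value(r):
    v = {"Access_Technology_Type": r.read(4)}
    length = r.read(7)                       # "Content length" in bits (25 here)
    start, outer = r.pos, r.limit
    r.limit = start + length                 # everything below is bounded by it
    v["RF_Power_Capability"] = r.read(3)
    v["A5_bits"] = r.read(7) if r.read(1) else None
    v["ES_IND"], v["PS"], v["VGCS"], v["VBS"] = [r.read(1) for _ in range(4)]
    if r.read(1):                            # Exist_Multislot_capability
        ms = {"HSCSD_multislot_class": r.read(5) if r.read(1) else None}
        if r.read(1):
            ms["GPRS_multislot_class"] = r.read(5)
            ms["GPRS_Extended_Dynamic_Allocation_Capability"] = r.read(1)
        ms["SMS_SM_VALUE"] = r.read(8) if r.read(1) else None  # SMS_VALUE(4)+SM_VALUE(4)
        # All 25 bits are used up here; the buggy decoder read on into the next field.
        ms["ECSD_multislot_class"] = r.read(5) if r.exist_or_null() else None
        v["Multislot_capability"] = ms
    v["COMPACT_Interference_Measurement_Capability"] = r.exist_or_null()
    r.pos, r.limit = start + length, outer   # skip spare bits, restore outer bound
    return v

def decode_packet_resource_request(data):
    r = BitReader(data)
    m = {"PayloadType": r.read(2), "spare": r.read(5), "R": r.read(1), "MESSAGE_TYPE": r.read(6)}
    m["ACCESS_TYPE"] = r.read(2) if r.read(1) else None
    if r.read(1): m["TLLI"] = r.read(32)     # ID: { 0 <Global TFI> | 1 <TLLI> }
    else: m["Global_TFI"] = r.read(6)
    if r.read(1):                            # Exist_MS_Radio_Access_capability
        m["MS_RA_capability_value"] = caps = [decode_ms_ra_capability_value(r)]
        while r.read(1):                     # { 0 | 1 <next value part> }
            caps.append(decode_ms_ra_capability_value(r))
    m["Channel_Request_Description"] = {"PEAK_THROUGHPUT_CLASS": r.read(4), "RADIO_PRIORITY": r.read(2),
        "RLC_MODE": r.read(1), "LLC_PDU_TYPE": r.read(1), "RLC_OCTET_COUNT": r.read(16)}
    return m

BLOCK = bytes.fromhex("4016766774022664e8656469003e4c002b2b2b2b2b2b2b")  # bytes from the thread
```

Without the `r.limit` boundary the same reader reproduces the wrong decode from the first mail (Exist_ECSD_multislot_class read from bit 87, then DTM fields from the 0x69 byte); with it, PEAK_THROUGHPUT_CLASS = 6 and RLC_OCTET_COUNT = 62 land exactly where the corrected output above shows them.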