fixeria has uploaded this change for review. (
https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/39975?usp=email )
Change subject: msc: add TC_mo_ussd_evil_ms for OS#6756
......................................................................
msc: add TC_mo_ussd_evil_ms for OS#6756
This is an "evil MS" scenario that crashes current osmo-msc.
Change-Id: If1d85a1b4b63b01b4565e53677acfd21e664e799
Related: OS#6756
---
M msc/MSC_Tests.ttcn
M msc/expected-results.xml
2 files changed, 46 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/75/39975/1
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index 527b71a..21e74f1 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -4393,6 +4393,50 @@
vc_conn.done;
}
+/* MO (mobile-originated) SS/USSD FACILITY for an unknown transaction,
+ * and CM SERVICE REQUEST with wrong establishment cause prior to that.
+ * This is an "evil MS" scenario that can be used to reproduce OS#6756. */
+friend function f_TC_mo_ussd_evil_ms(charstring id, BSC_ConnHdlrPars pars)
+runs on BSC_ConnHdlr {
+ f_init_handler(pars);
+
+ f_ran_register_imsi(g_pars.imsi, g_pars.tmsi);
+ f_create_gsup_expect(hex2str(g_pars.imsi));
+
+ /* Perform location update */
+ f_perform_lu();
+
+ /* Send CM Service Request indicating *wrong* reason */
+ f_establish_fully(EST_TYPE_MO_CALL);
+
+ /* GSM 04.80 FACILITY message for a non-existing transaction */
+ var template (value) PDU_ML3_MS_NW mo_ss_fac := ts_ML3_MO_SS_FACILITY(
+ tid := 1, /* An arbitrary transaction identifier */
+ ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
+ facility := f_rnd_octstring(23) /* We don't care about the Facility IE */
+ );
+
+ /* Expected response from the network */
+ var template PDU_ML3_NW_MS mt_ss_rel := tr_ML3_MT_SS_RELEASE_COMPLETE(
+ tid := 1, /* Same as in the FACILITY message */
+ ti_flag := c_TIF_REPL, /* Sent to the side that originates the TI */
+ facility := omit
+ );
+
+ /* Send GSM 04.80 FACILITY for non-existing transaction */
+ BSSAP.send(ts_PDU_DTAP_MO(mo_ss_fac));
+
+ /* Expect GSM 04.80 RELEASE COMPLETE message */
+ f_expect_mt_dtap_msg(mt_ss_rel);
+ f_expect_clear();
+}
+testcase TC_mo_ussd_evil_ms() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+ f_init();
+ vc_conn := f_start_handler(refers(f_TC_mo_ussd_evil_ms), 111);
+ vc_conn.done;
+}
+
/* Verify multiple concurrent MO SS/USSD transactions
* (one subscriber - one transaction) */
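Review bot: The Facility IE in `mo_ss_fac` is filled with `f_rnd_octstring(23)`, so every run sends different bytes. For a test meant to reproduce OS#6756, that makes a failing run hard to replay if the MSC's behaviour turns out to depend on the IE contents. Consider a fixed octetstring, or log the generated value before `BSSAP.send(ts_PDU_DTAP_MO(mo_ss_fac))`. The transaction identifier `1` is also written separately in `mo_ss_fac` and `mt_ss_rel`; a single local constant used by both templates would keep the request and the expected RELEASE COMPLETE in step. The comment above `f_establish_fully(EST_TYPE_MO_CALL)` could name the establishment type that would be correct for an SS transaction, so the reader sees what "wrong" means here.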
@@ -7659,6 +7703,7 @@
execute( TC_lu_and_mt_csd() );
execute( TC_lu_and_mo_call_reass_for_mt_codec() );
+ execute( TC_mo_ussd_evil_ms() ); /* XXX: crashes osmo-msc */
}
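Review bot: The new `execute( TC_mo_ussd_evil_ms() )` line carries only `/* XXX: crashes osmo-msc */`, which does not say what the crash means for the rest of the run. If the MSC process goes down, any testcase executed after this one would presumably fail for an unrelated reason. In the visible context it is the last `execute()` before the closing brace, which looks deliberate; a comment such as `/* keep last until OS#6756 is fixed: crashes osmo-msc */` would make that ordering constraint explicit. The msc/expected-results.xml hunk lists the testcase without a failure element, while the commit message says it crashes current osmo-msc, so confirm that a pass is the intended baseline.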
diff --git a/msc/expected-results.xml b/msc/expected-results.xml
index 2dc7e97..dacb840 100644
--- a/msc/expected-results.xml
+++ b/msc/expected-results.xml
@@ -94,6 +94,7 @@
<testcase classname='MSC_Tests'
name='TC_proc_ss_for_unknown_session' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_proc_ss_paging_fail'
time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_proc_ss_abort'
time='MASKED'/>
+ <testcase classname='MSC_Tests' name='TC_mo_ussd_evil_ms'
time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_multi_lu_and_mo_ussd'
time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_multi_lu_and_mt_ussd'
time='MASKED'/>
<testcase classname='MSC_Tests'
name='TC_cipher_complete_with_invalid_cipher' time='MASKED'/>
--
Gerrit-MessageType: newchange
Gerrit-Project: osmo-ttcn3-hacks
Gerrit-Branch: master
Gerrit-Change-Id: If1d85a1b4b63b01b4565e53677acfd21e664e799
Gerrit-Change-Number: 39975
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de>