fixeria submitted this change.
msc: add TC_mo_ussd_evil_ms for OS#6756
This is an "evil MS" scenario that crashes current osmo-msc.
Change-Id: If1d85a1b4b63b01b4565e53677acfd21e664e799
Related: osmo-msc.git I724f0f0c9ef8611d3c3653e9370361b252127f72
Related: OS#6756
---
M msc/MSC_Tests.ttcn
M msc/expected-results.xml
2 files changed, 49 insertions(+), 0 deletions(-)
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index 527b71a..2f8df4d 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -4393,6 +4393,50 @@
vc_conn.done;
}
+/* MO (mobile-originated) SS/USSD FACILITY for an unknown transaction,
+ * and CM SERVICE REQUEST with wrong establishment cause prior to that.
+ * This is an "evil MS" scenario that can be used to reproduce OS#6756. */
+friend function f_TC_mo_ussd_evil_ms(charstring id, BSC_ConnHdlrPars pars)
+runs on BSC_ConnHdlr {
+ f_init_handler(pars);
+
+ f_ran_register_imsi(g_pars.imsi, g_pars.tmsi);
+ f_create_gsup_expect(hex2str(g_pars.imsi));
+
+ /* Perform location update */
+ f_perform_lu();
+
+ /* Send CM Service Request indicating *wrong* reason */
+ f_establish_fully(EST_TYPE_MO_CALL);
+
+ /* GSM 04.80 FACILITY message for a non-existing transaction */
+ var template (value) PDU_ML3_MS_NW mo_ss_fac := ts_ML3_MO_SS_FACILITY(
+ tid := 1, /* An arbitrary transaction identifier */
+ ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
+ facility := f_rnd_octstring(23) /* We don't care about the Facility IE */
+ );
+
+ /* Expected response from the network */
+ var template PDU_ML3_NW_MS mt_ss_rel := tr_ML3_MT_SS_RELEASE_COMPLETE(
+ tid := 1, /* Same as in the FACILITY message */
+ ti_flag := c_TIF_REPL, /* Sent to the side that originates the TI */
+ facility := omit
+ );
+
+ /* Send GSM 04.80 FACILITY for non-existing transaction */
+ BSSAP.send(ts_PDU_DTAP_MO(mo_ss_fac));
+
+ /* Expect GSM 04.80 RELEASE COMPLETE message */
+ f_expect_mt_dtap_msg(mt_ss_rel);
+ f_expect_clear();
+}
+testcase TC_mo_ussd_evil_ms() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+ f_init();
+ vc_conn := f_start_handler(refers(f_TC_mo_ussd_evil_ms), 111);
+ vc_conn.done;
+}
+
/* Verify multiple concurrent MO SS/USSD transactions
* (one subscriber - one transaction) */
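Review bot: The Facility IE in `mo_ss_fac` is filled with `f_rnd_octstring(23)`, so every run sends different bytes and a failing run cannot be replayed exactly. That matters for a crash regression test: if the MSC ever inspects the Facility contents before rejecting the unknown transaction (not visible from this hunk), the verdict would depend on the random value. Either use a fixed octetstring, or keep the value in a local and log it before sending, e.g. `var octetstring facility := f_rnd_octstring(23);` followed by `log("Facility IE: ", facility);`. The transaction identifier `1` is also written twice, in `mo_ss_fac` and `mt_ss_rel`; a local `const integer c_tid := 1;` used in both templates would keep them in step.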
@@ -7568,6 +7612,10 @@
execute( TC_proc_ss_paging_fail() );
execute( TC_proc_ss_abort() );
+ if (Misc_Helpers.f_osmo_repo_is("nightly")) {
+ execute( TC_mo_ussd_evil_ms() ); /* XXX: crashes osmo-msc */
+ }
+
execute( TC_multi_lu_and_mo_ussd() );
execute( TC_multi_lu_and_mt_ussd() );
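Review bot: The `XXX: crashes osmo-msc` comment does not say which builds crash or when the `f_osmo_repo_is("nightly")` guard can be dropped. Presumably nightly already carries the fix named in the commit message, so a comment such as `/* crashes osmo-msc builds without the fix for OS#6756 (osmo-msc I724f0f0c9ef8611d3c3653e9370361b252127f72); remove the guard once that fix is released */` would make the condition self-explanatory. Separately, msc/expected-results.xml gains the `TC_mo_ussd_evil_ms` entry unconditionally while the test is executed only when the repo is "nightly"; if runs against other repos are compared with that file, the test would show up as missing there. The control block starts and ends outside this hunk.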
diff --git a/msc/expected-results.xml b/msc/expected-results.xml
index 2dc7e97..dacb840 100644
--- a/msc/expected-results.xml
+++ b/msc/expected-results.xml
@@ -94,6 +94,7 @@
<testcase classname='MSC_Tests' name='TC_proc_ss_for_unknown_session' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_proc_ss_paging_fail' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_proc_ss_abort' time='MASKED'/>
+ <testcase classname='MSC_Tests' name='TC_mo_ussd_evil_ms' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_multi_lu_and_mo_ussd' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_multi_lu_and_mt_ussd' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_cipher_complete_with_invalid_cipher' time='MASKED'/>