[M] Change in osmo-msc[master]: fix VLR evil twin on LU with unknown TMSI - gerrit-log

26 Mar 2024


      Attention is currently required from: fixeria, laforge, pespin.
neels has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-msc/+/36452?usp=email )
Change subject: fix VLR evil twin on LU with unknown TMSI
......................................................................
Patch Set 1:
(4 comments)
Commit Message:
https://gerrit.osmocom.org/c/osmo-msc/+/36452/comment/ee0aa82e_04e646a3 
PS1, Line 15: be discarded, for the benefit of the new one.
...
we do the same in osmo-pcu with tbfs btw (ms_merge_and_clear_ms()).
interesting, which way around is that? do we also drop the old one there?
Patchset:
PS1:
...
are we sure this code path only gets triggered after authentication [assuming authentication is enab […]
I thought about that, too. The situation is:
This happens before Auth:
- the MSC gets a LU request by TMSI,
- then requires the IMSI
- the ID response for that triggers this de-duplication.
- authentication follows.
- we can copy auth tuples safely.
- i am not copying state like the security status or FSM states that might skip important validations.
- we always have to know a subscriber's IMSI, i.e. the code makes sure that an IMSI is known in order to contact the HLR. This triggers only in a situation where the IMSI is not yet known, i.e. only possible in the short phase before the ID Request, before auth. i.e. not possible to sneakily hijack another IMSI's security context.
If authentication is switched off, then this doesn't hold of course, but nothing else does either.
File src/libmsc/paging.c:
https://gerrit.osmocom.org/c/osmo-msc/+/36452/comment/7e963ad9_991297fe 
PS1, Line 147: 	vlr_subscr_put(discarding_vsub, VSUB_USE_PAGING);
...
Ah indeed it missed that one.
yes, i wanted to keep that close together, but the use count put should happen in the end, while the if() should happen in the start... i'll drop a comment there
File src/libvlr/vlr.c:
https://gerrit.osmocom.org/c/osmo-msc/+/36452/comment/e207ac85_0f270790 
PS1, Line 597: 		struct vlr_instance *vlr = exists->vlr;
...
I'd rpobably move all this code to its own function "vsub_join()" or alike.
ack
(the paging_request_join() function was supposed to be that own function, but then this code here grew and grew with more aspects to be taken care of...)
-- 
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/36452?usp=email
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: Ifdabe0b65bffafbf7b8e5cc10e2d225d1ed1cecd
Gerrit-Change-Number: 36452
Gerrit-PatchSet: 1
Gerrit-Owner: neels nhofmeyr@sysmocom.de
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria vyanitskiy@sysmocom.de
Gerrit-Reviewer: pespin pespin@sysmocom.de
Gerrit-CC: laforge laforge@osmocom.org
Gerrit-Attention: laforge laforge@osmocom.org
Gerrit-Attention: pespin pespin@sysmocom.de
Gerrit-Attention: fixeria vyanitskiy@sysmocom.de
Gerrit-Comment-Date: Tue, 26 Mar 2024 14:13:59 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: laforge laforge@osmocom.org
Comment-In-Reply-To: pespin pespin@sysmocom.de
Comment-In-Reply-To: fixeria vyanitskiy@sysmocom.de
Gerrit-MessageType: comment