fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/39975?usp=email )
Change subject: msc: add TC_mo_ussd_evil_ms for OS#6756 ......................................................................
msc: add TC_mo_ussd_evil_ms for OS#6756
This is an "evil MS" scenario that crashes current osmo-msc.
Change-Id: If1d85a1b4b63b01b4565e53677acfd21e664e799 Related: OS#6756 --- M msc/MSC_Tests.ttcn M msc/expected-results.xml 2 files changed, 46 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/75/39975/1
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index 527b71a..21e74f1 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -4393,6 +4393,50 @@
 vc_conn.done;
 }
+/* MO (mobile-originated) SS/USSD FACILITY for an unknown transaction,
+ * and CM SERVICE REQUEST with wrong establishment cause prior to that.
+ * This is an "evil MS" scenario that can be used to reproduce OS#6756. */
+friend function f_TC_mo_ussd_evil_ms(charstring id, BSC_ConnHdlrPars pars)
+runs on BSC_ConnHdlr {
+ f_init_handler(pars);
+
+ f_ran_register_imsi(g_pars.imsi, g_pars.tmsi);
+ f_create_gsup_expect(hex2str(g_pars.imsi));
+
+ /* Perform location update */
+ f_perform_lu();
+
+ /* Send CM Service Request indicating *wrong* reason */
+ f_establish_fully(EST_TYPE_MO_CALL);
+
+ /* GSM 04.80 FACILITY message for a non-existing transaction */
+ var template (value) PDU_ML3_MS_NW mo_ss_fac := ts_ML3_MO_SS_FACILITY(
+ tid := 1, /* An arbitrary transaction identifier */
+ ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
+ facility := f_rnd_octstring(23) /* We don't care about the Facility IE */
+ );
+
+ /* Expected response from the network */
+ var template PDU_ML3_NW_MS mt_ss_rel := tr_ML3_MT_SS_RELEASE_COMPLETE(
+ tid := 1, /* Same as in the FACILITY message */
+ ti_flag := c_TIF_REPL, /* Sent to the side that originates the TI */
+ facility := omit
+ );
+
+ /* Send GSM 04.80 FACILITY for non-existing transaction */
+ BSSAP.send(ts_PDU_DTAP_MO(mo_ss_fac));
+
+ /* Expect GSM 04.80 RELEASE COMPLETE message */
+ f_expect_mt_dtap_msg(mt_ss_rel);
+ f_expect_clear();
+}
+testcase TC_mo_ussd_evil_ms() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+ f_init();
+ vc_conn := f_start_handler(refers(f_TC_mo_ussd_evil_ms), 111);
+ vc_conn.done;
+}
+
/* Verify multiple concurrent MO SS/USSD transactions
 * (one subscriber - one transaction) */
@@ -7659,6 +7703,7 @@
 execute( TC_lu_and_mt_csd() );
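Review bot: The comment above `f_establish_fully(EST_TYPE_MO_CALL)` says only that the reason is "*wrong*", and the header comment calls it an "establishment cause", so a reader cannot tell which mismatch the test depends on. From the visible lines the scenario appears to be a CM Service Request for an MO call followed by an SS FACILITY on the same connection; I would spell that out, e.g. `/* CM Service Type says MO call, but the next L3 message is SS/USSD; the MSC must answer with RELEASE COMPLETE and stay up */`. Separately, `facility := f_rnd_octstring(23)` sends different bytes on every run; for a regression test of a crash reachable from the radio side, a fixed octetstring (or logging the generated value) would make a failing run replayable.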
execute( TC_lu_and_mo_call_reass_for_mt_codec() );
+ execute( TC_mo_ussd_evil_ms() ); /* XXX: crashes osmo-msc */
 }
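Review bot: The new `execute( TC_mo_ussd_evil_ms() )` line enables a test that its own comment says crashes osmo-msc, while the entry added to msc/expected-results.xml in the next file is a plain `<testcase .../>` line. If that file records the currently expected verdict, it declares a pass that the commit message says will not happen yet. Until the osmo-msc fix is merged I would either record the expected failure there or state the dependency in the commit message, so the mismatch is not read as a new regression. The marker would also be easier to find and remove later if it named the ticket: `/* XXX: crashes osmo-msc, see OS#6756 */`. The control block starts outside this hunk, so whether running this test last is deliberate cannot be confirmed from here.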
diff --git a/msc/expected-results.xml b/msc/expected-results.xml
index 2dc7e97..dacb840 100644
--- a/msc/expected-results.xml
+++ b/msc/expected-results.xml
@@ -94,6 +94,7 @@
 <testcase classname='MSC_Tests' name='TC_proc_ss_for_unknown_session' time='MASKED'/>
 <testcase classname='MSC_Tests' name='TC_proc_ss_paging_fail' time='MASKED'/>
 <testcase classname='MSC_Tests' name='TC_proc_ss_abort' time='MASKED'/>
+ <testcase classname='MSC_Tests' name='TC_mo_ussd_evil_ms' time='MASKED'/>
 <testcase classname='MSC_Tests' name='TC_multi_lu_and_mo_ussd' time='MASKED'/>
 <testcase classname='MSC_Tests' name='TC_multi_lu_and_mt_ussd' time='MASKED'/>
 <testcase classname='MSC_Tests' name='TC_cipher_complete_with_invalid_cipher' time='MASKED'/>