fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36613?usp=email )
Change subject: fixup: sgsn: fix unused param in f_routing_area_update()
fixup: sgsn: fix unused param in f_routing_area_update()
In 1ee1edd2 I changed f_routing_area_update() to actually use the given RAI as Old RAI in the Routing Area Update Request. Not only did this break the testcase scenario (Old RAI shall remain unchanged!), but it also started triggering a use-after-free bug in osmo-sgsn.
Passing 'ran_index := 1' is enough for the second Routing Area Update Request to show up with a different RAI (at BSSGP level), however the Old RAI IE shall obviously indicate the *old* RAI, not the new one.
A follow-up commit will add a separate testcase to reproduce the use-after-free problem in osmo-sgsn.
Change-Id: Ib16985cb08834a238ca4f7a747c43097f430ed6f
Fixes: 1ee1edd2 "sgsn: fix unused param in f_routing_area_update()"
Related: OS#6439
---
M sgsn/SGSN_Tests.ttcn
1 file changed, 24 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/13/36613/1
diff --git a/sgsn/SGSN_Tests.ttcn b/sgsn/SGSN_Tests.ttcn index 67e815b..0371e29 100644 --- a/sgsn/SGSN_Tests.ttcn +++ b/sgsn/SGSN_Tests.ttcn @@ -2734,7 +2734,7 @@ f_bssgp_client_register(g_pars.imsi, g_pars.tlli, BSSGP_PROC[1]);
log("sending second RAU via different RA"); - f_routing_area_update(f_cellid_to_RAI(g_pars.bssgp_cell_id[1]), ran_index := 1); + f_routing_area_update(old_ra := g_pars.ra, ran_index := 1);
f_detach_mo(c_GMM_DTT_MO_GPRS, true, true, 1); }
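Review bot: the reason the Old RAI must be `g_pars.ra` rather than `f_cellid_to_RAI(g_pars.bssgp_cell_id[1])` lives only in the commit message; add a short comment next to the call, e.g. `/* Old RAI stays the one from the initial attach; ran_index := 1 already routes the RAU via the second RA */`, so the regression from 1ee1edd2 is not reintroduced the next time someone "fixes" a parameter that looks unused. The log line "sending second RAU via different RA" directly above the call remains accurate, since the different RA is selected by `ran_index := 1` at BSSGP level. Separately, the change header reports 24 insertions(+) and 1 deletion(-), while this hunk accounts for a single changed line; please double-check that the uploaded revision contains exactly what is intended for this fixup and that nothing from the announced follow-up testcase has been mixed in.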