Hello,
In some situations NextEPC crashes when trying MT-CSFB.
Here is the log:
07/17 17:48:53.270: [mme] WARNING: EMM_CAUSE : IMSI Unknown in HSS (mme-sm.c:339)
07/17 17:48:54.480: [mme] WARNING: ERROR DIAMETER Result Code(5001) (mme-fd-path.c:298)
07/17 17:48:54.480: [mme] WARNING: EMM_CAUSE : IMSI Unknown in HSS (mme-sm.c:339)
07/17 17:48:55.611: [s1ap] ERROR: Failed to encode S1AP-PDU[-1] (s1ap-encoder.c:41)
07/17 17:48:55.611: [mme] ERROR: s1ap_encode_pdu() failed (s1ap-build.c:555)
07/17 17:48:55.611: [mme] FATAL: s1ap_send_initial_context_setup_request: Assertion `rv == OGS_OK && s1apbuf' failed. (s1ap-path.c:252)
File Logging: '//var/log/nextepc/mme.log'
Configuration: '//etc/nextepc/mme.conf'
07/17 17:48:58.215: [mme] INFO: MME initialize...done (mme.c:28)
NextEPC daemon v0.5.0.26-b642c
07/17 17:48:58.215: [gtp] INFO: gtp_server() [10.3.15.38]:2123 (gtp-path.c:36)
07/17 17:48:58.215: [gtp] INFO: gtp_server() [2804:828:3:15:b010:37ff:fe46:4521]:2123 (gtp-path.c:36)
07/17 17:48:58.215: [gtp] INFO: gtp_server() [2804:828:3:208:48a0:1cff:fed9:b7c9]:2123 (gtp-path.c:36)
07/17 17:48:58.215: [gtp] INFO: gtp_connect() [127.0.0.2]:2123 (gtp-path.c:61)
07/17 17:48:58.216: [mme] INFO: sgsap client() [127.0.0.1]:29118 (sgsap-lkpath.c:47)
07/17 17:48:58.216: [mme] INFO: s1ap_server() [10.3.15.38]:36412 (s1ap-lkpath.c:44)
07/17 17:48:58.217: [fd] INFO: CONNECTED TO 'hss.localdomain' (TCP,soc#14): (fd-logger.c:113)
07/17 17:48:58.802: [mme] INFO: eNB-S1 accepted[10.12.0.3]:36412 in s1_path module (s1ap-lkpath.c:70)
The pcap from this moment is in the attached file; I will try to find out what happened.
Thanks
Romeu Medeiros
Today I've analyzed this problem. Luckily it was reproduced in simulator.
The bad news seems to be a problem with the asn1c library. More than 9 protocol IE cannot be built from InitialContextSetupRequest.
So, I've added some workaround as below.
if CS Fallback then
    Add CS Fallback ProtocolIE
    Add RegisteredLAI
ELSE if RadioCapability
    Add RadioCapability
endif
ELSE prevents InitialContextSetupRequest from creating more than 9 protocol IEs.
See more information at the following link: https://github.com/open5gs/nextepc/commit/f19009c736875847f30d7ea010d1064c58...
Thanks a lot!
Best Regards, Sukchan
On Thu, Jul 18, 2019 at 5:55 AM Romeu Medeiros medeiros@medeiros.eng.br wrote:
Hello,
In some situations NextEPC crashes when trying MT-CSFB.
Here is the log:
07/17 17:48:53.270: [mme] WARNING: EMM_CAUSE : IMSI Unknown in HSS (mme-sm.c:339)
07/17 17:48:54.480: [mme] WARNING: ERROR DIAMETER Result Code(5001) (mme-fd-path.c:298)
07/17 17:48:54.480: [mme] WARNING: EMM_CAUSE : IMSI Unknown in HSS (mme-sm.c:339)
07/17 17:48:55.611: [s1ap] ERROR: Failed to encode S1AP-PDU[-1] (s1ap-encoder.c:41)
07/17 17:48:55.611: [mme] ERROR: s1ap_encode_pdu() failed (s1ap-build.c:555)
07/17 17:48:55.611: [mme] FATAL: s1ap_send_initial_context_setup_request: Assertion `rv == OGS_OK && s1apbuf' failed. (s1ap-path.c:252)
File Logging: '//var/log/nextepc/mme.log'
Configuration: '//etc/nextepc/mme.conf'
07/17 17:48:58.215: [mme] INFO: MME initialize...done (mme.c:28)
NextEPC daemon v0.5.0.26-b642c
07/17 17:48:58.215: [gtp] INFO: gtp_server() [10.3.15.38]:2123 (gtp-path.c:36)
07/17 17:48:58.215: [gtp] INFO: gtp_server() [2804:828:3:15:b010:37ff:fe46:4521]:2123 (gtp-path.c:36)
07/17 17:48:58.215: [gtp] INFO: gtp_server() [2804:828:3:208:48a0:1cff:fed9:b7c9]:2123 (gtp-path.c:36)
07/17 17:48:58.215: [gtp] INFO: gtp_connect() [127.0.0.2]:2123 (gtp-path.c:61)
07/17 17:48:58.216: [mme] INFO: sgsap client() [127.0.0.1]:29118 (sgsap-lkpath.c:47)
07/17 17:48:58.216: [mme] INFO: s1ap_server() [10.3.15.38]:36412 (s1ap-lkpath.c:44)
07/17 17:48:58.217: [fd] INFO: CONNECTED TO 'hss.localdomain' (TCP,soc#14): (fd-logger.c:113)
07/17 17:48:58.802: [mme] INFO: eNB-S1 accepted[10.12.0.3]:36412 in s1_path module (s1ap-lkpath.c:70)
The pcap from this moment is in the attached file; I will try to find out what happened.
Thanks
Romeu Medeiros
Hi Sukchan,
On Sun, Jul 21, 2019 at 10:59:44PM +0900, Sukchan Lee wrote:
The bad news seems to be a problem with the asn1c library. More than 9 protocol IE cannot be built from InitialContextSetupRequest.
I suggest to report this upstream to the asn1c hackers and ask for their help.
It may also work using one of the other versions/branches of asn1c for comparison.
Hi Harald,
Of course, I will. But before that I should check the other asn1c upstream version. And I need to reproduce test code for asn1c hacker to analyze this problem easily.
And then, I will post this issue.
Thanks a lot!
Best Regards Sukchan
On 2019. 7. 21. at 11:41 PM, Harald Welte laforge@gnumonks.org wrote:
Hi Sukchan,
On Sun, Jul 21, 2019 at 10:59:44PM +0900, Sukchan Lee wrote: The bad news seems to be a problem with the asn1c library. More than 9 protocol IE cannot be built from InitialContextSetupRequest.
I suggest to report this upstream to the asn1c hackers and ask for their help.
It may also work using one of the other versions/branches of asn1c for comparison.
- Harald Welte laforge@gnumonks.org http://laforge.gnumonks.org/
============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)
It seems that this is not a problem with the asn1c library. There is a bug in ogs_calloc()/ogs_free().
I've changed memory alloc()/free() as below. https://github.com/open5gs/nextepc/commit/dba1fcac5c29509a9e662a9fedc37a674a...
And then, the source code is modified like the following. diff --git a/lib/asn1c/common/asn_internal.h b/lib/asn1c/common/asn_internal.h index 77e005f7..d561043b 100644 --- a/lib/asn1c/common/asn_internal.h +++ b/lib/asn1c/common/asn_internal.h @@ -23,7 +23,7 @@ extern "C" { #define ASN1C_ENVIRONMENT_VERSION 923 /* Compile-time version */ int get_asn1c_environment_version(void); /* Run-time version */
-#if 0 /* modified by acetcom */ +#if 1 /* modified by acetcom */ #define CALLOC(nmemb, size) calloc(nmemb, size) #define MALLOC(size) malloc(size) #define REALLOC(oldptr, size) realloc(oldptr, size)
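Review bot: The #if 0 to #if 1 flip in asn_internal.h leaves a bare numeric toggle with only "modified by acetcom" as explanation, so nothing in the file records which branch is the project allocator and which is libc. A named macro set by the build, plus a comment saying why the system calloc()/malloc()/realloc() are selected, would make this easy to revert once the ogs allocator is fixed. The visible context shows only CALLOC, MALLOC and REALLOC; the matching free macro should be confirmed to sit in the same branch, so that buffers allocated by libc are never released through ogs_free().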
So, s1ap encoder/decoder is executed with system's calloc()/free().
And then, run the following command.
$ ./test/testcsfb crash-test
The above test does not crash. Of course, if ogs_calloc()/ogs_free() is used, the above test command crashes.
So, I need to analyze which bug in ogs-memory.c causes this crash.
Thanks!
On Mon, Jul 22, 2019 at 12:02 AM Sukchan Lee acetcom@gmail.com wrote:
Hi Harald,
Of course, I will. But before that I should check the other asn1c upstream version. And I need to reproduce test code for asn1c hacker to analyze this problem easily.
And then, I will post this issue.
Thanks a lot!
Best Regards Sukchan
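The allocator swap in the message above isolates the fault by running the same encoder over two allocators; the same idea as a stand-alone check, added here as an example and not code from NextEPC, OGSLib or asn1c. The names trk_realloc, trk_free and grow_and_check, and the doubling-from-4 growth policy, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical size-tracking wrapper: a header in front of each block
 * records the usable size, as pool-style allocators commonly do. */
typedef struct { size_t size; } hdr_t;

static void *trk_realloc(void *old, size_t size) {
    hdr_t *h = old ? (hdr_t *)old - 1 : NULL;
    /* realloc() takes the header pointer, never the user pointer; on
     * failure the old block stays valid and NULL is returned. */
    hdr_t *n = realloc(h, sizeof(hdr_t) + size);
    if (!n) return NULL;
    n->size = size;
    return n + 1;
}
static void trk_free(void *p) { if (p) free((hdr_t *)p - 1); }

typedef void *(*realloc_fn)(void *, size_t);
typedef void (*free_fn)(void *);

/* Grow a pointer list one entry at a time, doubling capacity from 4
 * (assumed growth policy), then verify every stored entry survived.
 * Returns the number of corrupted entries, or -1 on allocation failure. */
int grow_and_check(realloc_fn re, free_fn fr, size_t count) {
    uintptr_t *list = NULL;
    size_t cap = 0, n, bad = 0;
    for (n = 0; n < count; n++) {
        if (n == cap) {
            size_t ncap = cap ? cap * 2 : 4;
            uintptr_t *tmp = re(list, ncap * sizeof(*list));
            if (!tmp) { fr(list); return -1; }
            list = tmp;
            cap = ncap;
        }
        list[n] = (uintptr_t)0xA5A50000u + n;   /* constructed marker value */
    }
    for (n = 0; n < count; n++)
        if (list[n] != (uintptr_t)0xA5A50000u + n) bad++;
    fr(list);
    return (int)bad;
}

int main(void) {
    /* 12 entries cross both the 4->8 and the 8->16 growth steps. */
    int libc = grow_and_check(realloc, free, 12);
    int trk  = grow_and_check(trk_realloc, trk_free, 12);
    return (libc == 0 && trk == 0) ? 0 : 1;
}
```

A non-zero result for one allocator and zero for the other points at the allocator rather than at the code that grows the list.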
Ah, one more modification is needed as below.
diff --git a/src/mme/s1ap-build.c b/src/mme/s1ap-build.c index a49d117e..cfbedc87 100644 --- a/src/mme/s1ap-build.c +++ b/src/mme/s1ap-build.c @@ -531,7 +531,8 @@ int s1ap_build_initial_context_setup_request( ogs_assert(mme_ue->p_tmsi); s1ap_uint16_to_OCTET_STRING(mme_ue->csmap->lai.lac, &LAI->lAC);
- } else if (mme_ue->ueRadioCapability.buf && + } + if (mme_ue->ueRadioCapability.buf && mme_ue->ueRadioCapability.size) { /* Set UeRadioCapability if exists */ S1AP_UERadioCapability_t *UERadioCapability = NULL;
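Review bot: Dropping the else before "if (mme_ue->ueRadioCapability.buf &&" means a CS fallback request now also carries UERadioCapability, which is the more-than-9-IE message that failed to encode earlier in this thread, so this hunk is only safe together with the allocator change. A short comment at the new if saying the two blocks are independent on purpose, and a test case that builds the request with both CS fallback and a radio capability set, would keep the old else workaround from being reintroduced. Separately, the context line "ogs_assert(mme_ue->p_tmsi);" aborts the MME when the value is unset; since the function returns int, returning an error from the builder would be safer on this path.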
The above change is also needed to encode more than 9 protocol IE.
Thanks!
On Wed, Jul 24, 2019 at 10:18 PM Sukchan Lee acetcom@gmail.com wrote:
It seems that this is not a problem with the asn1c library. There is a bug in ogs_calloc()/ogs_free().
I've changed memory alloc()/free() as below.
https://github.com/open5gs/nextepc/commit/dba1fcac5c29509a9e662a9fedc37a674a...
And then, the source code is modified like the following. diff --git a/lib/asn1c/common/asn_internal.h b/lib/asn1c/common/asn_internal.h index 77e005f7..d561043b 100644 --- a/lib/asn1c/common/asn_internal.h +++ b/lib/asn1c/common/asn_internal.h @@ -23,7 +23,7 @@ extern "C" { #define ASN1C_ENVIRONMENT_VERSION 923 /* Compile-time version */ int get_asn1c_environment_version(void); /* Run-time version */
-#if 0 /* modified by acetcom */ +#if 1 /* modified by acetcom */ #define CALLOC(nmemb, size) calloc(nmemb, size) #define MALLOC(size) malloc(size) #define REALLOC(oldptr, size) realloc(oldptr, size)
So, s1ap encoder/decoder is executed with system's calloc()/free().
And then, run the following command.
$ ./test/testcsfb crash-test
The above test does not crash. Of course, if ogs_calloc()/ogs_free() is used, the above test command crashes.
So, I need to analyze which bug in ogs-memory.c causes this crash.
Thanks!
Hi Romeu,
I've fixed this issue. There is a big bug in ogs_realloc();
The issue links are below:
OGSLib : https://github.com/open5gs/ogslib/issues/4
NextEPC: https://github.com/open5gs/nextepc/issues/231
The code is fixed like the following. https://github.com/open5gs/ogslib/commit/4a6c2e2a4afcc3337b2748d0df645b4b57c...
Many thanks!
Best Regards, Sukchan
On Wed, Jul 24, 2019 at 10:20 PM Sukchan Lee acetcom@gmail.com wrote:
Ah, one more modification is needed as below.
diff --git a/src/mme/s1ap-build.c b/src/mme/s1ap-build.c index a49d117e..cfbedc87 100644 --- a/src/mme/s1ap-build.c +++ b/src/mme/s1ap-build.c @@ -531,7 +531,8 @@ int s1ap_build_initial_context_setup_request( ogs_assert(mme_ue->p_tmsi); s1ap_uint16_to_OCTET_STRING(mme_ue->csmap->lai.lac, &LAI->lAC);
- } else if (mme_ue->ueRadioCapability.buf &&
- }
- if (mme_ue->ueRadioCapability.buf && mme_ue->ueRadioCapability.size) { /* Set UeRadioCapability if exists */ S1AP_UERadioCapability_t *UERadioCapability = NULL;
The above change is also needed to encode more than 9 protocol IE.
Thanks!
Hello Sukchan,
Thanks for this!
I will try tomorrow. Thanks
Romeu Medeiros
On Sun, Jul 28, 2019 at 12:19, Sukchan Lee acetcom@gmail.com wrote:
Hi Romeu,
I've fixed this issue. There is a big bug in ogs_realloc();
The issue links are below:
OGSLib : https://github.com/open5gs/ogslib/issues/4
NextEPC: https://github.com/open5gs/nextepc/issues/231
The code is fixed like the following.
https://github.com/open5gs/ogslib/commit/4a6c2e2a4afcc3337b2748d0df645b4b57c...
Many thanks!
Best Regards, Sukchan