bug in wireshark decoder of osmo-pcu

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/osmocom-net-gprs@lists.osmocom.org/.

Ivan Kluchnikov Ivan.Kluchnikov at fairwaves.ru
Mon Oct 1 10:33:11 UTC 2012


Hi, Andreas
As I understand, this problem has already been fixed in the latest
wireshark version.
See this patch https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7710
I reviewed latest wireshark fixes for rlc/mac decoder, there are
several important improvements, so I think I should port latest
wireshark code.
I think I'll do it in two days.

2012/9/30 jolly <andreas at eversberg.eu>:
> hi,
>
> i get wrong decoding of RLCMAC control block.
>
> the decoder of osmo-pcu is decoding following sequence:
>
> 0x40,0x16,0x76,0x67,0x74,0x02,0x26,0x64,0xe8,0x65,0x64,0x69,0x00,0x3e,0x4c,0x00,0x2b,0x2b,0x2b,0x2b,0x2b,0x2b,0x2
>
> this is the result:
>
> PayloadType = 1 | spare = 0 | R = 0 | MESSAGE_TYPE = 5 |
> Exist_ACCESS_TYPE = 1 | ACCESS_TYPE = 0 |  : ID | Choice
> PacketResourceRequestID = 1 | u.TLLI = 0xd99dd008 | : End ID |
> Exist_MS_Radio_Access_capability = 1 |  : MS_Radio_Access_capability |
> MS_RA_capability_value[0] { | Choice MS_RA_capability_value_Choice = 3 |
> u.Content length = 25
>
>  ... at this point, the length of the content is 25 bits:
>
> | RF_Power_Capability = 1 | Exist_A5_bits = 1 | A5_bits = 80 | ES_IND =
> 1 | PS = 1 | VGCS = 0 | VBS = 0 | Exist_Multislot_capability = 1 |  :
> Multislot_capability | Exist_HSCSD_multislot_class = 0 |
> Exist_GPRS_multislot_class = 1 | GPRS_multislot_class = 12 |
> GPRS_Extended_Dynamic_Allocation_Capability = 1 | Exist_SM = 0
>
>  ... at this point all 25 bits are decoded, so the decoder must abort
> decoding of content of Multislot_capability_t (see gsm_rlcmac.cpp).
> instead, it continues with the data found after these 25 bits: (all crap
> from now on)
>
> | Exist_ECSD_multislot_class = 0 | Exist_EGPRS_multislot_class = 0 |
> Exist_DTM_GPRS_multislot_class = 1 | DTM_GPRS_multislot_class = 2 |
> Single_Slot_DTM = 1 |  : DTM_EGPRS_Params |
> Exist_DTM_EGPRS_multislot_class = 0 | : End DTM_EGPRS_Params | : End
> Multislot_capability | Exist_Eight_PSK_Power_Capability = 0 |
> COMPACT_Interference_Measurement_Capability = 1 |
> Revision_Level_Indicator = 0 |
> UMTS_FDD_Radio_Access_Technology_Capability = 0 |
> UMTS_384_TDD_Radio_Access_Technology_Capability = 0 |
> CDMA2000_Radio_Access_Technology_Capability = 0 |
> UMTS_128_TDD_Radio_Access_Technology_Capability = 0 |
> GERAN_Feature_Package_1 = 0 | Exist_Extended_DTM_multislot_class = 0 |
> Modulation_based_multislot_class_support = 0 |
> Exist_HighMultislotCapability = 0 | Exist_GERAN_lu_ModeCapability = 0 |
> GMSK_MultislotPowerProfile = 3 | EightPSK_MultislotProfile = 3 |
> MultipleTBF_Capability = 1 | DownlinkAdvancedReceiverPerformance = 0 |
> ExtendedRLC_MAC_ControlMessageSegmentionsCapability = 1 |
> DTM_EnhancementsCapability = 0 | Exist_DTM_GPRS_HighMultislotClass = 0 |
> PS_HandoverCapability = 1 | MS_RA_capability_value[0] } |
> MS_RA_capability_value[0] { | Choice MS_RA_capability_value_Choice = 0 |
> u.Content length = 0 | RF_Power_Capability = 2 | Exist_A5_bits = 1 |
> A5_bits = 50 | ES_IND = 1 | PS = 0 | VGCS = 1 | VBS = 1 |
> Exist_Multislot_capability = 0 | Exist_Eight_PSK_Power_Capability = 0 |
> COMPACT_Interference_Measurement_Capability = 1 |
> Revision_Level_Indicator = 0 |
> UMTS_FDD_Radio_Access_Technology_Capability = 1 |
> UMTS_384_TDD_Radio_Access_Technology_Capability = 0 |
> CDMA2000_Radio_Access_Technology_Capability = 1 |
> UMTS_128_TDD_Radio_Access_Technology_Capability = 1 |
> GERAN_Feature_Package_1 = 0 | Exist_Extended_DTM_multislot_class = 0 |
> Modulation_based_multislot_class_support = 1 |
> Exist_HighMultislotCapability = 0 | Exist_GERAN_lu_ModeCapability = 1 |
> GERAN_lu_ModeCapability = 6 | GMSK_MultislotPowerProfile = 1 |
> EightPSK_MultislotProfile = 1 | MultipleTBF_Capability = 0 |
> DownlinkAdvancedReceiverPerformance = 3 |
> ExtendedRLC_MAC_ControlMessageSegmentionsCapability = 0 |
> DTM_EnhancementsCapability = 0 | Exist_DTM_GPRS_HighMultislotClass = 1 |
> DTM_GPRS_HighMultislotClass = 2 |  : DTM_EGPRS_HighMultislotClass |
> Exist_DTM_EGPRS_HighMultislotClass = 1 | : End
> DTM_EGPRS_HighMultislotClass | : End MS_Radio_Access_capability |
>
>
> there are two problems with the decoder:
>
> - it does not check if the length has been exceeded while decoding
> Multislot_capability_t content. if the length is lower than all elements
> in Multislot_capability_t, the decoder must abort decoding the content.
> this is no bug. (the definition used at that point should be
> M_NEXT_EXIST_OR_NULL instead of M_NEXT_EXIST, see gsm_rlcmac.cpp)
> - even if the correct definition is used, the csn1 decoder will not use
> the length given at "u.Content length" to abort. instead it checks for
> reaching total length of coded data.
>
>
> i played a bit with the code, but could not fix it without breaking
> other things. but decoding with wireshark works. would it be possible to
> port latest wireshark code?
>
> regards,
>
> andreas
-- 
Regards,
Ivan Kluchnikov.
http://fairwaves.ru
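The failure Andreas describes, as an added C example that is not code from osmo-pcu or Wireshark: a hypothetical, simplified subset of MS_RA_capability_value is decoded once with the declared content length enforced as a hard bound on the bit reader (next_exist behaving like M_NEXT_EXIST_OR_NULL) and once bounded only by the whole message, so the second run wanders into the padding after the content exactly as the trace above does. Field widths, the 7-bit length prefix and the sample bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef struct { const uint8_t *buf; size_t pos, end; } bitreader_t;   /* MSB-first, bounded */
static int read_bits(bitreader_t *r, unsigned n, uint32_t *out) {
    if (r->pos + n > r->end) return -1;   /* refuse to read past the bound */
    for (*out = 0; n-- > 0; r->pos++)
        *out = (*out << 1) | ((r->buf[r->pos / 8] >> (7 - r->pos % 8)) & 1u);
    return 0;
}
/* M_NEXT_EXIST_OR_NULL semantics: at the end of the bounded range an optional
 * element is simply absent, where M_NEXT_EXIST would report an error. */
static int next_exist(bitreader_t *r, bool *exist) {
    uint32_t b = 0;
    if (r->pos >= r->end) { *exist = false; return 0; }
    if (read_bits(r, 1, &b)) return -1;
    *exist = (b != 0);
    return 0;
}
typedef struct {   /* simplified, hypothetical subset of MS_RA_capability_value */
    uint32_t rf_power_cap, a5_bits, gprs_msc, egprs_msc;
    bool have_a5, have_multislot, have_gprs_msc, have_egprs_msc;
    size_t bits_consumed;   /* 7-bit length field plus content actually read */
} ms_ra_cap_t;
static int decode_content(bitreader_t *r, ms_ra_cap_t *o) {
    if (read_bits(r, 3, &o->rf_power_cap)) return -1;
    if (next_exist(r, &o->have_a5)) return -1;
    if (o->have_a5 && read_bits(r, 7, &o->a5_bits)) return -1;
    if (next_exist(r, &o->have_multislot)) return -1;
    if (!o->have_multislot) return 0;
    if (next_exist(r, &o->have_gprs_msc)) return -1;
    if (o->have_gprs_msc && read_bits(r, 5, &o->gprs_msc)) return -1;
    if (next_exist(r, &o->have_egprs_msc)) return -1;
    if (o->have_egprs_msc && read_bits(r, 5, &o->egprs_msc)) return -1;
    return 0;
}
/* bounded=true limits the content decoder to the declared length (the fix);
 * bounded=false bounds it only by the whole message, so it runs on (the bug). */
int decode_ms_ra_cap(const uint8_t *buf, size_t total_bits, bool bounded, ms_ra_cap_t *o) {
    bitreader_t r = { buf, 0, total_bits };
    uint32_t len = 0;
    if (read_bits(&r, 7, &len) || r.pos + len > total_bits) return -1;
    bitreader_t c = r;
    if (bounded) c.end = r.pos + len;   /* hard bound: the declared content length */
    if (decode_content(&c, o)) return -1;
    o->bits_consumed = c.pos;
    return 0;
}
/* Constructed sample: len=18, RF=1, A5=80, Multislot+GPRS class 12, then 1-bit padding. */
static const uint8_t sample_msg[] = { 0x24, 0x74, 0x36, 0x7F, 0xFF };   /* 40 bits */
```

With the bound enforced, decoding stops after 25 bits and reports no EGPRS multislot class; without it the decoder "finds" one in the padding, which is the kind of divergence a parser test suite should assert on.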