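/*
 * Copyright (C) 2019 by Sukchan Lee
 *
 * This file is part of Open5GS.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

#include "mme-context.h"
#include "mme-sm.h"
#include "mme-timer.h"

#include "s1ap-handler.h"
#include "s1ap-path.h"
#include "sgsap-path.h"
#include "nas-security.h"
#include "nas-path.h"
#include "emm-handler.h"
#include "esm-handler.h"
#include "mme-gn-handler.h"
#include "mme-gtp-path.h"
#include "mme-s11-handler.h"
#include "mme-fd-path.h"
#include "mme-s6a-handler.h"
#include "mme-path.h"

/*
 * Initial state of the MME state machine.
 *
 * Logs the event and transitions straight to mme_state_operational.
 */
void mme_state_initial(ogs_fsm_t *s, mme_event_t *e)
{
    mme_sm_debug(e);

    ogs_assert(s);

    OGS_FSM_TRAN(s, &mme_state_operational);
}

/*
 * Final state of the MME state machine.
 *
 * Only logs the event; no transition is made from here.
 */
void mme_state_final(ogs_fsm_t *s, mme_event_t *e)
{
    mme_sm_debug(e);

    ogs_assert(s);
}

/*
 * Operational state of the MME state machine.
 *
 * Dispatches on e->id: S1AP/SGsAP socket events and messages, NAS EMM/ESM
 * messages and timers, S6a Diameter answers, and S11 (GTPv2-C) / Gn (GTPv1-C)
 * messages and timers. Decoded messages are forwarded to the per-eNB, per-UE,
 * per-bearer or per-VLR state machine with ogs_fsm_dispatch().
 *
 * Resources released here, as visible in each case: e->addr (ogs_free) once
 * the peer context has been looked up or added, e->pkbuf (ogs_pkbuf_free)
 * after a message has been handled or rejected, and e->s6a_message together
 * with its subscription data.
 *
 * Most of the input handled below originates from network peers (eNB, UE,
 * HSS, SGW, SGSN, VLR), so every ogs_assert() on a looked-up context is a
 * point where the process stops instead of rejecting the message.
 */
void mme_state_operational(ogs_fsm_t *s, mme_event_t *e)
{
    int rv;
    char buf[OGS_ADDRSTRLEN];

    ogs_sock_t *sock = NULL;
    ogs_sockaddr_t *addr = NULL;
    mme_enb_t *enb = NULL;
    uint16_t max_num_of_ostreams = 0;

    ogs_s1ap_message_t s1ap_message;
    ogs_pkbuf_t *pkbuf = NULL;
    int rc, r;

    ogs_nas_eps_message_t nas_message;
    enb_ue_t *enb_ue = NULL;
    sgw_ue_t *sgw_ue = NULL;
    mme_ue_t *mme_ue = NULL;

    mme_bearer_t *bearer = NULL;
    mme_bearer_t *default_bearer = NULL;
    mme_sess_t *sess = NULL;

    ogs_diam_s6a_message_t *s6a_message = NULL;
    uint8_t emm_cause = 0;

    ogs_gtp_node_t *gnode = NULL;
    ogs_gtp_xact_t *xact = NULL;
    ogs_gtp2_message_t gtp_message;
    ogs_gtp1_message_t gtp1_message;

    mme_vlr_t *vlr = NULL;

    ogs_assert(e);
    mme_sm_debug(e);

    ogs_assert(s);

    switch (e->id) {
    case OGS_FSM_ENTRY_SIG:
        break;

    case OGS_FSM_EXIT_SIG:
        break;

    case MME_EVENT_S1AP_LO_ACCEPT:
        sock = e->sock;
        ogs_assert(sock);
        addr = e->addr;
        ogs_assert(addr);

        ogs_assert(addr->ogs_sa_family == AF_INET ||
                addr->ogs_sa_family == AF_INET6);

        ogs_info("eNB-S1 accepted[%s] in master_sm module",
            OGS_ADDR(addr, buf));

        enb = mme_enb_find_by_addr(addr);
        if (!enb) {
            enb = mme_enb_add(sock, addr);
            ogs_assert(enb);
        } else {
            /* A context already exists for this address: drop the new
             * socket and keep the existing eNB context. */
            ogs_warn("eNB context duplicated with IP-address [%s]!!!",
                    OGS_ADDR(addr, buf));
            ogs_sock_destroy(sock);
            ogs_free(addr);
            ogs_warn("S1 Socket Closed");
        }

        break;

    case MME_EVENT_S1AP_LO_SCTP_COMM_UP:
        sock = e->sock;
        ogs_assert(sock);
        addr = e->addr;
        ogs_assert(addr);

        ogs_assert(addr->ogs_sa_family == AF_INET ||
                addr->ogs_sa_family == AF_INET6);

        max_num_of_ostreams = e->max_num_of_ostreams;

        enb = mme_enb_find_by_addr(addr);
        if (!enb) {
            enb = mme_enb_add(sock, addr);
            ogs_assert(enb);
        } else {
            ogs_free(addr);
        }

        /* Keep the smaller of the stored and the newly reported value;
         * a stored value of 0 means nothing has been recorded yet. */
        if (enb->max_num_of_ostreams)
            enb->max_num_of_ostreams =
                    ogs_min(max_num_of_ostreams, enb->max_num_of_ostreams);
        else
            enb->max_num_of_ostreams = max_num_of_ostreams;

        ogs_info("eNB-S1[%s] max_num_of_ostreams : %d",
            OGS_ADDR(enb->sctp.addr, buf), enb->max_num_of_ostreams);

        break;

    case MME_EVENT_S1AP_LO_CONNREFUSED:
        sock = e->sock;
        ogs_assert(sock);
        addr = e->addr;
        ogs_assert(addr);

        ogs_assert(addr->ogs_sa_family == AF_INET ||
                addr->ogs_sa_family == AF_INET6);

        enb = mme_enb_find_by_addr(addr);
        if (enb) {
            ogs_info("eNB-S1[%s] connection refused!!!",
                    OGS_ADDR(addr, buf));
            mme_gtp_send_release_all_ue_in_enb(
                    enb, OGS_GTP_RELEASE_S1_CONTEXT_REMOVE_BY_LO_CONNREFUSED);
            mme_enb_remove(enb);
        } else {
            ogs_warn("eNB-S1[%s] connection refused, Already Removed!",
                    OGS_ADDR(addr, buf));
        }
        ogs_free(addr);

        break;

    case MME_EVENT_S1AP_MESSAGE:
        sock = e->sock;
        ogs_assert(sock);
        addr = e->addr;
        ogs_assert(addr);
        pkbuf = e->pkbuf;
        ogs_assert(pkbuf);

        ogs_assert(addr->ogs_sa_family == AF_INET ||
                addr->ogs_sa_family == AF_INET6);

        enb = mme_enb_find_by_addr(addr);
        ogs_free(addr);

        /*
         * NOTE(review): the CONNREFUSED case above logs "Already Removed!"
         * when the lookup fails, but here a failed lookup is fatal.
         * Confirm that a queued S1AP message can never be processed after
         * its eNB context has been removed.
         */
        ogs_assert(enb);
        ogs_assert(OGS_FSM_STATE(&enb->sm));

        rc = ogs_s1ap_decode(&s1ap_message, pkbuf);
        if (rc == OGS_OK) {
            e->enb = enb;
            e->s1ap_message = &s1ap_message;
            ogs_fsm_dispatch(&enb->sm, e);
        } else {
            /* Undecodable input from the eNB is answered with an
             * Error Indication rather than dropped silently. */
            ogs_warn("Cannot decode S1AP message");
            r = s1ap_send_error_indication(
                    enb, NULL, NULL, S1AP_Cause_PR_protocol,
                    S1AP_CauseProtocol_abstract_syntax_error_falsely_constructed_message);
            ogs_expect(r == OGS_OK);
            ogs_assert(r != OGS_ERROR);
        }

        ogs_s1ap_free(&s1ap_message);
        ogs_pkbuf_free(pkbuf);
        break;

    case MME_EVENT_S1AP_TIMER:
        enb_ue = e->enb_ue;
        ogs_assert(enb_ue);

        switch (e->timer_id) {
        case MME_TIMER_S1_DELAYED_SEND:
            enb = e->enb;
            ogs_assert(enb);
            pkbuf = e->pkbuf;
            ogs_assert(pkbuf);

            r = s1ap_send_to_enb_ue(enb_ue, pkbuf);
            ogs_expect(r == OGS_OK);
            ogs_assert(r != OGS_ERROR);

            ogs_timer_delete(e->timer);
            break;
        case MME_TIMER_S1_HOLDING:
            ogs_warn("Implicit S1 release");
            ogs_warn(" ENB_UE_S1AP_ID[%d] MME_UE_S1AP_ID[%d]",
                  enb_ue->enb_ue_s1ap_id, enb_ue->mme_ue_s1ap_id);
            s1ap_handle_ue_context_release_action(enb_ue);
            break;
        default:
            ogs_error("Unknown timer[%s:%d]",
                    mme_timer_get_name(e->timer_id), e->timer_id);
            break;
        }
        break;

    case MME_EVENT_EMM_MESSAGE:
        enb_ue = e->enb_ue;
        ogs_assert(enb_ue);
        pkbuf = e->pkbuf;
        ogs_assert(pkbuf);
        if (ogs_nas_emm_decode(&nas_message, pkbuf) != OGS_OK) {
            ogs_error("ogs_nas_emm_decode() failed");
            ogs_pkbuf_free(pkbuf);
            return;
        }

        mme_ue = enb_ue->mme_ue;
        if (!mme_ue) {
            mme_ue = mme_ue_find_by_message(&nas_message);
            if (!mme_ue) {
                mme_ue = mme_ue_add(enb_ue);
                if (mme_ue == NULL) {
                    /* No UE context could be allocated: release the S1
                     * context with cause "control processing overload". */
                    r = s1ap_send_ue_context_release_command(enb_ue,
                            S1AP_Cause_PR_misc,
                            S1AP_CauseMisc_control_processing_overload,
                            S1AP_UE_CTX_REL_S1_CONTEXT_REMOVE, 0);
                    ogs_expect(r == OGS_OK);
                    ogs_assert(r != OGS_ERROR);
                    ogs_pkbuf_free(pkbuf);
                    return;
                }

                MME_UE_CHECK(OGS_LOG_DEBUG, mme_ue);
                ogs_assert(ECM_IDLE(mme_ue));
            } else {
                /* Here, if the MME_UE Context is found,
                 * the integrity check is not performed
                 * For example, ATTACH_REQUEST,
                 * TRACKING_AREA_UPDATE_REQUEST message
                 *
                 * Now, We will check the MAC in the NAS message*/
                ogs_nas_security_header_type_t h;
                h.type = e->nas_type;
                if (h.integrity_protected) {
                    /* Decryption was performed in S1AP handler.
                     * So, we disabled 'ciphered'
                     * not to decrypt NAS message */
                    h.ciphered = 0;
                    if (nas_eps_security_decode(mme_ue, h, pkbuf) != OGS_OK) {
                        ogs_error("nas_security_decode() failed");
                        ogs_pkbuf_free(pkbuf);
                        return;
                    }
                }

                /* If NAS(mme_ue_t) has already been associated with
                 * older S1(enb_ue_t) context */
                if (ECM_CONNECTED(mme_ue)) {
                    /*
                     * Issue #2786
                     *
                     * In cases where the UE sends an Integrity Un-Protected Attach
                     * Request or Service Request, there is an issue of sending
                     * a UEContextReleaseCommand for the OLD ENB Context.
                     *
                     * For example, if the UE switchs off and power-on after
                     * the first connection, the EPC sends a UEContextReleaseCommand.
                     *
                     * However, since there is no ENB context for this on the eNB,
                     * the eNB does not send a UEContextReleaseComplete,
                     * so the deletion of the ENB Context does not function properly.
                     *
                     * To solve this problem, the EPC has been modified to implicitly
                     * delete the ENB Context instead of sending a UEContextReleaseCommand.
                     */
                    HOLDING_S1_CONTEXT(mme_ue);
                }
            }

            enb_ue_associate_mme_ue(enb_ue, mme_ue);
            ogs_debug("Mobile Reachable timer stopped for IMSI[%s]",
                mme_ue->imsi_bcd);
            CLEAR_MME_UE_TIMER(mme_ue->t_mobile_reachable);
        }

        ogs_assert(mme_ue);
        if (!OGS_FSM_STATE(&mme_ue->sm)) {
            /* Dump as much context as possible before the fatal assert. */
            ogs_fatal("MESSAGE[%d]", nas_message.emm.h.message_type);
            ogs_fatal("ENB_UE_S1AP_ID[%d] MME_UE_S1AP_ID[%d]",
                    enb_ue ? enb_ue->enb_ue_s1ap_id : 0,
                    enb_ue ? enb_ue->mme_ue_s1ap_id : 0);
            ogs_fatal("context [%p:%p]", enb_ue, mme_ue);
            ogs_fatal("cycle [%p:%p]",
                    enb_ue_cycle(enb_ue), mme_ue_cycle(mme_ue));
            ogs_fatal("IMSI [%s]", mme_ue ? mme_ue->imsi_bcd : "No MME_UE");
            ogs_assert_if_reached();
        }
        ogs_assert(OGS_FSM_STATE(&mme_ue->sm));

        e->mme_ue = mme_ue;
        e->nas_message = &nas_message;

        ogs_fsm_dispatch(&mme_ue->sm, e);
        if (OGS_FSM_CHECK(&mme_ue->sm, emm_state_exception)) {
            mme_send_delete_session_or_mme_ue_context_release(mme_ue);
        }

        ogs_pkbuf_free(pkbuf);
        break;

    case MME_EVENT_EMM_TIMER:
        mme_ue = e->mme_ue;
        ogs_assert(mme_ue);
        ogs_assert(OGS_FSM_STATE(&mme_ue->sm));

        ogs_fsm_dispatch(&mme_ue->sm, e);
        break;

    case MME_EVENT_ESM_MESSAGE:
        mme_ue = e->mme_ue;
        ogs_assert(mme_ue);

        pkbuf = e->pkbuf;
        ogs_assert(pkbuf);
        if (ogs_nas_esm_decode(&nas_message, pkbuf) != OGS_OK) {
            ogs_error("ogs_nas_esm_decode() failed");
            ogs_pkbuf_free(pkbuf);
            break;
        }

/* Logs the event and ESM header fields of a message that is about to be
 * ignored because of the current EMM state. */
#define ESM_MESSAGE_CHECK \
    do { \
        ogs_error("emm_state_exception"); \
        ogs_error("nas_type:%d, create_action:%d", \
                e->nas_type, e->create_action); \
        ogs_error("esm.message[EBI:%d,PTI:%d,TYPE:%d]", \
                nas_message.esm.h.eps_bearer_identity, \
                nas_message.esm.h.procedure_transaction_identity, \
                nas_message.esm.h.message_type); \
    } while(0)

        /*
         * Because a race condition can occur between S6A Diameter and S1AP message,
         * the following error handling code has been added.
         *
         * 1. InitialUEMessage + Attach Request + PDN Connectivity request
         * 2. Authentication-Information-Request/Authentication-Information-Answer
         * 3. Authentication Request/Response
         * 4. Security-mode command/complete
         * 5. Update-Location-Request/Update-Location-Answer
         * 6. Detach request/accept
         *
         * In the ULR/ULA process in step 6, the PDN Connectivity request is
         * pushed to the queue as an ESM_MESSAGE because the NAS-Type is still
         * an Attach Request.
         *
         * See the code below in 'mme-s6a-handler.c' for where the queue is pushed.
         *
         *   if (mme_ue->nas_eps.type == MME_EPS_TYPE_ATTACH_REQUEST) {
         *       rv = nas_eps_send_emm_to_esm(mme_ue,
         *               &mme_ue->pdn_connectivity_request);
         *       if (rv != OGS_OK) {
         *           ogs_error("nas_eps_send_emm_to_esm() failed");
         *           return OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED;
         *       }
         *   } else if (mme_ue->nas_eps.type == MME_EPS_TYPE_TAU_REQUEST) {
         *       r = nas_eps_send_tau_accept(mme_ue,
         *               S1AP_ProcedureCode_id_InitialContextSetup);
         *       ogs_expect(r == OGS_OK);
         *       ogs_assert(r != OGS_ERROR);
         *   } else {
         *       ogs_error("Invalid Type[%d]", mme_ue->nas_eps.type);
         *       return OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED;
         *   }
         *
         * If you perform step 7 Detach request/accept here,
         * the NAS-Type becomes Detach Request and the EMM state changes
         * to emm_state_de_registered().
         *
         * Since the PDN, which is an ESM message that was previously queued,
         * should not be processed in de_registered, the message is ignored
         * through error handling below.
         *
         * Otherwise, MME will crash because there is no active bearer
         * in the initial_context_setup_request build process.
         *
         * See the code below in 's1ap-build.c' for where the crash occurs.
         *   ogs_list_for_each(&mme_ue->sess_list, sess) {
         *       ogs_list_for_each(&sess->bearer_list, bearer) {
         *           ...
         *           if (mme_ue->nas_eps.type == MME_EPS_TYPE_ATTACH_REQUEST) {
         *           } else if (OGS_FSM_CHECK(&bearer->sm, esm_state_inactive)) {
         *               ogs_warn("No active EPS bearer [%d]", bearer->ebi);
         *               ogs_warn(" IMSI[%s] NAS-EPS Type[%d] "
         *                       "ENB_UE_S1AP_ID[%d] MME_UE_S1AP_ID[%d]",
         *                       mme_ue->imsi_bcd, mme_ue->nas_eps.type,
         *                       enb_ue->enb_ue_s1ap_id, enb_ue->mme_ue_s1ap_id);
         *               continue;
         *           }
         *           ...
         *       }
         *   }
         */
        if (OGS_FSM_CHECK(&mme_ue->sm, emm_state_de_registered)) {
            ESM_MESSAGE_CHECK;
            MME_UE_CHECK(OGS_LOG_ERROR, mme_ue);
            ogs_pkbuf_free(pkbuf);
            break;
        } else if (OGS_FSM_CHECK(&mme_ue->sm, emm_state_authentication)) {
            ESM_MESSAGE_CHECK;
            MME_UE_CHECK(OGS_LOG_ERROR, mme_ue);
            ogs_pkbuf_free(pkbuf);
            break;
        } else if (OGS_FSM_CHECK(&mme_ue->sm, emm_state_security_mode)) {
            ESM_MESSAGE_CHECK;
            MME_UE_CHECK(OGS_LOG_ERROR, mme_ue);
            ogs_pkbuf_free(pkbuf);
            break;
        } else if (OGS_FSM_CHECK(&mme_ue->sm,
                    emm_state_initial_context_setup)) {
            /* ESM messages are processed in this state. */
        } else if (OGS_FSM_CHECK(&mme_ue->sm, emm_state_registered)) {
            /* ESM messages are processed in this state. */
        } else if (OGS_FSM_CHECK(&mme_ue->sm, emm_state_exception)) {
            ESM_MESSAGE_CHECK;
            MME_UE_CHECK(OGS_LOG_ERROR, mme_ue);
            ogs_pkbuf_free(pkbuf);
            break;
        }

        bearer = mme_bearer_find_or_add_by_message(
                    mme_ue, &nas_message, e->create_action);
        if (!bearer) {
            ogs_pkbuf_free(pkbuf);
            break;
        }

        sess = bearer->sess;
        ogs_assert(sess);
        default_bearer = mme_default_bearer_in_sess(sess);
        ogs_assert(default_bearer);

        e->bearer = bearer;
        e->nas_message = &nas_message;

        ogs_fsm_dispatch(&bearer->sm, e);
        if (OGS_FSM_CHECK(&bearer->sm, esm_state_bearer_deactivated)) {
            if (default_bearer->ebi == bearer->ebi) {
                /* if the bearer is a default bearer,
                 * remove all session context linked the default bearer */
                MME_SESS_CLEAR(sess);
            } else {
                /* if the bearer is not a default bearer,
                 * just remove the bearer context */
                mme_bearer_remove(bearer);
            }

        } else if (OGS_FSM_CHECK(&bearer->sm, esm_state_pdn_did_disconnect)) {
            ogs_assert(default_bearer->ebi == bearer->ebi);
            MME_SESS_CLEAR(sess);

        } else if (OGS_FSM_CHECK(&bearer->sm, esm_state_exception)) {
            /*
             * The UE requested the wrong APN.
             *
             * From the Issues #568, MME need to accept further service request.
             * To do this, we are not going to release UE context.
             *
             * Just we'll remove MME session context.
             */
            MME_SESS_CLEAR(sess);
        }

        ogs_pkbuf_free(pkbuf);
        break;

    case MME_EVENT_ESM_TIMER:
        bearer = e->bearer;
        ogs_assert(bearer);
        ogs_assert(OGS_FSM_STATE(&bearer->sm));

        ogs_fsm_dispatch(&bearer->sm, e);
        break;

    case MME_EVENT_S6A_MESSAGE:
        s6a_message = e->s6a_message;
        ogs_assert(s6a_message);

        /*
         * A race condition can occur in the following situations.
         * In conclusion, we can use this situation to determine
         * whether or not the UE Context has been removed and avoiding a crash.
         *
         * For example, suppose a UE Context is removed in the followings.
         *
         * 1. Attach Request
         * 2. Authentication-Information-Request
         * 3. Authentication-Information-Answer
         * 4. Authentication Request
         * 5. Authentication Response(MAC Failed)
         * 6. Authentication Reject
         * 7. UEContextReleaseCommand
         * 8. UEContextReleaseComplete
         *
         * The MME then sends a Purge-UE-request to the HSS and deletes
         * the UE context as soon as it receives a Purge-UE-Answer.
         *
         * Suppose an Attach Request is received from the same UE
         * between Purge-UE-Request/Answer, then the MME and HSS start
         * the Authentication-Information-Request/Answer process.
         *
         * This can lead to the following situations.
         *
         * 1. Purge-UE-Request
         * 2. Attach Request
         * 3. Authentication-Information-Request
         * 4. Purge-UE-Answer
         * 5. [UE Context Removed]
         * 6. Authentication-Information-Answer
         *
         * Since the UE Context has already been deleted
         * when the Authentication-Information-Answer is received,
         * it cannot be processed properly.
         *
         * Therefore, mme_ue_cycle() is used to check
         * whether the UE Context has been deleted and
         * decide whether to process or
         * ignore the Authentication-Information-Answer as shown below.
         */
        mme_ue = mme_ue_cycle(e->mme_ue);
        if (!mme_ue) {
            ogs_error("UE(mme-ue) context has already been removed");
            goto cleanup;
        }

        enb_ue = enb_ue_cycle(e->enb_ue);
        /*
         * The 'enb_ue' context is not checked
         * because the status is checked in the sending routine.
         */

        switch (s6a_message->cmd_code) {
        case OGS_DIAM_S6A_CMD_CODE_AUTHENTICATION_INFORMATION:
            ogs_debug("OGS_DIAM_S6A_CMD_CODE_AUTHENTICATION_INFORMATION");
            emm_cause = mme_s6a_handle_aia(mme_ue, s6a_message);
            if (emm_cause != OGS_NAS_EMM_CAUSE_REQUEST_ACCEPTED) {
                ogs_info("[%s] Attach reject [OGS_NAS_EMM_CAUSE:%d]",
                        mme_ue->imsi_bcd, emm_cause);
                r = nas_eps_send_attach_reject(
                        enb_ue, mme_ue, emm_cause,
                        OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
                ogs_expect(r == OGS_OK);
                ogs_assert(r != OGS_ERROR);

                r = s1ap_send_ue_context_release_command(enb_ue,
                        S1AP_Cause_PR_nas, S1AP_CauseNas_normal_release,
                        S1AP_UE_CTX_REL_UE_CONTEXT_REMOVE, 0);
                ogs_expect(r == OGS_OK);
                ogs_assert(r != OGS_ERROR);
            }
            break;
        case OGS_DIAM_S6A_CMD_CODE_UPDATE_LOCATION:
            ogs_debug("OGS_DIAM_S6A_CMD_CODE_UPDATE_LOCATION");
            emm_cause = mme_s6a_handle_ula(mme_ue, s6a_message);
            if (emm_cause != OGS_NAS_EMM_CAUSE_REQUEST_ACCEPTED) {
                if (mme_ue->nas_eps.type == MME_EPS_TYPE_ATTACH_REQUEST) {
                    ogs_info("[%s] Attach reject [OGS_NAS_EMM_CAUSE:%d]",
                            mme_ue->imsi_bcd, emm_cause);
                    r = nas_eps_send_attach_reject(
                            enb_ue, mme_ue, emm_cause,
                            OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED);
                    ogs_expect(r == OGS_OK);
                    ogs_assert(r != OGS_ERROR);
                } else if (mme_ue->nas_eps.type == MME_EPS_TYPE_TAU_REQUEST) {
                    ogs_info("[%s] TAU reject [OGS_NAS_EMM_CAUSE:%d]",
                            mme_ue->imsi_bcd, emm_cause);
                    r = nas_eps_send_tau_reject(
                            enb_ue, mme_ue, emm_cause);
                    ogs_expect(r == OGS_OK);
                    ogs_assert(r != OGS_ERROR);
                } else
                    ogs_error("Invalid Type[%d]", mme_ue->nas_eps.type);

                /*
                 * enb_ue is the unchecked result of enb_ue_cycle() and is
                 * presumably NULL when the S1 context is already gone, so
                 * it must not be dereferenced without a guard. Without an
                 * S1 context the action falls back to S1_CONTEXT_REMOVE;
                 * enb_ue itself is still passed to the sending routine
                 * exactly as before.
                 */
                r = s1ap_send_ue_context_release_command(enb_ue,
                        S1AP_Cause_PR_nas, S1AP_CauseNas_normal_release,
                        (enb_ue && mme_ue_cycle(enb_ue->mme_ue)) ?
                            S1AP_UE_CTX_REL_UE_CONTEXT_REMOVE :
                            S1AP_UE_CTX_REL_S1_CONTEXT_REMOVE, 0);
                ogs_expect(r == OGS_OK);
                ogs_assert(r != OGS_ERROR);
            }
            break;
        case OGS_DIAM_S6A_CMD_CODE_PURGE_UE:
            ogs_debug("OGS_DIAM_S6A_CMD_CODE_PURGE_UE");
            mme_s6a_handle_pua(mme_ue, s6a_message);
            break;
        case OGS_DIAM_S6A_CMD_CODE_CANCEL_LOCATION:
            ogs_debug("OGS_DIAM_S6A_CMD_CODE_CANCEL_LOCATION");
            mme_s6a_handle_clr(mme_ue, s6a_message);
            break;
        case OGS_DIAM_S6A_CMD_CODE_INSERT_SUBSCRIBER_DATA:
            ogs_debug("OGS_DIAM_S6A_CMD_CODE_INSERT_SUBSCRIBER_DATA");
            mme_s6a_handle_idr(mme_ue, s6a_message);
            break;
        default:
            ogs_error("Invalid Type[%d]", s6a_message->cmd_code);
            break;
        }

cleanup:
        /* Reached on every path of this case, including the
         * "context already removed" early exit above. */
        ogs_subscription_data_free(&s6a_message->idr_message.subscription_data);
        ogs_subscription_data_free(&s6a_message->ula_message.subscription_data);
        ogs_free(s6a_message);
        break;

    case MME_EVENT_S11_MESSAGE:
        pkbuf = e->pkbuf;
        ogs_assert(pkbuf);

        if (ogs_gtp2_parse_msg(&gtp_message, pkbuf) != OGS_OK) {
            ogs_error("ogs_gtp2_parse_msg() failed");
            ogs_pkbuf_free(pkbuf);
            break;
        }

        gnode = e->gnode;
        ogs_assert(gnode);

        rv = ogs_gtp_xact_receive(gnode, &gtp_message.h, &xact);
        if (rv != OGS_OK) {
            ogs_pkbuf_free(pkbuf);
            break;
        }

        /*
         * 5.5.2 in spec 29.274
         *
         * If a peer's TEID is not available, the TEID field still shall be
         * present in the header and its value shall be set to "0" in the
         * following messages:
         *
         * - Create Session Request message on S2a/S2b/S5/S8
         *
         * - Create Session Request message on S4/S11, if for a given UE,
         *   the SGSN/MME has not yet obtained the Control TEID of the SGW.
         *
         * - If a node receives a message and the TEID-C in the GTPv2 header of
         *   the received message is not known, it shall respond with
         *   "Context not found" Cause in the corresponding response message
         *   to the sender, the TEID used in the GTPv2-C header in the response
         *   message shall be then set to zero.
         *
         * - If a node receives a request message containing protocol error,
         *   e.g. Mandatory IE missing, which requires the receiver to reject
         *   the message as specified in clause 7.7, it shall reject
         *   the request message. For the response message, the node should
         *   look up the remote peer's TEID and accordingly set the GTPv2-C
         *   header TEID and the message cause code. As an implementation
         *   option, the node may not look up the remote peer's TEID and
         *   set the GTPv2-C header TEID to zero in the response message.
         *   However in this case, the cause code shall not be set to
         *   "Context not found".
         */
        if (gtp_message.h.teid_presence && gtp_message.h.teid != 0) {
            /* Cause is not "Context not found" */
            mme_ue = mme_ue_find_by_s11_local_teid(gtp_message.h.teid);
        } else if (xact->local_teid) { /* rx no TEID or TEID=0 */
            /* 3GPP TS 29.274 5.5.2: we receive TEID=0 under some
             * conditions, such as cause "Session context not found". In those
             * cases, we still want to identify the local session which
             * originated the message, so try harder by using the TEID we
             * locally stored in xact when sending the original request: */
            mme_ue = mme_ue_find_by_s11_local_teid(xact->local_teid);
        }

        /*
         * mme_ue stays NULL when neither lookup above runs or matches.
         * It is passed on as-is; the handlers below are presumably
         * responsible for rejecting a missing context - verify in
         * mme-s11-handler.c.
         */
        switch (gtp_message.h.type) {
        case OGS_GTP2_ECHO_REQUEST_TYPE:
            mme_s11_handle_echo_request(xact, &gtp_message.echo_request);
            break;
        case OGS_GTP2_ECHO_RESPONSE_TYPE:
            mme_s11_handle_echo_response(xact, &gtp_message.echo_response);
            break;
        case OGS_GTP2_CREATE_SESSION_RESPONSE_TYPE:
            if (!gtp_message.h.teid_presence) ogs_error("No TEID");
            mme_s11_handle_create_session_response(
                xact, mme_ue, &gtp_message.create_session_response);
            break;
        case OGS_GTP2_MODIFY_BEARER_RESPONSE_TYPE:
            if (!gtp_message.h.teid_presence) ogs_error("No TEID");
            mme_s11_handle_modify_bearer_response(
                xact, mme_ue, &gtp_message.modify_bearer_response);
            break;
        case OGS_GTP2_DELETE_SESSION_RESPONSE_TYPE:
            if (!gtp_message.h.teid_presence) ogs_error("No TEID");
            mme_s11_handle_delete_session_response(
                xact, mme_ue, &gtp_message.delete_session_response);
            break;
        case OGS_GTP2_CREATE_BEARER_REQUEST_TYPE:
            mme_s11_handle_create_bearer_request(
                xact, mme_ue, &gtp_message.create_bearer_request);
            break;
        case OGS_GTP2_UPDATE_BEARER_REQUEST_TYPE:
            mme_s11_handle_update_bearer_request(
                xact, mme_ue, &gtp_message.update_bearer_request);
            break;
        case OGS_GTP2_DELETE_BEARER_REQUEST_TYPE:
            mme_s11_handle_delete_bearer_request(
                xact, mme_ue, &gtp_message.delete_bearer_request);
            break;
        case OGS_GTP2_RELEASE_ACCESS_BEARERS_RESPONSE_TYPE:
            if (!gtp_message.h.teid_presence) ogs_error("No TEID");
            mme_s11_handle_release_access_bearers_response(
                xact, mme_ue, &gtp_message.release_access_bearers_response);
            break;
        case OGS_GTP2_DOWNLINK_DATA_NOTIFICATION_TYPE:
            mme_s11_handle_downlink_data_notification(
                xact, mme_ue, &gtp_message.downlink_data_notification);
            break;
        case OGS_GTP2_CREATE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE:
            if (!gtp_message.h.teid_presence) ogs_error("No TEID");
            mme_s11_handle_create_indirect_data_forwarding_tunnel_response(
                xact, mme_ue,
                &gtp_message.create_indirect_data_forwarding_tunnel_response);
            break;
        case OGS_GTP2_DELETE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE:
            if (!gtp_message.h.teid_presence) ogs_error("No TEID");
            mme_s11_handle_delete_indirect_data_forwarding_tunnel_response(
                xact, mme_ue,
                &gtp_message.delete_indirect_data_forwarding_tunnel_response);
            break;
        case OGS_GTP2_BEARER_RESOURCE_FAILURE_INDICATION_TYPE:
            if (!gtp_message.h.teid_presence) ogs_error("No TEID");
            mme_s11_handle_bearer_resource_failure_indication(
                xact, mme_ue,
                &gtp_message.bearer_resource_failure_indication);
            break;
        default:
            ogs_warn("Not implemented(type:%d)", gtp_message.h.type);
            break;
        }
        ogs_pkbuf_free(pkbuf);
        break;

    case MME_EVENT_S11_TIMER:
        sgw_ue = e->sgw_ue;
        ogs_assert(sgw_ue);
        mme_ue = sgw_ue->mme_ue;
        ogs_assert(mme_ue);

        switch (e->timer_id) {
        case MME_TIMER_S11_HOLDING:
            /* Count one pending Delete Session Request per session. */
            GTP_COUNTER_CLEAR(mme_ue,
                    GTP_COUNTER_DELETE_SESSION_BY_PATH_SWITCH);

            ogs_list_for_each(&mme_ue->sess_list, sess) {
                GTP_COUNTER_INCREMENT(
                    mme_ue, GTP_COUNTER_DELETE_SESSION_BY_PATH_SWITCH);

                ogs_assert(OGS_OK ==
                    mme_gtp_send_delete_session_request(
                        sgw_ue, sess,
                        OGS_GTP_DELETE_IN_PATH_SWITCH_REQUEST));
            }
            break;

        default:
            ogs_error("Unknown timer[%s:%d]",
                    mme_timer_get_name(e->timer_id), e->timer_id);
        }
        break;

    case MME_EVENT_GN_MESSAGE:
        pkbuf = e->pkbuf;
        ogs_assert(pkbuf);

        if (ogs_gtp1_parse_msg(&gtp1_message, pkbuf) != OGS_OK) {
            ogs_error("ogs_gtp1_parse_msg() failed");
            ogs_pkbuf_free(pkbuf);
            break;
        }

        gnode = e->gnode;
        ogs_assert(gnode);

        rv = ogs_gtp1_xact_receive(gnode, &gtp1_message.h, &xact);
        if (rv != OGS_OK) {
            ogs_pkbuf_free(pkbuf);
            break;
        }

        if (gtp1_message.h.teid != 0) {
            /* Cause is not "Context not found" */
            mme_ue = mme_ue_find_by_gn_local_teid(gtp1_message.h.teid);
        } else if (xact->local_teid) { /* rx no TEID or TEID=0 */
            /* Try harder by using the TEID we locally stored in xact when
             * sending the original request: */
            mme_ue = mme_ue_find_by_gn_local_teid(xact->local_teid);
        }

        switch (gtp1_message.h.type) {
        case OGS_GTP1_ECHO_REQUEST_TYPE:
            mme_gn_handle_echo_request(xact, &gtp1_message.echo_request);
            break;
        case OGS_GTP1_ECHO_RESPONSE_TYPE:
            mme_gn_handle_echo_response(xact, &gtp1_message.echo_response);
            break;
        case OGS_GTP1_SGSN_CONTEXT_REQUEST_TYPE:
            mme_gn_handle_sgsn_context_request(xact,
                    &gtp1_message.sgsn_context_request);
            break;
        case OGS_GTP1_SGSN_CONTEXT_RESPONSE_TYPE:
            /* 3GPP TS 23.401 Figure D.3.6-1 step 5 */
            rv = mme_gn_handle_sgsn_context_response(xact, mme_ue,
                    &gtp1_message.sgsn_context_response);
            /*
             * mme_ue is NULL when the TEID in the header (or the one
             * stored in xact) matches no UE context, which a peer can
             * trigger with an unknown TEID. The handler call above is
             * kept unchanged (its own NULL handling is not visible
             * here); the state transition must be skipped because it
             * would write through &mme_ue->sm.
             */
            if (!mme_ue) {
                ogs_error("No UE context for SGSN Context Response");
                break;
            }
            if (rv == OGS_GTP1_CAUSE_ACCEPT) {
                OGS_FSM_TRAN(&mme_ue->sm, &emm_state_initial_context_setup);
            } else if (rv == OGS_GTP1_CAUSE_REQUEST_IMEI) {
                OGS_FSM_TRAN(&mme_ue->sm, &emm_state_security_mode);
            } else {
                OGS_FSM_TRAN(&mme_ue->sm, &emm_state_exception);
            }
            break;
        case OGS_GTP1_SGSN_CONTEXT_ACKNOWLEDGE_TYPE:
            mme_gn_handle_sgsn_context_acknowledge(xact, mme_ue,
                    &gtp1_message.sgsn_context_acknowledge);
            break;
        case OGS_GTP1_RAN_INFORMATION_RELAY_TYPE:
            mme_gn_handle_ran_information_relay(xact,
                    &gtp1_message.ran_information_relay);
            break;
        default:
            ogs_warn("Not implemented(type:%d)", gtp1_message.h.type);
            break;
        }
        ogs_pkbuf_free(pkbuf);
        break;

    case MME_EVENT_GN_TIMER:
        mme_ue = e->mme_ue;
        ogs_assert(mme_ue);
        sgw_ue = mme_ue->sgw_ue;
        ogs_assert(sgw_ue);

        switch (e->timer_id) {
        case MME_TIMER_GN_HOLDING:
            /* 3GPP TS 23.401 Annex D.3.5 "Routing Area Update":
             * Step 13. "When the timer started in step 2) (see mme_gn_handle_sgsn_context_request()) expires the old MME
             * releases any RAN and Serving GW resources. If the PLMN has configured Secondary RAT usage data reporting,
             * the MME first releases RAN resource before releasing Serving GW resources." */
            GTP_COUNTER_CLEAR(mme_ue,
                    GTP_COUNTER_DELETE_SESSION_BY_PATH_SWITCH);

            ogs_list_for_each(&mme_ue->sess_list, sess) {
                GTP_COUNTER_INCREMENT(
                    mme_ue, GTP_COUNTER_DELETE_SESSION_BY_PATH_SWITCH);

                ogs_assert(OGS_OK ==
                    mme_gtp_send_delete_session_request(
                        sgw_ue, sess,
                        OGS_GTP_DELETE_IN_PATH_SWITCH_REQUEST));
            }
            break;

        default:
            ogs_error("Unknown timer[%s:%d]",
                    mme_timer_get_name(e->timer_id), e->timer_id);
        }
        break;

    case MME_EVENT_SGSAP_LO_SCTP_COMM_UP:
        sock = e->sock;
        ogs_assert(sock);
        addr = e->addr;
        ogs_assert(addr);

        ogs_assert(addr->ogs_sa_family == AF_INET ||
                addr->ogs_sa_family == AF_INET6);

        max_num_of_ostreams = e->max_num_of_ostreams;

        vlr = mme_vlr_find_by_addr(addr);
        ogs_free(addr);

        ogs_assert(vlr);
        ogs_assert(OGS_FSM_STATE(&vlr->sm));

        vlr->max_num_of_ostreams =
                ogs_min(max_num_of_ostreams, vlr->max_num_of_ostreams);

        ogs_debug("VLR-SGs SCTP_COMM_UP[%s] Max Num of Outbound Streams[%d]",
            OGS_ADDR(vlr->addr, buf), vlr->max_num_of_ostreams);

        e->vlr = vlr;
        ogs_fsm_dispatch(&vlr->sm, e);
        break;

    case MME_EVENT_SGSAP_LO_CONNREFUSED:
        sock = e->sock;
        ogs_assert(sock);
        addr = e->addr;
        ogs_assert(addr);

        ogs_assert(addr->ogs_sa_family == AF_INET ||
                addr->ogs_sa_family == AF_INET6);

        vlr = mme_vlr_find_by_addr(addr);
        ogs_free(addr);

        ogs_assert(vlr);
        ogs_assert(OGS_FSM_STATE(&vlr->sm));

        if (OGS_FSM_CHECK(&vlr->sm, sgsap_state_connected)) {
            e->vlr = vlr;
            ogs_fsm_dispatch(&vlr->sm, e);

            ogs_info("VLR-SGs[%s] connection refused!!!",
                    OGS_ADDR(vlr->addr, buf));

        } else {
            ogs_warn("VLR-SGs[%s] connection refused, Already Removed!",
                    OGS_ADDR(vlr->addr, buf));
        }

        break;

    case MME_EVENT_SGSAP_MESSAGE:
        sock = e->sock;
        ogs_assert(sock);
        addr = e->addr;
        ogs_assert(addr);
        pkbuf = e->pkbuf;
        ogs_assert(pkbuf);

        ogs_assert(addr->ogs_sa_family == AF_INET ||
                addr->ogs_sa_family == AF_INET6);

        vlr = mme_vlr_find_by_addr(addr);
        ogs_free(addr);

        ogs_assert(vlr);
        ogs_assert(OGS_FSM_STATE(&vlr->sm));

        e->vlr = vlr;
        ogs_fsm_dispatch(&vlr->sm, e);

        ogs_pkbuf_free(pkbuf);
        break;

    case MME_EVENT_SGSAP_TIMER:
        vlr = e->vlr;
        ogs_assert(vlr);
        ogs_assert(OGS_FSM_STATE(&vlr->sm));

        ogs_fsm_dispatch(&vlr->sm, e);
        break;

    default:
        ogs_error("No handler for event %s", mme_event_get_name(e));
        break;
    }
}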