forked from acouzens/open5gs
3f0979dab2
Because a race condition can occur between S6A Diameter and S1AP message,
the following error handling code has been added.
1. InitialUEMessage + Attach Request + PDN Connectivity request
2. Authentication-Information-Request/Authentication-Information-Answer
3. Authentication Request/Response
4. Security-mode command/complete
5. Update-Location-Request/Update-Location-Answer
6. Detach request/accept
In the ULR/ULA process in step 6, the PDN Connectivity request is
pushed to the queue as an ESM_MESSAGE because the NAS-Type is still
an Attach Request.
See the code below in 'mme-s6a-handler.c' for where the queue is pushed.
if (mme_ue->nas_eps.type == MME_EPS_TYPE_ATTACH_REQUEST) {
rv = nas_eps_send_emm_to_esm(mme_ue,
&mme_ue->pdn_connectivity_request);
if (rv != OGS_OK) {
ogs_error("nas_eps_send_emm_to_esm() failed");
return OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED;
}
} else if (mme_ue->nas_eps.type == MME_EPS_TYPE_TAU_REQUEST) {
r = nas_eps_send_tau_accept(mme_ue,
S1AP_ProcedureCode_id_InitialContextSetup);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
} else {
ogs_error("Invalid Type[%d]", mme_ue->nas_eps.type);
return OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED;
}
If you perform step 7 Detach request/accept here,
the NAS-Type becomes Detach Request and the EMM state changes
to emm_state_de_registered().
Since the PDN, which is an ESM message that was previously queued,
should not be processed in de_registered, the message is ignored
through error handling below.
Otherwise, MME will crash because there is no active bearer
in the initial_context_setup_request build process.
See the code below in 's1ap-build.c' for where the crash occurs.
ogs_list_for_each(&mme_ue->sess_list, sess) {
ogs_list_for_each(&sess->bearer_list, bearer) {
...
if (mme_ue->nas_eps.type == MME_EPS_TYPE_ATTACH_REQUEST) {
} else if (OGS_FSM_CHECK(&bearer->sm, esm_state_inactive)) {
ogs_warn("No active EPS bearer [%d]", bearer->ebi);
ogs_warn(" IMSI[%s] NAS-EPS Type[%d] "
"ENB_UE_S1AP_ID[%d] MME_UE_S1AP_ID[%d]",
mme_ue->imsi_bcd, mme_ue->nas_eps.type,
enb_ue->enb_ue_s1ap_id, enb_ue->mme_ue_s1ap_id);
continue;
}
...
}
}
|
||
|---|---|---|
| .. | ||
| abts.c | ||
| abts.h | ||
| arc4random.c | ||
| meson.build | ||
| ogs-abort.c | ||
| ogs-abort.h | ||
| ogs-compat.h | ||
| ogs-conv.c | ||
| ogs-conv.h | ||
| ogs-core.c | ||
| ogs-core.h | ||
| ogs-env.c | ||
| ogs-env.h | ||
| ogs-epoll.c | ||
| ogs-errno.c | ||
| ogs-errno.h | ||
| ogs-file.c | ||
| ogs-file.h | ||
| ogs-fsm.c | ||
| ogs-fsm.h | ||
| ogs-getopt.c | ||
| ogs-getopt.h | ||
| ogs-hash.c | ||
| ogs-hash.h | ||
| ogs-kqueue.c | ||
| ogs-list.h | ||
| ogs-log.c | ||
| ogs-log.h | ||
| ogs-macros.h | ||
| ogs-memory.c | ||
| ogs-memory.h | ||
| ogs-misc.c | ||
| ogs-misc.h | ||
| ogs-notify.c | ||
| ogs-notify.h | ||
| ogs-pkbuf.c | ||
| ogs-pkbuf.h | ||
| ogs-poll-private.h | ||
| ogs-poll.c | ||
| ogs-poll.h | ||
| ogs-pool.h | ||
| ogs-process.c | ||
| ogs-process.h | ||
| ogs-queue.c | ||
| ogs-queue.h | ||
| ogs-rand.c | ||
| ogs-rand.h | ||
| ogs-rbtree.c | ||
| ogs-rbtree.h | ||
| ogs-select.c | ||
| ogs-signal.c | ||
| ogs-signal.h | ||
| ogs-sockaddr.c | ||
| ogs-sockaddr.h | ||
| ogs-socket.c | ||
| ogs-socket.h | ||
| ogs-socknode.c | ||
| ogs-socknode.h | ||
| ogs-sockopt.c | ||
| ogs-sockopt.h | ||
| ogs-sockpair.c | ||
| ogs-sockpair.h | ||
| ogs-strings.c | ||
| ogs-strings.h | ||
| ogs-tcp.c | ||
| ogs-tcp.h | ||
| ogs-thread.c | ||
| ogs-thread.h | ||
| ogs-time.c | ||
| ogs-time.h | ||
| ogs-timer.c | ||
| ogs-timer.h | ||
| ogs-tlv-msg.c | ||
| ogs-tlv-msg.h | ||
| ogs-tlv.c | ||
| ogs-tlv.h | ||
| ogs-udp.c | ||
| ogs-udp.h | ||
| ogs-uuid.c | ||
| ogs-uuid.h | ||