forked from acouzens/open5gs
3f0979dab2
Because a race condition can occur between S6A Diameter and S1AP message,
the following error handling code has been added.
1. InitialUEMessage + Attach Request + PDN Connectivity request
2. Authentication-Information-Request/Authentication-Information-Answer
3. Authentication Request/Response
4. Security-mode command/complete
5. Update-Location-Request/Update-Location-Answer
6. Detach request/accept
In the ULR/ULA process in step 6, the PDN Connectivity request is
pushed to the queue as an ESM_MESSAGE because the NAS-Type is still
an Attach Request.
See the code below in 'mme-s6a-handler.c' for where the queue is pushed.
if (mme_ue->nas_eps.type == MME_EPS_TYPE_ATTACH_REQUEST) {
rv = nas_eps_send_emm_to_esm(mme_ue,
&mme_ue->pdn_connectivity_request);
if (rv != OGS_OK) {
ogs_error("nas_eps_send_emm_to_esm() failed");
return OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED;
}
} else if (mme_ue->nas_eps.type == MME_EPS_TYPE_TAU_REQUEST) {
r = nas_eps_send_tau_accept(mme_ue,
S1AP_ProcedureCode_id_InitialContextSetup);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
} else {
ogs_error("Invalid Type[%d]", mme_ue->nas_eps.type);
return OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED;
}
If you perform step 7 Detach request/accept here,
the NAS-Type becomes Detach Request and the EMM state changes
to emm_state_de_registered().
Since the PDN, which is an ESM message that was previously queued,
should not be processed in de_registered, the message is ignored
through error handling below.
Otherwise, MME will crash because there is no active bearer
in the initial_context_setup_request build process.
See the code below in 's1ap-build.c' for where the crash occurs.
ogs_list_for_each(&mme_ue->sess_list, sess) {
ogs_list_for_each(&sess->bearer_list, bearer) {
...
if (mme_ue->nas_eps.type == MME_EPS_TYPE_ATTACH_REQUEST) {
} else if (OGS_FSM_CHECK(&bearer->sm, esm_state_inactive)) {
ogs_warn("No active EPS bearer [%d]", bearer->ebi);
ogs_warn(" IMSI[%s] NAS-EPS Type[%d] "
"ENB_UE_S1AP_ID[%d] MME_UE_S1AP_ID[%d]",
mme_ue->imsi_bcd, mme_ue->nas_eps.type,
enb_ue->enb_ue_s1ap_id, enb_ue->mme_ue_s1ap_id);
continue;
}
...
}
}
|
||
|---|---|---|
| .. | ||
| app-init.c | ||
| emm-build.c | ||
| emm-build.h | ||
| emm-handler.c | ||
| emm-handler.h | ||
| emm-sm.c | ||
| esm-build.c | ||
| esm-build.h | ||
| esm-handler.c | ||
| esm-handler.h | ||
| esm-sm.c | ||
| meson.build | ||
| metrics.c | ||
| metrics.h | ||
| mme-context.c | ||
| mme-context.h | ||
| mme-event.c | ||
| mme-event.h | ||
| mme-fd-path.c | ||
| mme-fd-path.h | ||
| mme-gn-build.c | ||
| mme-gn-build.h | ||
| mme-gn-handler.c | ||
| mme-gn-handler.h | ||
| mme-gtp-path.c | ||
| mme-gtp-path.h | ||
| mme-init.c | ||
| mme-path.c | ||
| mme-path.h | ||
| mme-s6a-handler.c | ||
| mme-s6a-handler.h | ||
| mme-s11-build.c | ||
| mme-s11-build.h | ||
| mme-s11-handler.c | ||
| mme-s11-handler.h | ||
| mme-sm.c | ||
| mme-sm.h | ||
| mme-timer.c | ||
| mme-timer.h | ||
| nas-path.c | ||
| nas-path.h | ||
| nas-security.c | ||
| nas-security.h | ||
| s1ap-build.c | ||
| s1ap-build.h | ||
| s1ap-handler.c | ||
| s1ap-handler.h | ||
| s1ap-path.c | ||
| s1ap-path.h | ||
| s1ap-sctp.c | ||
| s1ap-sm.c | ||
| sbc-handler.c | ||
| sbc-handler.h | ||
| sbc-message.h | ||
| sgsap-build.c | ||
| sgsap-build.h | ||
| sgsap-conv.c | ||
| sgsap-conv.h | ||
| sgsap-handler.c | ||
| sgsap-handler.h | ||
| sgsap-path.c | ||
| sgsap-path.h | ||
| sgsap-sctp.c | ||
| sgsap-sm.c | ||
| sgsap-types.h | ||