gbproxy: Reset IMSI acquisition and free stored messages in tlli_info

Currently the stored messages are only removed, when IMSI acquisition has succeeded. In addition, receiving two ATTACH_REQ messages in sequence (e.g. due to loss of a Identity Req/Resp message) will not restart the IMSI acquisition procedure. This patch adds gbproxy_tlli_info_discard_messages() to clean up the message list and calls it from gbproxy_delete_tlli() fixing a potential memory leak. It is also called when an Attach Request message has been received. In that case the imsi_acq_pending flag is cleared, too. This would (re-)trigger the IMSI acquisition procedure at each of these messages. If an Ident Response has been lost, resending the Ident Request with the same N(U) will not work. Therefore the N(U) gets incremented on each Ident Request generated by the gbproxy. The first N(U) used is 256 which shouldn't collide with the V(UT) used by the SGSN given that P-TMSI patching is enabled (since a new random TLLI is used initially on every new (no tlli_info) connection and V(U) starts with zero then). Ticket: OW#1261 Sponsored-by: On-Waves ehf
2014-09-03 11:59:48 +02:00 · 2014-09-03 11:59:48 +02:00 · 31591142e9
parent ea1698e322
commit 31591142e9
4 changed files with 58 additions and 10 deletions
--- a/openbsc/include/openbsc/gb_proxy.h
+++ b/openbsc/include/openbsc/gb_proxy.h
@ -150,6 +150,7 @@ struct gbproxy_tlli_info {

 	int imsi_acq_pending;
 	struct llist_head stored_msgs;
+	int imsi_acq_retries;

 	int enable_patching;
 };
@ -197,6 +198,7 @@ void gbproxy_update_tlli_state_after(
 int gbproxy_remove_stale_tllis(struct gbproxy_peer *peer, time_t now);
 void gbproxy_delete_tlli(struct gbproxy_peer *peer,
 			 struct gbproxy_tlli_info *tlli_info);
+void gbproxy_tlli_info_discard_messages(struct gbproxy_tlli_info *tlli_info);

 struct gbproxy_tlli_info *gbproxy_register_tlli(
 	struct gbproxy_peer *peer, uint32_t tlli,
--- a/openbsc/src/gprs/gb_proxy.c
+++ b/openbsc/src/gprs/gb_proxy.c
@ -253,6 +253,22 @@ uint32_t gbproxy_make_sgsn_tlli(struct gbproxy_peer *peer,
 	return sgsn_tlli;
 }

+/* Returns != 0 iff IMSI acquisition was in progress */
+int gbproxy_reset_imsi_acquisition(struct gbproxy_tlli_info* tlli_info)
+{
+	int in_progress = 0;
+	if (!tlli_info)
+		return 0;
+
+	if (tlli_info->imsi_acq_pending)
+		in_progress = 1;
+
+	gbproxy_tlli_info_discard_messages(tlli_info);
+	tlli_info->imsi_acq_pending = 0;
+
+	return in_progress;
+}
+
 /* patch BSSGP message */
 static int gbprox_process_bssgp_ul(struct gbproxy_config *cfg,
 				   struct msgb *msg,
@ -315,10 +331,21 @@ static int gbprox_process_bssgp_ul(struct gbproxy_config *cfg,
 	gbprox_update_current_raid(parse_ctx.bssgp_raid_enc, peer,
 				   parse_ctx.llc_msg_name);

+	gprs_gb_log_parse_context(&parse_ctx, "BSSGP");
+
+	tlli_info = gbproxy_update_tlli_state_ul(peer, now, &parse_ctx);
+
 	if (parse_ctx.g48_hdr) {
 		switch (parse_ctx.g48_hdr->msg_type) {
 		case GSM48_MT_GMM_ATTACH_REQ:
 			rate_ctr_inc(&peer->ctrg->ctr[GBPROX_PEER_CTR_ATTACH_REQS]);
+			if (gbproxy_reset_imsi_acquisition(tlli_info)) {
+				LOGP(DLLC, LOGL_INFO,
+				     "NSEI=%d(BSS) IMSI acquisition was in progress "
+				     "when receiving an ATTACH_REQ.\n",
+				     msgb_nsei(msg));
+				tlli_info->imsi_acq_retries += 1;
+			}
 			break;

 		default:
@ -326,10 +353,6 @@ static int gbprox_process_bssgp_ul(struct gbproxy_config *cfg,
 		}
 	}

-	gprs_gb_log_parse_context(&parse_ctx, "BSSGP");
-
-	tlli_info = gbproxy_update_tlli_state_ul(peer, now, &parse_ctx);
-
 	if (tlli_info && cfg->route_to_sgsn2 && gbproxy_check_tlli(peer, tlli_info)) {
 		sgsn_nsei = cfg->nsip_sgsn2_nsei;
 		send_msg_directly = 1;
@ -415,8 +438,15 @@ static int gbprox_process_bssgp_ul(struct gbproxy_config *cfg,
 		/* Send IDENT REQ */
 		idreq_msg = gsm48_msgb_alloc();
 		gprs_put_identity_req(idreq_msg, GSM_MI_TYPE_IMSI);
+		/* Workaround to avoid N(U) collisions and to enable a restart
+		 * of the IMSI acquisition procedure. This will work unless the
+		 * SGSN has an initial V(UT) within [256-32, 256+n_retries]
+		 * (see GSM 04.64, 8.4.2).
+		 * TODO: Check whether it is sensible to rely on this, it might
+		 * be an issue when P-TMSI patching is _not_ enabled and the SGSN
+		 * doesn't reset V(UT) after a detach. */
 		gprs_push_llc_ui(idreq_msg, 0, GPRS_SAPI_GMM,
-				 /* TODO: use a real N(U) */0);
+				 (tlli_info->imsi_acq_retries + 256) % 512);
 		gprs_push_bssgp_dl_unitdata(idreq_msg, tlli_info->tlli.current);
 		gbprox_relay2peer(idreq_msg, peer, msgb_bvci(msg));
 		msgb_free(idreq_msg);
--- a/openbsc/src/gprs/gb_proxy_tlli.c
+++ b/openbsc/src/gprs/gb_proxy_tlli.c
@ -98,11 +98,23 @@ struct gbproxy_tlli_info *gbproxy_find_tlli_by_mi(
 	return NULL;
 }

+void gbproxy_tlli_info_discard_messages(struct gbproxy_tlli_info *tlli_info)
+{
+	struct msgb *msg, *nxt;
+
+	llist_for_each_entry_safe(msg, nxt, &tlli_info->stored_msgs, list) {
+		llist_del(&msg->list);
+		msgb_free(msg);
+	}
+}
+
 void gbproxy_delete_tlli(struct gbproxy_peer *peer,
 			 struct gbproxy_tlli_info *tlli_info)
 {
 	struct gbproxy_patch_state *state = &peer->patch_state;

+	gbproxy_tlli_info_discard_messages(tlli_info);
+
 	llist_del(&tlli_info->list);
 	talloc_free(tlli_info);
 	state->enabled_tllis_count -= 1;
--- a/openbsc/tests/gbproxy/gbproxy_test.ok
+++ b/openbsc/tests/gbproxy/gbproxy_test.ok
@ -2617,7 +2617,7 @@ CALLBACK, event 0, msg length 75, bvci 0x1002

 NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 24 (gprs_ns_sendmsg)
 MESSAGE to BSS at 0x01020304:1111, msg length 28
-00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c0 01 08 15 01 ff 6c ba 
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c4 01 08 15 01 b7 f8 36 

 result (ATTACH REQUEST) = 0

@ -3008,7 +3008,7 @@ CALLBACK, event 0, msg length 75, bvci 0x1002

 NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 24 (gprs_ns_sendmsg)
 MESSAGE to BSS at 0x01020304:1111, msg length 28
-00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c0 01 08 15 01 ff 6c ba 
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c4 01 08 15 01 b7 f8 36 

 result (ATTACH REQUEST) = 0

@ -3018,6 +3018,10 @@ PROCESSING ATTACH REQUEST from 0x01020304:1111
 CALLBACK, event 0, msg length 75, bvci 0x1002
 00 00 10 02 01 80 00 de ad 00 00 04 08 88 00 f1 99 00 63 60 12 34 00 80 0e 00 34 01 c0 19 08 01 02 f5 e0 21 08 02 05 f4 fb c5 46 79 11 22 33 40 50 60 19 18 b3 43 2b 25 96 62 00 60 80 9a c2 c6 62 00 60 80 ba c8 c6 62 00 60 80 00 b6 33 df 

+NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 24 (gprs_ns_sendmsg)
+MESSAGE to BSS at 0x01020304:1111, msg length 28
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c4 05 08 15 01 8f 47 9e 
+
 result (ATTACH REQUEST) = 0

 Peers:
@ -3030,7 +3034,7 @@ Peers:
    Attach Request count            : 3
    TLLI cache size                 : 1
    TLLI-Cache: 1
-      TLLI 8000dead -> 7eb52dfb, IMSI (none), AGE 0, STORED 2, IMSI acquisition in progress
+      TLLI 8000dead -> 7eb52dfb, IMSI (none), AGE 0, STORED 1, IMSI acquisition in progress
 Gbproxy global:
    Invalid Routing Area Identifier : 1
    BSSGP protocol error      (SGSN): 1
@ -3270,7 +3274,7 @@ CALLBACK, event 0, msg length 75, bvci 0x1002

 NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 24 (gprs_ns_sendmsg)
 MESSAGE to BSS at 0x01020304:1111, msg length 28
-00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c0 01 08 15 01 ff 6c ba 
+00 00 10 02 00 80 00 de ad 00 50 20 16 82 02 58 0e 00 09 41 c4 01 08 15 01 b7 f8 36 

 result (ATTACH REQUEST) = 0

@ -3573,7 +3577,7 @@ CALLBACK, event 0, msg length 75, bvci 0x1002

 NS UNITDATA MESSAGE to BSS, BVCI 0x1002, msg length 24 (gprs_ns_sendmsg)
 MESSAGE to BSS at 0x01020304:1111, msg length 28
-00 00 10 02 00 80 00 be ef 00 50 20 16 82 02 58 0e 00 09 41 c0 01 08 15 01 ff 6c ba 
+00 00 10 02 00 80 00 be ef 00 50 20 16 82 02 58 0e 00 09 41 c4 01 08 15 01 b7 f8 36 

 result (ATTACH REQUEST) = 0