pespin has submitted this change. (
https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/37872?usp=email )
Change subject: sgsn: Introduce test TC_attach_rau_a_b_wrong_old_ra
......................................................................
sgsn: Introduce test TC_attach_rau_a_b_wrong_old_ra
This test reproduces a crash in osmo-sgsn, which is fixed in
osmo-sgsn.git Change-Id I5a4328c6e945b85dd815215724feecadba59c435.
Related: OS#6441
Change-Id: I3ce02f30a1e5becb80ab2a29f6bf5d08dd45b79c
---
M sgsn/SGSN_Tests.ttcn
M sgsn/expected-results.xml
2 files changed, 55 insertions(+), 2 deletions(-)
Approvals:
pespin: Looks good to me, approved
fixeria: Looks good to me, but someone else must approve
Jenkins Builder: Verified
laforge: Looks good to me, but someone else must approve
diff --git a/sgsn/SGSN_Tests.ttcn b/sgsn/SGSN_Tests.ttcn
index cbf50dd..9a50297 100644
--- a/sgsn/SGSN_Tests.ttcn
+++ b/sgsn/SGSN_Tests.ttcn
@@ -18,6 +18,7 @@
import from Osmocom_Types all;
import from GSM_Types all;
import from Native_Functions all;
+import from Misc_Helpers all;
import from NS_Types all;
import from NS_Emulation all;
import from BSSGP_Types all;
@@ -1904,7 +1905,6 @@
f_detach_mo(c_GMM_DTT_MO_GPRS, true, true);
}
-
testcase TC_attach_rau_a_a() runs on test_CT {
/* MS <-> SGSN: Successful Attach
* MS -> SGSN: Routing Area Update Request
@@ -1936,7 +1936,6 @@
f_detach_mo(c_GMM_DTT_MO_GPRS, true, true, 1);
}
-
testcase TC_attach_rau_a_b() runs on test_CT {
/* MS <-> SGSN: Successful Attach
* MS -> SGSN: Routing Area _a_ Update Request
@@ -1953,6 +1952,55 @@
f_cleanup();
}
+/* MS fills wrong Old RA during 2nd RAU. SGSN rejects it. */
+private function f_TC_attach_rau_a_b_wrong_old_ra(charstring id) runs on
BSSGP_ConnHdlr {
+ var integer ran_index := 1;
+ f_TC_attach(id);
+
+ log("attach complete sending rau");
+ f_routing_area_update(g_pars.ra);
+
+ log("rau complete unregistering");
+ f_bssgp_client_unregister(g_pars.imsi);
+ f_bssgp_client_register(g_pars.imsi, g_pars.tlli, BSSGP_PROC[1]);
+
+ log("sending second RAU via different RA with wrong Old RA");
+ var RoutingAreaIdentificationV wrong_old_ra := g_pars.ra;
+ wrong_old_ra.rac := int2oct((oct2int(wrong_old_ra.rac) + 5) / 3, 1);
+ f_send_l3(ts_GMM_RAU_REQ(f_mi_get_lv(), GPRS_UPD_T_RA, old_ra :=
wrong_old_ra), ran_index);
+
+ timer T := 2.0;
+ T.start;
+ alt {
+ [] BSSGP[ran_index].receive(tr_GMM_RAU_REJECT);
+ [] BSSGP[ran_index].receive(tr_LLC_XID_MT_CMD(?, ?)) {
+ /* Ignore XID Reset */
+ repeat;
+ }
+ [] T.timeout {
+ setverdict(fail, "Timeout rx RAU Reject");
+ mtc.stop;
+ }
+ }
+
+ f_detach_mo(c_GMM_DTT_MO_GPRS, true, true, ran_index := ran_index);
+}
+testcase TC_attach_rau_a_b_wrong_old_ra() runs on test_CT {
+ /* MS <-> SGSN: Successful Attach
+ * MS -> SGSN: Routing Area _a_ Update Request
+ * MS <- SGSN: Routing Area _a_ Update Accept
+ * MS -> SGSN: Routing Area _b_ Update Request (Wrong Old Routing Area)
+ * MS <- SGSN: Routing Area _b_ Update Reject
+ * MS -> SGSN: Detach (PowerOff)
+ */
+ var BSSGP_ConnHdlr vc_conn;
+ f_init();
+ f_sleep(1.0);
+ vc_conn := f_start_handler(refers(f_TC_attach_rau_a_b_wrong_old_ra),
testcasename(), g_gb, 39);
+ vc_conn.done;
+ f_cleanup();
+}
+
private function f_TC_attach_gmm_attach_req_while_gmm_attach(charstring id)
runs on BSSGP_ConnHdlr {
var integer count_req := 0;
var MobileIdentityLV mi;
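Review bot: The `wrong_old_ra.rac` derivation in f_TC_attach_rau_a_b_wrong_old_ra does not guarantee a value that differs from the real one. `/` is integer division here, so a RAC of 2 maps to `(2 + 5) / 3 = 2` and the second RAU would carry the correct Old RA. g_pars.ra is set outside this hunk, so whether that value can occur is not visible, but a form that always differs is safer, e.g. `wrong_old_ra.rac := int2oct((oct2int(wrong_old_ra.rac) + 1) mod 256, 1);`. A short comment stating that the result must not match any RA configured for the test would also help, since this test is the regression guard for the osmo-sgsn crash.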
@@ -3177,6 +3225,10 @@
execute( TC_attach_rau() );
execute( TC_attach_rau_a_a() );
execute( TC_attach_rau_a_b() );
+ if (Misc_Helpers.f_osmo_repo_is("nightly")) {
+ /* Will double-free and crash osmo-sgsn <= 1.12.0 */
+ execute( TC_attach_rau_a_b_wrong_old_ra() );
+ }
execute( TC_attach_usim_resync() );
execute( TC_attach_usim_a54_a54() );
execute( TC_attach_usim_a54_a53() );
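Review bot: The gate on `f_osmo_repo_is("nightly")` is keyed to the repository flavour rather than the osmo-sgsn version, so this regression test for the double-free will keep being skipped on non-nightly runs even after a release newer than 1.12.0 ships the fix. I would record the exit condition next to the gate, e.g. `/* TODO: run unconditionally once an osmo-sgsn release > 1.12.0 with the fix is available (OS#6441) */`. The sgsn/expected-results.xml hunk also lists the testcase unconditionally, so it is worth confirming that result comparison on non-nightly runs tolerates the missing entry. The enclosing control part starts and ends outside this hunk.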
diff --git a/sgsn/expected-results.xml b/sgsn/expected-results.xml
index a29467d..40b6592 100644
--- a/sgsn/expected-results.xml
+++ b/sgsn/expected-results.xml
@@ -37,6 +37,7 @@
<testcase classname='SGSN_Tests' name='TC_attach_rau' time='MASKED'/>
<testcase classname='SGSN_Tests' name='TC_attach_rau_a_a' time='MASKED'/>
<testcase classname='SGSN_Tests' name='TC_attach_rau_a_b' time='MASKED'/>
+ <testcase classname='SGSN_Tests' name='TC_attach_rau_a_b_wrong_old_ra'
time='MASKED'/>
<testcase classname='SGSN_Tests' name='TC_attach_usim_resync' time='MASKED'/>
<testcase classname='SGSN_Tests' name='TC_attach_usim_a54_a54'
time='MASKED'/>
<testcase classname='SGSN_Tests' name='TC_attach_usim_a54_a53'
time='MASKED'/>
--
Gerrit-MessageType: merged
Gerrit-Project: osmo-ttcn3-hacks
Gerrit-Branch: master
Gerrit-Change-Id: I3ce02f30a1e5becb80ab2a29f6bf5d08dd45b79c
Gerrit-Change-Number: 37872
Gerrit-PatchSet: 3
Gerrit-Owner: pespin <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel <[email protected]>
Gerrit-Reviewer: fixeria <[email protected]>
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: lynxis lazus <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>