From eddebaad92516009a82dbe016ffeaa8b17e6ec0a Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy
Date: Sat, 28 Dec 2019 17:45:34 +0100
Subject: MSC_Tests.ttcn: introduce TC_mm_id_resp_no_identity

While investigating OS#4340, it was discovered that a malformed MM Identity Request with MI Type '111'B crashes OsmoMSC. Unfortunately, I could not find a way to encode such an invalid message in TITAN (because value '111'B is reserved), so I figured out that '000'B also crashes OsmoMSC. MM Identity Request is triggered by initiating an Update Location Request with reserved TMSI value 'FFFFFFFF'O (unknown to the MSC).

Change-Id: I62f23355eb91df2edf9dc837c928cb86b530b743
Related: OS#4340
---
msc/MSC_Tests.ttcn | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
(limited to 'msc/MSC_Tests.ttcn')
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index e0d9c7ff..c2a5bbb9 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -5778,6 +5778,43 @@ testcase TC_invalid_mgcp_crash() runs on MTC_CT {
 vc_conn.done;
 }
+friend function f_tc_mm_id_resp_no_identity(charstring id, BSC_ConnHdlrPars pars)
+runs on BSC_ConnHdlr {
+ pars.tmsi := 'FFFFFFFF'O;
+ f_init_handler(pars);
+
+ f_create_gsup_expect(hex2str(g_pars.imsi));
+
+ /* Initiate Location Updating using an unknown TMSI */
+ f_bssap_compl_l3(f_build_lu_tmsi(pars.tmsi));
+
+ /* Expect an Identity Request, send response with no identity */
+ BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_MM_ID_Req(CM_ID_TYPE_IMSI)));
+ BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_MM_ID_Rsp({
+ lengthIndicator := 1,
+ mobileIdentityV := {
+ typeOfIdentity := '000'B,
+ oddEvenInd_identity := {
+ no_identity := {
+ oddevenIndicator := '0'B,
+ fillerDigits := '00000'H
+ }
+ }
+ }
+ })));
+
+ f_expect_lu_reject();
+ f_expect_clear();
+}
+testcase TC_mm_id_resp_no_identity() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+
+ f_init();
+
+ vc_conn := f_start_handler(refers(f_tc_mm_id_resp_no_identity), 7);
+ vc_conn.done;
+}
+
 control {
 execute( TC_cr_before_reset() );
 execute( TC_lu_imsi_noauth_tmsi() );
@@ -5910,6 +5947,7 @@ control {
 execute( TC_lu_and_mt_call_osmux() );
 }
 execute( TC_invalid_mgcp_crash() );
+ execute( TC_mm_id_resp_no_identity() );
 }
-- cgit v1.2.3
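Review bot: `f_tc_mm_id_resp_no_identity` in the first hunk has no comment saying it is a regression test for the OsmoMSC crash tracked in OS#4340, or why MI type '000'B stands in for the '111'B value named in the commit message; that reasoning exists only in the commit text. I would add above the function `/* Regression test for OS#4340: an MM Identity Response with MI type '000'B (no identity) must end in LU Reject and Clear, not an MSC crash; the reserved value '111'B cannot be encoded with TITAN. */`. The `lengthIndicator := 1` next to five filler digits also deserves a short comment stating the intended on-wire length, since this hunk does not show whether the encoder keeps that value or recomputes it. The bare `BSSAP.receive(...)` for the Identity Request presumably relies on a default altstep or guard timer set up by `f_init_handler` (not visible here) to fail the test if the MSC answers with something else.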