aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorDaniel Willmann <dwillmann@sysmocom.de>2020-01-30 12:30:40 +0100
committerDaniel Willmann <dwillmann@sysmocom.de>2020-02-04 09:27:20 +0100
commitd999e54aa264254a66de425ccf7edcd68f8420f2 (patch)
tree6f1f2a165cf7d2b20bec62fd219c5124e9eae61c /src
parent394aa533e9e3a744dfe10c2cf01898dabb8d6812 (diff)
gprs_gmm: Check for RAT change and ensure this only happens for RAU/ATT
Diffstat (limited to 'src')
-rw-r--r--src/sgsn/gprs_gmm.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/src/sgsn/gprs_gmm.c b/src/sgsn/gprs_gmm.c
index f62d0d1f..c574dac5 100644
--- a/src/sgsn/gprs_gmm.c
+++ b/src/sgsn/gprs_gmm.c
@@ -1099,6 +1099,16 @@ static inline void ptmsi_update(struct sgsn_mm_ctx *ctx)
osmo_fsm_inst_dispatch(ctx->gmm_fsm, E_GMM_COMMON_PROC_INIT_REQ, NULL);
}
+/* Detect if RAT has changed */
+static bool mmctx_did_rat_change(struct sgsn_mm_ctx *mmctx, struct msgb *msg)
+{
+ if (MSG_IU_UE_CTX(msg) && mmctx->ran_type != MM_CTX_T_UTRAN_Iu)
+ return true;
+ if (!MSG_IU_UE_CTX(msg) && mmctx->ran_type != MM_CTX_T_GERAN_Gb)
+ return true;
+ return false;
+}
+
/* 3GPP TS 24.008 ยง 9.4.1 Attach request */
static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
struct gprs_llc_llme *llme)
@@ -1944,6 +1954,23 @@ int gsm0408_rcv_gmm(struct sgsn_mm_ctx *mmctx, struct msgb *msg,
return rc;
}
+ /* A RAT change is only expected/allowed for RAU/Attach Req */
+ if (mmctx && mmctx_did_rat_change(mmctx, msg)) {
+ switch (gh->msg_type) {
+ case GSM48_MT_GMM_RA_UPD_REQ:
+ case GSM48_MT_GMM_ATTACH_REQ:
+ break;
+ default:
+ /* This shouldn't happen with other message types and
+ * we need to error out to prevent a crash */
+ LOGMMCTXP(LOGL_NOTICE, mmctx, "Dropping GMM %s which was received on different "
+ "RAT (mmctx ran_type=%u, msg_iu_ue_ctx=%p\n",
+ get_value_string(gprs_msgt_gmm_names, gh->msg_type),
+ mmctx->ran_type, MSG_IU_UE_CTX(msg));
+ return -EINVAL;
+ }
+ }
+
/*
* For a few messages, mmctx may be NULL. For most, we want to ensure a
* non-NULL mmctx. At the same time, we want to keep the message