From d999e54aa264254a66de425ccf7edcd68f8420f2 Mon Sep 17 00:00:00 2001 From: Daniel Willmann Date: Thu, 30 Jan 2020 12:30:40 +0100 Subject: gprs_gmm: Check for RAT change and ensure this only happens for RAU/ATT Change-Id: I38cb31907eddeade5350cdb648df179408d908d2 Related: OS#3727 --- src/sgsn/gprs_gmm.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'src/sgsn/gprs_gmm.c') diff --git a/src/sgsn/gprs_gmm.c b/src/sgsn/gprs_gmm.c index f62d0d1f2..c574dac5f 100644 --- a/src/sgsn/gprs_gmm.c +++ b/src/sgsn/gprs_gmm.c @@ -1099,6 +1099,16 @@ static inline void ptmsi_update(struct sgsn_mm_ctx *ctx) osmo_fsm_inst_dispatch(ctx->gmm_fsm, E_GMM_COMMON_PROC_INIT_REQ, NULL); } +/* Detect if RAT has changed */ +static bool mmctx_did_rat_change(struct sgsn_mm_ctx *mmctx, struct msgb *msg) +{ + if (MSG_IU_UE_CTX(msg) && mmctx->ran_type != MM_CTX_T_UTRAN_Iu) + return true; + if (!MSG_IU_UE_CTX(msg) && mmctx->ran_type != MM_CTX_T_GERAN_Gb) + return true; + return false; +} + /* 3GPP TS 24.008 ยง 9.4.1 Attach request */ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg, struct gprs_llc_llme *llme) @@ -1944,6 +1954,23 @@ int gsm0408_rcv_gmm(struct sgsn_mm_ctx *mmctx, struct msgb *msg, return rc; } + /* A RAT change is only expected/allowed for RAU/Attach Req */ + if (mmctx && mmctx_did_rat_change(mmctx, msg)) { + switch (gh->msg_type) { + case GSM48_MT_GMM_RA_UPD_REQ: + case GSM48_MT_GMM_ATTACH_REQ: + break; + default: + /* This shouldn't happen with other message types and + * we need to error out to prevent a crash */ + LOGMMCTXP(LOGL_NOTICE, mmctx, "Dropping GMM %s which was received on different " + "RAT (mmctx ran_type=%u, msg_iu_ue_ctx=%p\n", + get_value_string(gprs_msgt_gmm_names, gh->msg_type), + mmctx->ran_type, MSG_IU_UE_CTX(msg)); + return -EINVAL; + } + } + /* * For a few messages, mmctx may be NULL. For most, we want to ensure a * non-NULL mmctx. At the same time, we want to keep the message -- cgit v1.2.3