forked from open5gs/open5gs
Update 3/07/2025 #2
Merged
+10,063
−3,327
The issue was that the PLMN-ID of the TAI was incorrectly being retrieved from the PLMN-ID of the EUTRAN_CGI. As a result, when the PLMN-IDs of the TAI and EUTRAN_CGI were improperly set, the MME would crash. All issues have now been resolved.
I wanted to let you know that I have modified the SMF configuration to send S2b PGW GTP-U instead of S5/S8 PGW GTP-U in WLAN. This adjustment should ensure that the correct interface type is used, as per the specifications.
I have modified the PAA's IPv6 prefix length from 8 to 64. This adjustment ensures that the prefix length now correctly reflects the standard /64 notation, in accordance with the specifications.
Decrement the Packet Filter Identifier by 1 before sending it to the UE during GSM message construction. This correction ensures proper synchronization between the UE and SMF, allowing `smf_pf_find_by_identifier()` to accurately locate the corresponding `pf` context without adjusting the identifier during the search. This fix aligns the 5GC implementation with the EPC behavior, where the identifier was correctly decremented before transmission to the UE, preventing mismatches and synchronization issues.
This reverts commit f82fc85.
…3505)

- **Correct Packet Filter Identifier Handling:** Remove the addition of +1 when searching for the packet filter context using `smf_pf_find_by_identifier()` in the 5G Core SMF. According to 3GPP TS24.008 Section 10.5.6.12 and TS24.501 Section 9.11.4.13, the Packet Filter Identifier should range from 1 to 15 (or 0 to 15) depending on the operation and should be used directly as received from the UE.
- **Adjust Maximum Number of Packet Filter Identifiers:** Change the maximum number of Packet Filter Identifiers from **16** to **15** in the SMF to comply with the 3GPP specifications. The standards specify that the number of packet filters shall be greater than 0 and less than or equal to 15 for certain operations.

**Background:** In the current 5GC implementation, the SMF incorrectly adds +1 to the identifier received from the UE and allows up to 16 identifiers, leading to mismatches and potential communication issues. These discrepancies cause the SMF to fail in correctly locating the packet filter context, resulting in improper QoS rule enforcement.

**Changes Made:**

- **For Packet Filter Identifier Handling:**
  - Updated the SMF code to use the identifier received from the UE directly without modification:

    ```c
    // Corrected code for 5GC:
    pf = smf_pf_find_by_identifier(
            qos_flow, qos_rule[i].pf[j].identifier);
    ```
- **For Maximum Number of Packet Filter Identifiers:**
  - Adjusted the code to enforce a maximum of 15 packet filters as per the specifications.

**Impact:**

- **Compliance:**
  - Ensures that the 5GC implementation of Open5GS adheres to the 3GPP TS24.008 and TS24.501 specifications regarding Packet Filter Identifier handling and limits.
- **Functionality:**
  - Corrects the mapping and management of packet filters between the UE and SMF in 5GC, preventing potential communication issues and misconfigurations.
- **EPC Implementation:**
  - The EPC implementation remains unaffected by these changes. EPC correctly handles the Packet Filter Identifier by decrementing it by 1 before sending it to the UE and adding +1 when searching for the packet filter context.

**Conclusion:** By making these adjustments, we ensure proper synchronization between the UE and SMF in the 5G Core and maintain compliance with the 3GPP specifications. This fix resolves the mismatches caused by incorrect identifier handling and enforces the correct limit on the number of packet filters, enhancing the reliability and standards compliance of the 5GC implementation without impacting the existing correct behavior in EPC.
1. Set packet filter identifier values to 0 when the UE requests to:
   - Create new QoS rule
   - Modify existing QoS rule and replace all packet filters
   - Modify existing QoS rule and add packet filters
   - As specified in TS24.501, section 9.11.4.13, Table 9.11.4.13.1.
2. Revise QoS rule modification logic:
   - Instead of replacing packet filters based on their identifiers (EPC approach), update the implementation to delete all existing packet filters within the QoS rule and add new ones.
   - This ensures that when modifying an existing QoS rule to replace all packet filters, the packet filters are correctly reset and updated per 5G Core requirements.
This commit fixes an issue where the system would crash due to improper memory release after receiving crafted PFCP packets from UEs.
Added UE's current TAI and E-CGI to SGsAP-LOCATION-UPDATE-REQUEST message as per TS 29.118 5.2.2.2.1
1. Fix SGW-U/UPF bug by comparing QFI only when PDI's QFI is present

   Resolved an issue where the QoS Flow Identifier in the GTP-U Extension Header was incorrectly compared regardless of the presence of PDI's QFI. Updated the implementation to perform the comparison only when PDI's QFI is present.

2. Add Outer Header Removal settings to SGW's PDR where necessary

   Addressed the absence of Outer Header Removal in the SGW's PDR by adding it to all required locations, ensuring proper header handling.

3. Remove unnecessary GTP-U Extension Header Removals

   Eliminated all instances of GTP-U Extension Header Removal since they should only be used during handover from 5GS to EPS. This cleanup prevents improper header removals in other scenarios.

4. Delete unnecessary usage of Network Interface and UE IP Address

   Removed all redundant references to Network Interface and UE IP Address, streamlining the codebase and reducing potential confusion.

5. Change precedence so that Control has higher priority than Data

   Adjusted the precedence settings to ensure that Control messages are given higher priority over Data, enhancing the system's efficiency and responsiveness.
This field was previously omitted, which could lead to improper handling of interface-specific logic in certain scenarios. The addition of the 3GPP Interface Type ensures correct behavior in compliance with the 3GPP standards for PFCP message handling.
…uest for SMF Diameter S6b Routing (#3507) Implement support for Node-Identifier IE in GTPv2 S2b Create-Session-Request to SMF for Diameter S6b integration This patch adds support for processing the Node-Identifier IE within GTPv2 Create-Session-Request messages sent via the S2b interface to the SMF. When the ePDG includes the Node-Identifier IE containing both host and realm of the AAA-Server, the SMF now uses this information to populate the Destination-Realm and Destination-Host AVPs in the Diameter S6b AAR message. This enables seamless integration and allows the SMF to route requests directly to the appropriate AAA-Server, enhancing interoperability in setups where the host and realm data are required by the Diameter network.
The memory leaks occurring in specific exception handling scenarios have been resolved. For instance, when an HTTP2 connection closes, memory associated with objects like response messages was not being freed properly. This update addresses and fixes these issues.
Previously, the global configuration section was required for NF to start, which differed from earlier versions where it was optional. This commit modifies the implementation to make the global section optional again, allowing NF to start without explicitly defining global settings. This change restores the previous behavior and improves usability for users who do not need to customize global settings.
Fixed an issue in SCP TLS communication for Open5GS where omitted port numbers in HTTP/HTTPS URIs (e.g., "https://scp.localdomain" implying port 443) were not handled correctly. Updated the code to ensure that during FQDN and port comparisons, cases where the port number is set to 0 are accounted for. This fix resolves the problem with indirect SBI communication over SCP using TLS allowing proper connectivity between network functions like BSF and NRF.
While experimenting with CSFB, it was observed that when the UE returns to E-UTRAN after a CS call, the UE performs a Tracking Area Update with a combined Tracking Area/Location Area update and IMSI attach. Currently, Open5GS's MME simply responds with a TAU Accept message but does not inform the MSC/VLR. As a result, no further MT (Mobile Terminated) CS/SMS services are possible in cases where the MSC/VLR only attempts paging on GERAN. However, some MSC/VLR implementations with fast fallback may still attempt paging on E-UTRAN, allowing MT CS/SMS services to function intermittently.

According to 3GPP TS 29.118 Section 5.2.2 Procedures in the MME, specifically Section 5.2.2.2.1, if the timer Ts6-1 is not running, the MME shall start the location update for non-EPS services procedure upon receiving a combined Tracking Area Update Request indicating combined TA/LA updating with IMSI attach. However, SGs timers are not implemented in Open5GS, which is a separate issue.

To comply with the specification and ensure that the MSC/VLR is informed when the UE becomes reachable via SGs, the following changes have been implemented:

1. Delay UEContextReleaseCommand: When the active_flag is set to 0, the UEContextReleaseCommand is now delayed until the MME receives the TAU Complete message from the UE. This ensures that the UE has acknowledged the new P-TMSI before the network releases the context, maintaining proper synchronization between the UE and the network.
2. Include Mobile Identity Only When P-TMSI Changes: The Mobile Identity is now included in the Attach/TAU Accept messages only when the MSC/VLR updates the P-TMSI. This ensures that the UE receives the Mobile Identity information solely when there is an actual change in the P-TMSI, preventing unnecessary or incorrect handling of TAU Complete messages.
3. Send SGsAP-REALLOCATION-COMPLETE Conditionally: The SGsAP-REALLOCATION-COMPLETE message is now sent to the MSC/VLR only upon receiving an Attach/TAU Complete message from the UE. This confirmation indicates that the UE has successfully updated its P-TMSI, ensuring that the MSC/VLR is accurately informed of the change.
4. Handle P-TMSI Confirmation: When the MSC/VLR updates the P-TMSI, Open5GS stores the new P-TMSI in the next field of the mme_ue structure. Upon receiving the TAU Complete message from the UE, indicating acknowledgment of the new P-TMSI, Open5GS confirms the update by transferring the P-TMSI from the next field to the current field. This ensures that the MME maintains an accurate and up-to-date record of the P-TMSI as confirmed by the UE.
) In accordance with TS29.500 Section 5.2.2.2 on mandatory HTTP standard headers, the User-Agent header in HTTP/2 requests is required to include the NF type of the HTTP/2 client. Additionally, it is specified that the content of the User-Agent header may be followed by a hyphen and custom information when needed, providing greater flexibility for identifying the originating NF type or adding other specific details. To accommodate this requirement, I modified the code to allow for additional information to be appended after the NF type in the User-Agent header, separated by a hyphen. This change ensures that the User-Agent header format can be customized as needed for indirect communication scenarios and requests originating from the SCP, improving compliance with the specification and enhancing the adaptability of the header format for HTTP/2 communications.
We modified the `ogs_supi_from_suci` function to prevent the crash by limiting the number of tokens parsed.
```
TS36.413
8.7.3 S1 Setup
8.7.3.4 Abnormal Conditions
If the eNB initiates the procedure by sending a S1 SETUP REQUEST message
including the PLMN Identity IEs and none of the PLMNs provided by the eNB
is identified by the MME, then the MME shall reject the eNB S1 Setup Request
procedure with the appropriate cause value, e.g., “Unknown PLMN”
```

Modified code to address abnormal conditions where the eNB initiates the S1 Setup Request with a PLMN Identity IE that is unrecognized by the MME. In this case, the MME now properly rejects the S1 Setup Request with the cause value "Unknown PLMN" in compliance with the 3GPP specification (8.7.3.4).
…3569) Resolved an issue where Handover was failing when attempting to handover from GNB-ID/eNB-ID 1 to GNB-ID/eNB-ID 0. The problem occurred because the hash table managing GNB_ID values would remove any entry with the default GNB-ID/eNB-ID of 0 before re-adding entries. Consequently, any GNB/eNB configured with a GNB-ID/eNB-ID of 0 would be inadvertently deleted whenever another GNB was added. This fix modifies the handling of the hash table to prevent the default GNB-ID/eNB-ID (0) from being removed unintentionally, allowing handovers between GNB-ID/eNB-ID 0 and other GNBs/eNBs to proceed without error.
….yaml in guide02 docs
Break early in case resource allocation fails.
TS 29.571 - 5.5.2 Simple Data Types defines BitRate type as String representing a bit rate that shall be formatted as follows:

- Pattern: `'^\d+(\.\d+)? (bps|Kbps|Mbps|Gbps|Tbps)$'`
- Examples: "125 Mbps", "0.125 Gbps", "125000 Kbps"

Taking the "0.125 Gbps" example, rather than round 0.125 down to 0, parse it as a double-float first before multiplying by 10^9, resulting in 1.25e8 (bps).
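A strict BitRate parser along the lines this commit message describes, written here as an added example and not taken from the commit or from Open5GS. The function name `bitrate_to_bps` is hypothetical; the code enforces the TS 29.571 pattern quoted above before converting, so a string such as "125Mbps" is rejected instead of being half-parsed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not an Open5GS function).
 * Accepts only '^\d+(\.\d+)? (bps|Kbps|Mbps|Gbps|Tbps)$'.
 * Returns 0 and stores bits per second in *bps, or -1 if malformed. */
int bitrate_to_bps(const char *s, uint64_t *bps)
{
    static const struct { const char *unit; double mult; } units[] = {
        { "bps", 1.0 }, { "Kbps", 1e3 }, { "Mbps", 1e6 },
        { "Gbps", 1e9 }, { "Tbps", 1e12 },
    };
    const char *p = s;
    char *end = NULL;
    double value, scaled;
    size_t i;

    if (s == NULL || bps == NULL)
        return -1;

    /* \d+ : at least one digit before any decimal point */
    if (!isdigit((unsigned char)*p))
        return -1;
    while (isdigit((unsigned char)*p))
        p++;

    /* (\.\d+)? : optional fraction, which needs at least one digit */
    if (*p == '.') {
        p++;
        if (!isdigit((unsigned char)*p))
            return -1;
        while (isdigit((unsigned char)*p))
            p++;
    }

    /* exactly one space separates number and unit */
    if (*p != ' ')
        return -1;

    /* Parse as a double so "0.125" is not truncated to 0. The pre-scan
     * above already excluded exponents, signs and hex forms. */
    value = strtod(s, &end);
    if (end != p)
        return -1;
    p++;

    for (i = 0; i < sizeof(units) / sizeof(units[0]); i++) {
        if (strcmp(p, units[i].unit) != 0)
            continue;
        scaled = value * units[i].mult;
        if (scaled >= 18446744073709551615.0) /* would not fit uint64_t */
            return -1;
        *bps = (uint64_t)(scaled + 0.5);      /* round to nearest bit/s */
        return 0;
    }
    return -1; /* unknown unit or trailing characters */
}

int main(void)
{
    uint64_t v = 0;
    /* "0.125 Gbps" is one of the examples quoted from TS 29.571 */
    return (bitrate_to_bps("0.125 Gbps", &v) == 0 && v == 125000000u) ? 0 : 1;
}
```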
This commit introduces a new parameter in the global configuration to support UPG-VPP UPF. When the following setting is added:

```
global:
  parameter:
    use_upg_vpp: true
```

The SMF generates PFCP messages specifically tailored for UPG-VPP UPF. This allows seamless integration and operation with UPG-VPP by automatically adapting the message structure to its requirements.
This update improves compatibility with newer distributions by modifying dependency declarations in control files, Dockerfiles, and documentation.
to conditionally install `libidn-dev` or `libidn11-dev`, depending on availability, and clarify common dependencies for Debian/Ubuntu.
Previously, the function `udm_nudm_sdm_handle_subscription_create()` would trigger a fatal assertion failure if the maximum number of SDM subscriptions was reached. This commit adds error handling to check if the subscription pool allocation fails. If `udm_sdm_subscription_add()` returns NULL, an appropriate error message is logged, and a 400 Bad Request response is sent back to the client instead of causing a crash.
#3689) This commit adds additional checks in the PFCP receive callback to ensure that a complete PFCP message is received before parsing. A minimum header length check and a total message length validation are now performed. This prevents incomplete, fragmented messages from being processed and avoids potential parsing errors and DoS conditions.
This commit modifies the message length check in ogs_pfcp_recvfrom. Previously, the condition only verified that the received size was less than the expected length, which could allow messages that are too long to be processed. The condition now requires an exact match between the received size and the expected total PFCP message length, ensuring proper message validation.
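The two PFCP length checks described in the commit messages above (a minimum header length, then an exact match between the received size and the Length field), shown as an added example that is not Open5GS code. The function, enum and sample names are hypothetical; the header layout follows 3GPP TS 29.244, and the sample datagram is constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names for illustration; not Open5GS identifiers. */
enum pfcp_check {
    PFCP_OK = 0,
    PFCP_TOO_SHORT,     /* fewer bytes than the fixed header needs */
    PFCP_BAD_VERSION,   /* version field is not 1 */
    PFCP_LEN_MISMATCH   /* Length field disagrees with datagram size */
};

#define PFCP_FLAG_S        0x01 /* SEID field present */
#define PFCP_HDR_NO_SEID   8    /* flags, type, length(2), seq(3), spare */
#define PFCP_HDR_WITH_SEID 16   /* the above plus an 8-octet SEID */

/* Constructed sample: Heartbeat Request (type 1) carrying one Recovery
 * Time Stamp IE (type 96, 4-octet value). Length = 12, total = 16. */
const uint8_t sample_heartbeat[16] = {
    0x20, 0x01, 0x00, 0x0c,             /* version 1, type 1, length 12 */
    0x00, 0x00, 0x01, 0x00,             /* sequence number 1, spare     */
    0x00, 0x60, 0x00, 0x04,             /* IE type 96, IE length 4      */
    0xe0, 0x00, 0x00, 0x00              /* IE value (constructed)       */
};

/* Validate one received UDP payload before any IE parsing happens. */
enum pfcp_check pfcp_check_datagram(const uint8_t *buf, size_t received)
{
    size_t hdr_len, total;

    /* The Length field sits in octets 3-4; it cannot be read otherwise. */
    if (buf == NULL || received < 4)
        return PFCP_TOO_SHORT;

    if ((buf[0] >> 5) != 1)
        return PFCP_BAD_VERSION;

    /* Minimum header length depends on whether a SEID is present. */
    hdr_len = (buf[0] & PFCP_FLAG_S) ? PFCP_HDR_WITH_SEID
                                     : PFCP_HDR_NO_SEID;
    if (received < hdr_len)
        return PFCP_TOO_SHORT;

    /* Length counts every octet after the first four. */
    total = (((size_t)buf[2] << 8) | (size_t)buf[3]) + 4;

    /* A Length too small to cover the header is inconsistent. */
    if (total < hdr_len)
        return PFCP_LEN_MISMATCH;

    /* Exact match: a truncated datagram and one with trailing bytes
     * are both rejected, not just the truncated one. */
    if (received != total)
        return PFCP_LEN_MISMATCH;

    return PFCP_OK;
}

int main(void)
{
    return pfcp_check_datagram(sample_heartbeat,
                               sizeof(sample_heartbeat)) == PFCP_OK ? 0 : 1;
}
```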
…nnel responses Replace enb_ue with source_ue to correctly reference the target eNodeB context during handover. Added null checks and assertions to ensure proper session cleanup in both mme-s11-handler.c and s1ap-handler.c.
Previously, policies were configured via YAML files without MongoDB. This update enhances the YAML approach by adding the 'supi_range' key to filter policies based on UE SUPI ranges. When both 'supi_range' and 'plmn_id' are provided, both conditions must be met. Note that PLMN-ID filtering will be deprecated in a future release.
…ponses (#3707) During handover between two gNBs, the AMF enters an invalid state when it receives an unexpected SBI response from the UDM in the process of sending a smf-select-data request. This bug could lead to an AMF crash as the state machine in gmm_state_registration encountered an unknown state. The fix adds explicit handling for SBI messages with resource names such as AM_DATA, SMF_SELECT_DATA, UE_CONTEXT_IN_SMF_DATA, and SDM_SUBSCRIPTIONS. If the HTTP response status is not OK, CREATED, or NO_CONTENT, a warning is logged and the message is ignored. This prevents the AMF from transitioning into an abnormal state and improves overall stability during frequent handovers.
…3710) When a duplicate PDU session establishment is received, the AMF logs a warning and proceeds to update the SM context via the SBI interface. This process eventually calls amf_nsmf_pdusession_build_create_sm_context(), which uses the SUPI to build the SBI URI header. If the SUPI is NULL, then the header's resource component becomes NULL. This leads to a call to ogs_uridup() that asserts on the NULL value, causing a crash. This commit adds a check before invoking the SBI update. If the SUPI is NULL, the update is skipped and a warning is logged. This prevents the invalid URI build process and avoids the subsequent crash in ogs_uridup().
* [UDM][UDR] Add support for nssai resource in nudm-sdm
* Resolve Memory Issue
* Protect from multiple field entries, remove macros
* remove request_from_server, make use of xact state
* typo....
* definition cleanup
Test scenario:

- start 5G core
- wait for 5 minutes after SMF establishes PFCP association to UPF (DNS query refresh interval)
- register UE and establish PDU session
- crash

```
[upf] DEBUG: upf_state_operational(): UPF_EVT_N4_MESSAGE (../src/upf/upf-sm.c:51)
[upf] DEBUG: upf_pfcp_state_associated(): UPF_EVT_N4_MESSAGE (../src/upf/pfcp-sm.c:185)
[upf] INFO: [Added] Number of UPF-Sessions is now 1 (../src/upf/context.c:217)
[upf] DEBUG: Session Establishment Request (../src/upf/n4-handler.c:66)
[gtp] INFO: gtp_connect() [127.0.0.8]:2152 (../lib/gtp/path.c:60)
[upf] INFO: UE F-SEID[UP:0x1230 CP:0x5817] APN[local] PDN-Type[1] IPv4[10.46.0.2] IPv6[] (../src/upf/context.c:532)
[upf] INFO: UE F-SEID[UP:0x1230 CP:0x5817] APN[local] PDN-Type[1] IPv4[10.46.0.2] IPv6[] (../src/upf/context.c:532)
[upf] DEBUG: Session Establishment Response (../src/upf/n4-build.c:36)
[pfcp] FATAL: ogs_pfcp_sendto: should not be reached. (../lib/pfcp/path.c:158)
[core] FATAL: backtrace() returned 12 addresses (../lib/core/ogs-abort.c:37)
/open5gs/build/src/upf/../../lib/pfcp/libogspfcp.so.2(ogs_pfcp_sendto+0x1c8) [0x7f73c5ac0888]
/open5gs/build/src/upf/../../lib/pfcp/libogspfcp.so.2(ogs_pfcp_xact_commit+0x170) [0x7f73c5ac3510]
/open5gs/./build/src/upf/open5gs-upfd(+0x109eb) [0x55d7f20f99eb]
/open5gs/./build/src/upf/open5gs-upfd(+0x12351) [0x55d7f20fb351]
/open5gs/build/src/upf/../../lib/core/libogscore.so.2(ogs_fsm_dispatch+0x24) [0x7f73c5b57574]
/open5gs/./build/src/upf/open5gs-upfd(+0xc445) [0x55d7f20f5445]
/open5gs/build/src/upf/../../lib/core/libogscore.so.2(ogs_fsm_dispatch+0x24) [0x7f73c5b57574]
/open5gs/./build/src/upf/open5gs-upfd(+0x77fb) [0x55d7f20f07fb]
/open5gs/build/src/upf/../../lib/core/libogscore.so.2(+0xfb05) [0x7f73c5b4cb05]
/lib/x86_64-linux-gnu/libc.so.6(+0x9ca94) [0x7f73c551ea94]
/lib/x86_64-linux-gnu/libc.so.6(__clone+0x44) [0x7f73c55aba34]
```
Before this, there were 2 different ways to search for neighbouring NF's:

a) in the case AMF was started _before_ UDM, AMF would create subscription to NRF to notify it when a UDM would (un)register. In this case, NF instance would remain in AMF's context indefinitely.

b) in the case AMF was started _after_ UDM, AMF would have to use NF discovery mechanism to search for NF's. In this case, NF instance would remain in AMF's context for the duration of Search's validity (defaults to 30 seconds). After validity expires, NF would expire. This means that for heavy traffic situations, AMF would constantly issue discovery requests.

[SBI] save only wanted NF instances on NF List Retrieval

When retrieving a list of NF Instances from NRF, save only the NF's that we want. Check the NF instance against our subscription list for either the NF type or NF Service. This can still cause a DoS on NRF when NF starts in case there are 100's of NF's in the network, but prevents using too much memory on NF.
) When receiving a PFCP Session Establishment Request with an invalid PDN type(0), the UPF would crash due to a failed assertion. This commit improves error handling by:

- Removing the session_type assertion check that caused the crash
- Changing warning log to error log for better visibility
- Returning CAUSE_SERVICE_NOT_SUPPORTED instead of proceeding with invalid type

This prevents potential DoS attacks through malformed PFCP messages.
* Check length of supi/suci
* check all the things
* Remove ausf_ue when unknown in UDM
* cover both error cases
…SystemInformationTransferType This commit resolves an issue where the system would crash when Inter_SystemInformationTransferType was not present.
In case that NF do not send ProblemDetails in the response. Do not assume that ProblemDetails is always present, to prevent null pointer dereferencing.
Previously, nf_instance pointers were stored in nf_type_array and service_type_array. This led to dangling pointers when an NF instance was removed via ogs_sbi_nf_instance_remove(), causing incomplete cleanup and improper recovery on UDR or other NF restarts. The issue resulted in the system falling back to nf_instance->client with the default port 80, leading to connection failures. To resolve the problem, nf_instance_id is now stored instead of the pointer. The validity of an NF instance is verified using ogs_sbi_nf_instance_find(nf_instance_id), which ensures proper cleanup and correct recovery.
When another NF restarts, curl reuses the existing connection, which in curl 8.9.1 causes the nghttp2 server to send an RST. This commit sends a GOAWAY frame to every active session on shutdown, ensuring a graceful termination and avoiding RST errors. Previous versions such as curl 7.81.0 did not exhibit this behavior.
This commit introduces robust validation for the F-TEID information element in the PFCP message handling. Previously, malformed F-TEID values (such as a zero length, zero TEID, or a TEID exceeding the pool size) could lead to an assertion failure and crash the UPF. The changes ensure that:

- The F-TEID length is greater than zero, confirming the IE is present.
- The TEID is a non-zero value, as a valid TEID must be positive.
- The TEID does not exceed the allowed pool size (max_ue * 4 * 16).

If any of these conditions are not met, an error is logged with the F-TEID length and TEID value, and the function returns an error code (OGS_PFCP_CAUSE_MANDATORY_IE_INCORRECT), preventing further processing of the malformed message.
No description provided.