search

HewlettPackard / PacketRusher

High performance 5G UE/gNB Simulator and CP/UP load tester.
Apache License 2.0
117 stars 26 forks source link

[BUG] PacketRusher crashes when UE has an MNC with 3 digits #98

Closed rjaksa closed 8 months ago

rjaksa commented 8 months ago

Describe the bug When the UE's IMSI is constructed with a 3-digit MNC, PacketRusher crashes.

To Reproduce Steps to reproduce the behavior:

  1. In the config.yml UE section, you can construct a UE with a 3-digit MNC. To accommodate the 3-digit MNC, the MSIN must be reduced by one digit (so the IMSI is a total of 15 digits). E.g.

ue: msin: "123456789" key: "00010203..." opc: "00112233..." amf: "8000" sqn: "00000000" dnn: "internet" routingindicator: "0000" hplmn: mcc: "789" mnc: "123" snssai:

  1. When running PacketRusher, the gNodeB is created properly with a 3-digit MNC (see bug fix 84). But in "func SimulateSingleUE" starting around line 113 in the file internal/common/tools/tools.go, it can be seen that the UE's MSIN is prepended with an extra '0'. For example, I added several "log.info" debug lines in tools.go as shown below. In the output from those, you can see that a zero is prepended to the MSIN for the UE only.

log.Info("[TESTER] TESTING REGISTRATION - DEBUG 1", ueCfg, " xxx") log.Info("[TESTER] TESTING REGISTRATION - DEBUG 2", simConfig, " yyy") log.Info("[TESTER] TESTING REGISTRATION - DEBUG 3", simConfig.Gnbs[gnbIdGen(0)], " zzz")

with corresponding output of:

INFO[0001] [TESTER] TESTING REGISTRATION - DEBUG 1 {{{xx.yy.zz.ww 9487} {xx.yy.zz.ww 2152} {789 123 0228BC 0F423c} {01 ffffff}} {0123456789 00010203... 00112233... 8000 00000000 internet 0000 {789 123} {1 } {false false true false} {true false true false} 2} {xx.yy.zz.qq 38412} {4}} xxx

INFO[0001] [TESTER] TESTING REGISTRATION - DEBUG 2 {1 map[0F423c:0xc0001e6300] {{{xx.yy.zz.ww 9487} {xx.yy.zz.ww 2152} {789 123 0228BC 0F423c} {01 ffffff}} {123456789 00010203... 00112233... 8000 00000000 internet 0000 {789 123} {1 } {false false true false} {true false true false} 2} {xx.yy.zz.qq 38412} {4}} 0xc000306000 0 0 0 0 0 1} yyy

INFO[0001] [TESTER] TESTING REGISTRATION - DEBUG 3 <nil> zzz

Note the two MSINs shown in bold for ueCfg and simConfig. The ueCfg MSIN has "10" digits (which is incorrect) and simConfig MSIN has "9" digits.

  1. Consequently simConfig.Gnbs[gnbIdGen(0)] returns return a NULL pointer and the system crashes (see the nil in the 3rd debug line shown above).

Expected behavior PacketRusher UE handling needs to be corrected to handle 3 digit MNCs (and 9 digit MSINs).

linouxis9 commented 8 months ago

Hi @rjaksa,

Thanks a lot for the detailed report!

I'll take a look.

Cheers, Valentin

linouxis9 commented 8 months ago

Hi @rjaksa, MSIN encoding issue when MNC has 3 digits has been fixed, and verified to be fixed by another party. If you are still stumbling upon your NIL crash on the latest commit of master, please open another bug with pcap / logs and I'll swiftly take a look at it. Thanks a lot! Cheers, Valentin

rjaksa commented 8 months ago

Sounds good. I will re-check it soon. Thanks!

rjaksa commented 8 months ago

I found the problem that causes my NIL crash. It occurs when/if you use a gNodeB id with a hex digit (e.g. 00000F). I will collect information and open another bug report.