Move UE context creation and storage to after successful PDU encoding
to prevent memory leaks if encoding fails. Also add proper PDU cleanup
when AMF fetch fails and use consistent NULL check style.
This ensures UE context is only stored when the operation is guaranteed
to succeed, improving error handling and memory management.
In the current memory management the caller wasn't responsible for freeing
memory they allocate. The ngap_gNB_encode_pdu function was taking ownership
of PDU contents by calling ASN_STRUCT_FREE_CONTENTS_ONLY, while callers
also expected to manage the same memory. This created unclear ownership semantics and
potential double-free bugs.
- Remove ASN_STRUCT_FREE_CONTENTS_ONLY from ngap_gNB_encode_pdu to prevent double-free
- Remove unnecessary ASN_STRUCT_FREE when encode function returns NULL
- Add proper ASN_STRUCT_FREE cleanup for heap-allocated PDUs in ngap_gNB.c functions
- Add ASN_STRUCT_FREE_CONTENTS_ONLY cleanup for stack-allocated PDUs in NAS and context management functions
- Ensure consistent memory cleanup patterns across all NGAP encoder callers
- Fix potential memory leaks in all ngap_gNB_encode_pdu call sites
This prevents double-free bugs and ensures proper cleanup of ASN.1 structures
in both heap and stack allocation scenarios.
These libraries depend on the logging module, so add the right
dependency log_headers. Indirectly, this will fulfill the condition of
T. I consider the prior usage of generate_T or {T_LIB} incorrect,
because basically none of these libraries actually, actively use T, but
rather only the logging module, which pulls in T. The dependency of
log_headers will also take care of generating and including T headers,
which is a dependency of the logging module.
For conf2uedata and related, fulfill the dependency
through conf2uedata_lib (on which the rest depends).
We don't use JER. This avoids compilation problems, such as:
/usr/bin/ld: openair3/NRPPA/MESSAGES/libasn1_nrppa.a(INTEGER_jer.c.o): in function `INTEGER_decode_jer':
tmp.MtrwVDhQqY/openair3/NRPPA/MESSAGES/INTEGER_jer.c:186:(.text+0x5b8): undefined reference to `jer_decode_primitive
- Replace error handling for impossible ID mismatches with DevAssert statements
- If ngap_get_ue_context() succeeds, returned context must have matching NGAP gNB UE IDs by definition
- This catches potential bugs in the lookup function immediately
- Affects: handover_required, handover_notify, handover_cancel, ul_ran_status_transfer
These checks were logically impossible since we looked up the context using
the same IDs we were then checking for mismatch.
* There is no IE corresponding to PDU sessions failed to release
in the PDU SESSION RESOURCE RELEASE RESPONSE message. This was removed
and the corresponding code was refactored and cleaned up.
* In the Release Command handler, only established PDU Session are set to be
released. The Response message is filled accordingly.
- Move QoS-related enums and structures from ngap_messages_types.h to 5g_platform_types.h
- Replace ngap_* QoS types with generic qos_* types for better reusability
- Update field names from allocation_retention_priority to arp for consistency
- Update all references across RRC and NGAP modules to use new type names
- Remove duplicate QoS type definitions from NGAP-specific header
This improves code organization by centralizing QoS parameter definitions
in a common platform types header and eliminates NGAP-specific naming
in favor of more generic, reusable type definitions.
Previously, the RRC layer was incorrectly allocating stack memory for the ho_required_transfer field and passing it to NGAP, however it was not used. The IE is mandatory but contains only 1 optional IE, therefore is encoded in the NG message with empty content.
Changes:
- Remove unnecessary ho_required_transfer field from pdusession_resource_t definition, the IE is encoded anyway with empty content. If Direct Forwarding Path Availability is needed at any stage in the future it can be added to pdusession_resource_t and filled in RRC.
- Add clarifying comment about empty HandoverRequiredTransfer structure
This commit completes the NGAP Mobility Management procedure for N2 handover.
Upon failure on source gNB the Handover Cancel message is sent to the AMF which
in return responds with an ack.
According to 4.9.1.3.3 of 3GPP TS 23.502:
> 2a. - 2c. The S-RAN sends the Uplink RAN Status Transfer message to the S-AMF,
> as specified in TS 36.300 [46] and TS 38.300 [9]. The S-RAN may omit sending
> this message if none of the radio bearers of the UE shall be treated with PDCP status preservation.
TS 38.300 says:
> For DRBs not configured with DAPS, the source gNB sends the SN STATUS TRANSFER message to the target
> gNB to convey the uplink PDCP SN receiver status and the downlink PDCP SN transmitter status of DRBs for
> which PDCP status preservation applies (i.e. for RLC AM). The uplink PDCP SN receiver status includes at
> least the PDCP SN of the first missing UL PDCP SDU and may include a bit map of the receive status of the out
> of sequence UL PDCP SDUs that the UE needs to retransmit in the target cell, if any. The downlink PDCP SN
> transmitter status indicates the next PDCP SN that the target gNB shall assign to new PDCP SDUs, not having a
> PDCP SN yet.
i.e., for DRBs for which PDCP status preservation applies (i.e. for RLC AM), which is is our case.
This commit introduces full support for NG-RAN Status Transfer message handling
(TS 38.413 §9.2.3.13-14) in CU. It enables correct state transfer of PDCP COUNT
values (SN + HFN) during mobility or recovery scenarios.
Summary of changes - NGAP:
* Added encoding/decoding support for UL/DL RAN Status Transfer message
* Defined structures for: ngap_drb_count_value_t, ngap_drb_status_t,
ngap_ran_status_container_t, ngap_ran_status_transfer_t
This commit introduces the NG Mobility Management Procedure known as
Handover Notification. The outbound message is sent by the target NG-RAN
and is known as Handover Notify. The procedure is used to indicate to
the AMF that the UE has arrived to the target cell and the NG-based
handover has been successfully completed
* after RRCReconfiguration complete, in the N2 callback for HO success
* add NGAP encoder for the message
* RRC callback to trigger Handover Notify message
Co-authored-by: batuhan duyuler <batuhan.duyuler@firecell.io>
* add NG Handover Command message decoder
* process in RRC: encode RRCReconfiguration message
from the received HandoverCommandMessage
* trigger RRCReconfiguration for handover
Co-authored-by: batuhan duyuler <batuhan.duyuler@firecell.io>
This commit completes the NG Mobility Management Procedure known as
Handover Resource Allocation. The outbound message is sent by the
target NG-RAN and is known as Handover Request Acknowledge.
Major changes:
* add RRC callback to trigger the generation of NG Handover
Request Acknowledge on the target NG-RAN
* add NG Handover Request Acknowledge encoder
Co-authored-by: batuhan duyuler <batuhan.duyuler@firecell.io>
This commit introduces the NG Mobility Management Procedure known as
Handover Resource Allocation. The inbound message is sent by the AMF
and is known as Handover Request.
Major changes:
(0) Add Handover Resource Allocation initiating message decoding
* add case for NGAP initiating message and unsuccessful message decoding
(1) handle Handover Request on the target NG-RAN
(2) decode NG Handover Request message
(3) process payload, e.g. create UE context,
store IDs, set UP security and trigger bearer setup
Co-authored-by: batuhan duyuler <batuhan.duyuler@firecell.io>
This message is sent from the Target NG-RAN to the AMF.
The commit introduces:
* NGAP encoding function
* N2 callback for the target gNB
* handle the failure in RRC, inform NGAP
* send NGAP message to AMF via SCTP
Note: UE context in NGAP is fetched from the amf_ue_ngap_id
Co-authored-by: batuhan duyuler <batuhan.duyuler@firecell.io>
This commit introduces the NG Mobility Management Procedure known as
Handover Preparation. The outbound message is sent by the source NG-RAN
and is known as Handover Required.
* introduce NGAP library for Mobility Management
* introduce NGAP IEs encoder functions for Handover Required and relevant common IEs
* handle RRC trigger in NGAP and Send NGAP Handover Required to the AMF
Co-authored-by: batuhan duyuler <batuhan.duyuler@firecell.io>
some work for better interoperability with srsRAN DU
Just add the minimum to get some user plane traffic going on.
When doing user plane traffic, in the CU logs we have a lot of:
[GTPU] NR-RAN container type: 1 not supported
That will be fixed in another MR, not here.
This is in 3GPP TS 38.425.
Because it was not done, there was a problem of interoperability
between openair CU and srsran DU. No DL traffic was reaching the UE.
A new GTPU API function is introduced: gtpv1uSendDirectWithNRUSeqNum().
It is only used in the gNB CU, in PDCP. So it was decided to not add a
new parameter to gtpv1uSendDirect() but instead add a new API function.
Add a CU-UP load tester and improve GTP performance
This adds a simple tester program for the CU-UP. It sets up a number of
UEs/bearers in the CU-UP via the E1 interface, then streams data in
downlink/uplink (as seen by the CU-UP). More information is available in
tests/nr-cuup/README.md.
Includes some fixes to properly verify that SCTP is installed, and use
"the right cmake way" to use it in cmake code (see commit for details).
Make a common pattern, which makes it simpler to find them in gNB logs,
and, maybe more importantly, link tunnel creation and update (the update
message was missing the "incoming" TEID, so it is not easy to link to
creation apart from the UE ID, but even then the UE might have multiple
tunnels).
Reuse the gtpv1u_bearer_t for internal functions. Hopefully this will
also simplify implementation of IPv6, as it encapsulates IP address
handling within gtpv1u_bearer_t.
The (remote) port number of the GTP module is configured during
initialization. It is therefore not required when calling
newGtpuCreateTunnel(), and could even lead to bugs (if another port
number is used than specified during GTP init).
remove specific directory for LTE SIM management tools
This is very old code has never been integrated with the "main" OAI
cmake infrastructure and more recent libraries.
This MR integrates the three binaries for LTE virtual sim management in
the regular build process and log system
Avoid the include gtpv1_u_messages_types.h, as this pulls in e.g., LTE
RRC definitions. The CU-UP load tester integrated in one of the
following commits should be able to build without LTE RRC, if it was for
GTP. Unfortunately, ITTI also pulls in LTE RRC, so it's also somewhat
useless...
Put some forward declarations instead. That also shows that the API is
unnecessarily complex, and would need some cleanup.
Tell strncpy() the size including the NULL byte to make sure we copy all
data.
This just fixes these warnings:
openair3/NAS/TOOLS/conf_usim.c: In function ‘gen_usim_data’:
openair3/NAS/TOOLS/conf_usim.c:191:17: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
openair3/NAS/TOOLS/conf_usim.c:190:53: note: length computed here
openair3/NAS/TOOLS/conf_usim.c:195:17: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
openair3/NAS/TOOLS/conf_usim.c:194:54: note: length computed here
add copy with limited size and truncate properly with null C string termination.
As clang-format doesn't handle tab indented files and as it is not the
OAI coding rule, the entire file is re-indented with present OAI coding
rule.
Remove the --usim-test option: to my knowledge, it's not used by users,
and is misleadingly placed in various places where there should not be a
difference w.r.t. USIM configuration.
When making the changes, I assumed that --usim-test would be 0 (the
default), which is the case in all executables when not specified in
options except for the nr_dlsim, nr_pbchsmi, nr_ulsim simulators.
The only exception is the initialization of PDCP from the MAC, which is
not correct (the PDCP is in the CU, so it does not make sense to call it
from the MAC which is in the DU). Instead, always initialize from main,
even in the NSA case (NSA was covered by the incorrect initialization
from MAC).
This in turn let to some more cleanup around function du_rlc_data_req().
After receiving GTP packets at the DU, they were given to the PDCP to
enqueue the packet at RLC. This does not work anymore, since the PDCP is
not initialized; it also does not seem necessary, as this enqueue
functionality is necessary to decouple PDCP and RLC to avoid deadlocks
in monolithic, but in split-mode, this cannot happen. Instead, call
directly into the RLC when receiving GTP packets.
bugfix: UE AMBR is optional
This was a problem with open5gs and more than one PDU session. The core network
sets UE AMBR only once, leading to failure in the gNB for the second PDU session.
(A proper handling of AMBR has to be develop at some point in the gNB.)
This was a problem with open5gs and more than one PDU session.
The core network sets UE AMBR only once, leading to failure in the gNB
for the second PDU session.
(A proper handling of AMBR has to be develop at some point in the gNB.)
bugfix: read msg_type only after deciphering
There was a problem with accessing msg_type from the input buffer before
deciphering, giving obviously wrong value.
CI team: we should add a test in the CI with NAS ciphering + integrity
(connection to the core) set to not null (I suggest nea2/nia2). With
openair's core, this is done by setting this in the amf config file
(nia1 and nea2 at the top of the list):
supported_integrity_algorithms:
- "NIA2"
- "NIA1"
- "NIA0"
supported_encryption_algorithms:
- "NEA2"
- "NEA1"
- "NEA0"
And also put full security in the AS. This is done with this in the gnb
config file:
security = {
ciphering_algorithms = ( "nea2", "nea0" );
integrity_algorithms = ( "nia2", "nia1", "nia0" );
drb_ciphering = "yes";
drb_integrity = "yes"
};
Ideally we should test this with both openair UE and cots UE. But as a
strict minimum do for openair UE (this is where the bug was).
No need to do much traffic, a few ping is enough. But if you want to
check throughput with full security, why not.