Project

General

Profile

Actions

Bug #5241

open

GTP: Malformed Packet pdp ctx response.

Added by keith over 2 years ago. Updated about 2 years ago.

Status:
Feedback
Priority:
Low
Assignee:
Category:
libgtp
Target version:
-
Start date:
09/29/2021
Due date:
03/18/2022 (over 2 years late)
% Done:

50%

Spec Reference:

Description

I have some Alcatel 1066G feature phones.

I notice they do have a "browser" and they are Class 12 devices.

I don't see any IP traffic from them though, when using the browser.

Wireshark notes a "Malformed Packet" in the create pdp ctx response, however this only happens with GTP version 1.

(Wireshark can't parse the QoS IE, even though it is the same IE as the one in the pdp ctx request)

  • These phones do have some strange behaviour - for example:
  • When choosing the "Network Account" (APN) to use for the browser, it doesn't always respect what you set, even after power cycle.
  • It doesn't always delete the PDP context on shutdown.
  • The APN profiles have an option for IP v4/v6/both, but it doesn't respect it and always asks for IPv4v6

Maybe some of the above behaviour may be due to error from the network?
I don't care about getting data working on this device, but maybe it's pointing out a bug in libgtp to us?

THe main difference I can see in the pdp ctx requests/response with this and other phones is the length, with this alcatel QoS IE length is 11, with others it is 14.


Files

pdp_ctx_malformed.pcap pdp_ctx_malformed.pcap 438 Bytes keith, 09/29/2021 07:47 PM
xid-l3_par.pcapng xid-l3_par.pcapng 92.6 KB keith, 03/22/2022 08:30 PM
Actions #1

Updated by keith over 2 years ago

  • Description updated (diff)
Actions #2

Updated by pespin about 2 years ago

  • Assignee set to keith

Hi keith ,

this maybe related to the fact that SGSN was sending wrongly formatted Qos Profile IE when translating the IE received from MS towards GGSN in GTP Create PDP Context Request. See osmo-sgsn.git 938ebfb129eaa6daec5ac2c1b8c59d2c756d1873.

Please, if possible test again with that patch applied, and provide pcap file if this issue is still not solved.

PS: Please add me as watcher next time you have an issue with GTP, I was not aware of this ticket.

Actions #3

Updated by keith about 2 years ago

  • Due date set to 03/18/2022
  • % Done changed from 0 to 50

Thanks pespin I'll test again next time I have access to that phone, which will not be for about 10 days or so.

Actions #4

Updated by keith about 2 years ago

Hi Pespin, I tested with this alcaltel phone and I see the PDP Context Accept now, and wireshark decodes it fine.

The length of the QoS IE in the request is 11 and in the response it is 14.

After the phone gets the PDP context it doesn't seem to want to do anything else, there's no more data on BSSGP. The "browser" on the device keeps apparently loading, but there's nothing received over the air, nothing in the PCU log, the TBF detaches normally and nothing more.

It's not something I care to loose a lot of sleep over :) Maybe this cheapo phone GPRS "browser" doesn't even work.

Actions #5

Updated by keith about 2 years ago

For what it's worth. I do notice that after the Context Accept, We send XID Params N201-U and N201-I and this phone comes back with those two plus the L3_PAR.
That jogged my memory - see #3426

I wonder if it's waiting for that XID to be echoed.

Actions #6

Updated by pespin about 2 years ago

  • Status changed from New to Feedback

keith please provide a new pcap file.
lynxis I think knows more about the XID stuff.

Actions #8

Updated by pespin about 2 years ago

  • Assignee changed from keith to lynxis

keith wrote in #note-5:

For what it's worth. I do notice that after the Context Accept, We send XID Params N201-U and N201-I and this phone comes back with those two plus the L3_PAR.
That jogged my memory - see #3426

I wonder if it's waiting for that XID to be echoed.

I see we send the DL XID in frame 318 and we get the answer in frame 342, that's more than 4 seconds afterwards, it looks like a lot. Specially since immediately after that the MS seems to try to request a new PDP context so it doesn't seem like he expects more from the network?

I don't know how that XID part works tbh, maybe in frame 409 it expects to receive an answer from us?
Assigning to lynxis he may have some idea.

Actions

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)