Bug #5250
osmo-pcu: CSN.1 decoder failure parsing specific RAcap
Status: closed, 100% done
Description
Seen on an osmo-pcu connected to a third party SGSN+gb-proxy.
Issue reproduced here:
https://gerrit.osmocom.org/c/osmo-pcu/+/25706 WIP: CSN1 RAcap decoding failure
Fix still needs to be worked on.
Updated by pespin over 2 years ago
The failing RAcap is actually added here:
https://gerrit.osmocom.org/c/osmo-pcu/+/25716
Updated by pespin over 2 years ago
pycrate decoding:
$ python
Python 3.9.7 (default, Aug 31 2021, 13:28:12) [GCC 11.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pycrate_csn1dir.ms_ra_capability_value_part import *
>>> data = bytes.fromhex('17b3432b25966200019a42c6620001ba48c662000100')
>>> ms_ra_capability_value_part.from_bytes(data)
>>> print(ms_ra_capability_value_part.show())
<ms_ra_capability_value_part (CSN1List): [
  <(CSN1Ref): <ms_ra_capability_value_part_struct (CSN1List): [
    <(CSN1Alt): { 0001 (access_technology_type) : [
      <access_capabilities (CSN1Ref): <access_capabilities_struct (CSN1List): [
        <length (CSN1Bit): 61>
        <(CSN1List): [
          <access_capabilities (CSN1Ref): <content (CSN1List): [
            <rf_power_capability (CSN1Bit): 4>
            <(CSN1Alt): { 1 : [
              <a5_bits (CSN1Ref): <a5_bits (CSN1List): [
                <a5_1 (CSN1Bit): 1>
                <a5_2 (CSN1Bit): 0>
                <a5_3 (CSN1Bit): 1>
                <a5_4 (CSN1Bit): 0>
                <a5_5 (CSN1Bit): 0>
                <a5_6 (CSN1Bit): 0>
                <a5_7 (CSN1Bit): 0>]>>]}>
            <es_ind (CSN1Bit): 1>
            <ps (CSN1Bit): 1>
            <vgcs (CSN1Bit): 0>
            <vbs (CSN1Bit): 0>
            <(CSN1Alt): { 1 : [
              <multislot_capability (CSN1Ref): <multislot_capability_struct (CSN1List): [
                <(CSN1Alt): { 0 : []}>
                <(CSN1Alt): { 1 : [
                  <gprs_multislot_class (CSN1Bit): 12>
                  <gprs_extended_dynamic_allocation_capability (CSN1Bit): 1>]}>
                <(CSN1Alt): { 0 : []}>
                <(CSN1Alt): { 0 : []}>
                <(CSN1Alt): { 1 : [
                  <egprs_multislot_class (CSN1Bit): 12>
                  <egprs_extended_dynamic_allocation_capability (CSN1Bit): 1>]}>
                <(CSN1Alt): { 0 : []}>]>>]}>
            <(CSN1Alt): { 1 : [
              <_8psk_power_capability (CSN1Bit): 2>]}>
            <compact_interference_measurement_capability (CSN1Bit): 0>
            <revision_level_indicator (CSN1Bit): 1>
            <umts_fdd_radio_access_technology_capability (CSN1Bit): 1>
            <umts_3_84_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
            <cdma_2000_radio_access_technology_capability (CSN1Bit): 0>
            <umts_1_28_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
            <geran_feature_package_1 (CSN1Bit): 1>
            <(CSN1Alt): { 0 : []}>
            <modulation_based_multislot_class_support (CSN1Bit): 0>
            <(CSN1Alt): { 0 : []}>
            <(CSN1Val): 0>
            <gmsk_multislot_power_profile (CSN1Bit): 0>
            <_8_psk_multislot_power_profile (CSN1Bit): 0>
            <multiple_tbf_capability (CSN1Bit): 0>
            <downlink_advanced_receiver_performance (CSN1Bit): 0>
            <extended_rlc_mac_control_message_segmentation_capability (CSN1Bit): 0>
            <dtm_enhancements_capability (CSN1Bit): 0>
            <(CSN1Alt): { 0 : []}>
            <ps_handover_capability (CSN1Bit): 0>
            <dtm_handover_capability (CSN1Bit): 0>]>>
          <(CSN1Ref): []>]>]>>]}>
    <(CSN1Alt): { 1 : [
      <(CSN1SelfRef): <ms_ra_capability_value_part_struct (CSN1List): [
        <(CSN1Alt): { 0011 (access_technology_type) : [
          <access_capabilities (CSN1Ref): <access_capabilities_struct (CSN1List): [
            <length (CSN1Bit): 36>
            <(CSN1List): [
              <access_capabilities (CSN1Ref): <content (CSN1List): [
                <rf_power_capability (CSN1Bit): 1>
                <(CSN1Alt): { 0 : []}>
                <es_ind (CSN1Bit): 1>
                <ps (CSN1Bit): 1>
                <vgcs (CSN1Bit): 0>
                <vbs (CSN1Bit): 0>
                <(CSN1Alt): { 0 : []}>
                <(CSN1Alt): { 1 : [
                  <_8psk_power_capability (CSN1Bit): 2>]}>
                <compact_interference_measurement_capability (CSN1Bit): 0>
                <revision_level_indicator (CSN1Bit): 1>
                <umts_fdd_radio_access_technology_capability (CSN1Bit): 1>
                <umts_3_84_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
                <cdma_2000_radio_access_technology_capability (CSN1Bit): 0>
                <umts_1_28_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
                <geran_feature_package_1 (CSN1Bit): 1>
                <(CSN1Alt): { 0 : []}>
                <modulation_based_multislot_class_support (CSN1Bit): 0>
                <(CSN1Alt): { 0 : []}>
                <(CSN1Val): 0>
                <gmsk_multislot_power_profile (CSN1Bit): 0>
                <_8_psk_multislot_power_profile (CSN1Bit): 0>
                <multiple_tbf_capability (CSN1Bit): 0>
                <downlink_advanced_receiver_performance (CSN1Bit): 0>
                <extended_rlc_mac_control_message_segmentation_capability (CSN1Bit): 0>
                <dtm_enhancements_capability (CSN1Bit): 0>
                <(CSN1Alt): { 0 : []}>
                <ps_handover_capability (CSN1Bit): 0>
                <dtm_handover_capability (CSN1Bit): 0>]>>
              <(CSN1Ref): []>]>]>>]}>
        <(CSN1Alt): { 1 : [
          <(CSN1SelfRef): <ms_ra_capability_value_part_struct (CSN1List): [
            <(CSN1Alt): { 0111 (access_technology_type) : [
              <access_capabilities (CSN1Ref): <access_capabilities_struct (CSN1List): [
                <length (CSN1Bit): 36>
                <(CSN1List): [
                  <access_capabilities (CSN1Ref): <content (CSN1List): [
                    <rf_power_capability (CSN1Bit): 4>
                    <(CSN1Alt): { 0 : []}>
                    <es_ind (CSN1Bit): 1>
                    <ps (CSN1Bit): 1>
                    <vgcs (CSN1Bit): 0>
                    <vbs (CSN1Bit): 0>
                    <(CSN1Alt): { 0 : []}>
                    <(CSN1Alt): { 1 : [
                      <_8psk_power_capability (CSN1Bit): 2>]}>
                    <compact_interference_measurement_capability (CSN1Bit): 0>
                    <revision_level_indicator (CSN1Bit): 1>
                    <umts_fdd_radio_access_technology_capability (CSN1Bit): 1>
                    <umts_3_84_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
                    <cdma_2000_radio_access_technology_capability (CSN1Bit): 0>
                    <umts_1_28_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
                    <geran_feature_package_1 (CSN1Bit): 1>
                    <(CSN1Alt): { 0 : []}>
                    <modulation_based_multislot_class_support (CSN1Bit): 0>
                    <(CSN1Alt): { 0 : []}>
                    <(CSN1Val): 0>
                    <gmsk_multislot_power_profile (CSN1Bit): 0>
                    <_8_psk_multislot_power_profile (CSN1Bit): 0>
                    <multiple_tbf_capability (CSN1Bit): 0>
                    <downlink_advanced_receiver_performance (CSN1Bit): 0>
                    <extended_rlc_mac_control_message_segmentation_capability (CSN1Bit): 0>
                    <dtm_enhancements_capability (CSN1Bit): 0>
                    <(CSN1Alt): { 0 : []}>
                    <ps_handover_capability (CSN1Bit): 0>
                    <dtm_handover_capability (CSN1Bit): 0>]>>
                  <(CSN1Ref): []>]>]>>]}>
            <(CSN1Alt): { 0 : []}>]>>]}>]>>]}>]>>
  <(CSN1Ref): [<spare_bits (CSN1Bit): [0, 0, 0, 0, 0, 0, 0]>]>]>
Updated by pespin over 2 years ago
I fixed a CSN1 definition which was wrong in a related place, but it's not really the one causing the CSN1 decoding issue:
https://gerrit.osmocom.org/c/osmo-pcu/+/25718 rlcmac: Fix CSN1 definition for DownlinkDualCarrierCapability_r7_t in MS RA cap
I think the issue comes from the fact that our CSN1 decoder keeps decoding "MS RA capability 1" even after going through "Length in bits: 0x3d (61)", hence taking the bit "1" as part of "MS RA capability 1" when in reality it's from next one? Not sure really. This needs to be counted manually I guess.
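As an added illustration of the Length-bounded framing that the comment above is reasoning about (example code written here, not osmo-pcu's or pycrate's decoder; the field layout follows the pycrate dump earlier in the ticket, and only the first two content fields are decoded before skipping to the end of the Length region):

```python
# Added example (not osmo-pcu or pycrate code): decode the outer framing of
# the MS RA capability value part for the RAcap quoted in this ticket.
# Point demonstrated: <Access capabilities> content is bounded by its 7-bit
# Length field, so the bit that follows it is the continuation flag of the
# *next* entry and must never be consumed as part of the current content.
RACAP_HEX = "17b3432b25966200019a42c6620001ba48c662000100"  # from the ticket


class BitReader:
    """MSB-first bit cursor over a byte string (constructed helper)."""

    def __init__(self, data):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def remaining(self):
        return len(self.bits) - self.pos

    def read(self, n):
        if n > self.remaining():
            raise ValueError("need more bits to unpack")
        val = int(self.bits[self.pos:self.pos + n], 2) if n else 0
        self.pos += n
        return val


def decode_content(r, length):
    """Decode the leading fields of <Content>, then jump to the end of the
    Length-bounded region; fields this partial decoder does not understand
    (multislot, 8PSK, ...) are skipped instead of being overrun."""
    end = r.pos + length
    fields = {"rf_power_capability": r.read(3)}
    if r.read(1):  # { 0 | 1 <A5 bits : bit (7)> }
        fields["a5_bits"] = [r.read(1) for _ in range(7)]
    if r.pos > end:
        raise ValueError("content decoder overran its Length field")
    r.pos = end
    return fields


def decode_ms_ra_capability_value_part(data):
    r = BitReader(data)
    entries = []
    while True:
        entry = {"access_technology_type": r.read(4)}
        entry["length"] = r.read(7)
        entry.update(decode_content(r, entry["length"]))
        entries.append(entry)
        if not r.read(1):  # { 0 | 1 <MS RA capability value part struct> }
            break
    return entries, [r.read(1) for _ in range(r.remaining())]  # + spare bits
```

Running it on the ticket's bytes yields three entries (access technology types 1, 3, 7 with lengths 61, 36, 36) followed by seven spare zero bits, matching the pycrate dump above.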
Updated by pespin over 2 years ago
- Related to Bug #4955: CSN1 Error observed: NEED_MORE BITS TO UNPACK (-5) at DL_DualCarrierForDTM added
Updated by keith over 2 years ago
This CSN decoder is some strange stuff to get one's head around....
With the attached pcap, maybe it helps to take a look at these filters:
gsm_rlcmac.ms_ra_capability_value_choice ==7 || (!gsmtap_log.string == "Choice MS_RA_capability_value_Choice = 7 | " && gsmtap_log.string contains "Choice MS_RA_capability")
or indeed:
gsm_rlcmac.ms_ra_capability_value_choice !=7 || (!gsmtap_log.string == "Choice MS_RA_capability_value_Choice = 7 | " && gsmtap_log.string contains "Choice MS_RA_capability")
There are no RA CAP packets that wireshark decodes with anything other than ms_ra_capability_value_choice 7, yet we log several of them.
Similar:
gsmtap_log.string == "Exist_EGPRS_multislot_class = 0 | " || gsm_rlcmac.ul.egprs_multislot_class_exist == 0
Again, all packets are decoded with gsm_rlcmac.ul.egprs_multislot_class_exist 1, yet we have two log messages of Exist_EGPRS_multislot_class = 0.
I think these two log messages also apply to the only two packets that match:
gsmtap_log.string == "u.Content length = 53 | "
Updated by pespin over 2 years ago
Attaching pcap file containing only 1 packet, the one containing the problematic RAcap.
Updated by pespin over 2 years ago
I submitted a patch for wireshark porting one of the fixes I did so far (doesn't solve the issue at hand on its own):
https://gitlab.com/wireshark/wireshark/-/merge_requests/4706
Updated by pespin over 2 years ago
Should be fixed by following commits:
https://gerrit.osmocom.org/c/osmo-pcu/+/25716 csn1: Add unit test showing RadioAccess Capability decoding failure
https://gerrit.osmocom.org/c/osmo-pcu/+/25830 csn1: Avoid failing if optional DownlinkDualCarrierCapability_r7 is missing
https://gerrit.osmocom.org/c/osmo-pcu/+/25831 csn1: Avoid storing existance bit as true if content was actually NULL
Once merged, we should port those to wireshark.
Updated by keith over 2 years ago
With these patches I am no longer seeing the CSN1 errors on a site where they were prominent
Updated by pespin over 2 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 90
I submitted a port for those patches in wireshark's gitlab:
https://gitlab.com/wireshark/wireshark/-/merge_requests/4736
Updated by pespin over 2 years ago
- Status changed from Feedback to Resolved
- % Done changed from 90 to 100
wireshark PR merged. Done here, closing ticket.