https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15838
Pascal Quantin <pas...@wireshark.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pas...@wireshark.org
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |NOTOURBUG
--- Comment #1 from Pascal Quantin <pas...@wireshark.org> ---
Hi Kris,
Wireshark is using v15.3.0 ASN.1 description.
The Security Context IE is defined as:
SecurityContext ::= SEQUENCE {
    nextHopChainingCount    NextHopChainingCount,
    nextHopNH               SecurityKey,
    iE-Extensions           ProtocolExtensionContainer { {SecurityContext-ExtIEs} } OPTIONAL,
    ...
}

SecurityContext-ExtIEs NGAP-PROTOCOL-EXTENSION ::= {
    ...
}
In the bit stream you provided, the optional iE-Extensions bit is set to 1,
pretending that the ie-Extensions field is present:
SecurityContext
    0... .... Extension Bit: False
    .1.. .... Optional Field Bit: True (iE-Extensions is present)
    Min: 0
    Range: 8
    Bitfield length: 3
    Bits: ..11 1... decimal value: 7
    nextHopChainingCount: 7
    nextHopNH: 26a9baa87f1c4f3009551a8684cd7601778454452f813782… [bit length 256]
But the 33 bytes of the SecurityContext IE are already consumed by the
nextHopChainingCount and nextHopNH fields: there is no payload left for an open
type extension afterwards.
If I manually fix this bit so that the payload is
000d0080ed00000c000a00020001001d000140000f40020800006e000c105d21dba0004002540be40000770009000028001100020000005d00213826a9baa87f1c4f3009551a8684cd7601778454452f813382301768525517e94100290001000025000a000821851d0a01f800000049004300000501803d0000040082000a0c05c81a403002cd29c0008b000a01f0e30101c8000000020086000100008800150105428000001f0250be014000000000000000002800004002000000650028276004000390000040000000000000000005000000000000000000000162f2100011223300000130001c000700139184dc118a,
I get the following decoding:
NG Application Protocol
  NGAP-PDU: initiatingMessage (0)
    initiatingMessage
      procedureCode: id-HandoverResourceAllocation (13)
      criticality: reject (0)
      value
        HandoverRequest
          protocolIEs: 12 items
            Item 0: id-AMF-UE-NGAP-ID
              ProtocolIE-Field
                id: id-AMF-UE-NGAP-ID (10)
                criticality: reject (0)
                value
                  AMF-UE-NGAP-ID: 1
            Item 1: id-HandoverType
              ProtocolIE-Field
                id: id-HandoverType (29)
                criticality: reject (0)
                value
                  HandoverType: eps-to-5gs (2)
            Item 2: id-Cause
              ProtocolIE-Field
                id: id-Cause (15)
                criticality: ignore (1)
                value
                  Cause: radioNetwork (0)
                    radioNetwork: ng-inter-system-handover-triggered (32)
            Item 3: id-UEAggregateMaximumBitRate
              ProtocolIE-Field
                id: id-UEAggregateMaximumBitRate (110)
                criticality: reject (0)
                value
                  UEAggregateMaximumBitRate
                    uEAggregateMaximumBitRateDL: 400000000000bits/s
                    uEAggregateMaximumBitRateUL: 10000000000bits/s
            Item 4: id-UESecurityCapabilities
              ProtocolIE-Field
                id: id-UESecurityCapabilities (119)
                criticality: reject (0)
                value
                  UESecurityCapabilities
                    nRencryptionAlgorithms: 0001 [bit length 16, 0000 0000 0000 0001 decimal value 1]
                      0... .... .... .... = 128-NEA1: Not supported
                      .0.. .... .... .... = 128-NEA2: Not supported
                      ..0. .... .... .... = 128-NEA3: Not supported
                      ...0 0000 0000 0001 = Reserved: 0x0001
                    nRintegrityProtectionAlgorithms: 8001 [bit length 16, 1000 0000 0000 0001 decimal value 32769]
                      1... .... .... .... = 128-NIA1: Supported
                      .0.. .... .... .... = 128-NIA2: Not supported
                      ..0. .... .... .... = 128-NIA3: Not supported
                      ...0 0000 0000 0001 = Reserved: 0x0001
                    eUTRAencryptionAlgorithms: 2000 [bit length 16, 0010 0000 0000 0000 decimal value 8192]
                      0... .... .... .... = 128-EEA1: Not supported
                      .0.. .... .... .... = 128-EEA2: Not supported
                      ..1. .... .... .... = 128-EEA3: Supported
                      ...0 0000 0000 0000 = Reserved: 0x0000
                    eUTRAintegrityProtectionAlgorithms: 8000 [bit length 16, 1000 0000 0000 0000 decimal value 32768]
                      1... .... .... .... = 128-EIA1: Supported
                      .0.. .... .... .... = 128-EIA2: Not supported
                      ..0. .... .... .... = 128-EIA3: Not supported
                      ...0 0000 0000 0000 = Reserved: 0x0000
            Item 5: id-SecurityContext
              ProtocolIE-Field
                id: id-SecurityContext (93)
                criticality: reject (0)
                value
                  SecurityContext
                    nextHopChainingCount: 7
                    nextHopNH: 26a9baa87f1c4f3009551a8684cd7601778454452f813382… [bit length 256]
            Item 6: id-NewSecurityContextInd
              ProtocolIE-Field
                id: id-NewSecurityContextInd (41)
                criticality: reject (0)
                value
                  NewSecurityContextInd: true (0)
            Item 7: id-NASC
              ProtocolIE-Field
                id: id-NASC (37)
                criticality: reject (0)
                value
                  NAS-PDU: <MISSING>
            Item 8: id-PDUSessionResourceSetupListHOReq
              ProtocolIE-Field
                id: id-PDUSessionResourceSetupListHOReq (73)
                criticality: reject (0)
                value
                  PDUSessionResourceSetupListHOReq: 1 item
                    Item 0
                      PDUSessionResourceSetupItemHOReq
                        pDUSessionID: 5
                        s-NSSAI
                          sST: 0c
                        handoverRequestTransfer: 0000040082000a0c05c81a403002cd29c0008b000a01f0e3…
                          PDUSessionResourceSetupRequestTransfer
                            protocolIEs: 4 items
                              Item 0: id-PDUSessionAggregateMaximumBitRate
                                ProtocolIE-Field
                                  id: id-PDUSessionAggregateMaximumBitRate (130)
                                  criticality: reject (0)
                                  value
                                    PDUSessionAggregateMaximumBitRate
                                      pDUSessionAggregateMaximumBitRateDL: 97000000bits/s
                                      pDUSessionAggregateMaximumBitRateUL: 47000000bits/s
                              Item 1: id-UL-NGU-UP-TNLInformation
                                ProtocolIE-Field
                                  id: id-UL-NGU-UP-TNLInformation (139)
                                  criticality: reject (0)
                                  value
                                    UPTransportLayerInformation: gTPTunnel (0)
                                      gTPTunnel
                                        transportLayerAddress: e30101c8 [bit length 32, 1110 0011 0000 0001 0000 0001 1100 1000 decimal value 3808494024]
                                          TransportLayerAddress (IPv4): 227.1.1.200
                                        gTP-TEID: 00000002
                              Item 2: id-PDUSessionType
                                ProtocolIE-Field
                                  id: id-PDUSessionType (134)
                                  criticality: reject (0)
                                  value
                                    PDUSessionType: ipv4 (0)
                              Item 3: id-QosFlowSetupRequestList
                                ProtocolIE-Field
                                  id: id-QosFlowSetupRequestList (136)
                                  criticality: reject (0)
                                  value
                                    QosFlowSetupRequestList: 1 item
                                      Item 0
                                        QosFlowSetupRequestItem
                                          qosFlowIdentifier: 5
                                          qosFlowLevelQosParameters
                                            qosCharacteristics: dynamic5QI (1)
                                              dynamic5QI
                                                priorityLevelQos: 1
                                                packetDelayBudget: 15.5ms (31)
                                                packetErrorRate
                                                  pERScalar: 1
                                                  pERExponent: 5
                                                fiveQI: 190
                                            allocationAndRetentionPriority
                                              priorityLevelARP: 1
                                              pre-emptionCapability: may-trigger-pre-emption (1)
                                              pre-emptionVulnerability: pre-emptable (1)
                                            gBR-QosInformation
                                              maximumFlowBitRateDL: 0bits/s
                                              maximumFlowBitRateUL: 0bits/s
                                              guaranteedFlowBitRateDL: 0bits/s
                                              guaranteedFlowBitRateUL: 0bits/s
                                          e-RAB-ID: 5
            Item 9: id-AllowedNSSAI
              ProtocolIE-Field
                id: id-AllowedNSSAI (0)
                criticality: ignore (1)
                value
                  AllowedNSSAI: 1 item
                    Item 0
                      AllowedNSSAI-Item
                        s-NSSAI
                          sST: 00
            Item 10: id-SourceToTarget-TransparentContainer
              ProtocolIE-Field
                id: id-SourceToTarget-TransparentContainer (101)
                criticality: reject (0)
                value
                  SourceToTarget-TransparentContainer: 600400039000004000000000000000000500000000000000…
                    SourceNGRANNode-ToTargetNGRANNode-TransparentContainer
                      rRCContainer: 00039000
                      pDUSessionResourceInformationList: 1 item
                        Item 0
                          PDUSessionResourceInformationItem
                            pDUSessionID: 0
                            qosFlowInformationList: 1 item
                              Item 0
                                QosFlowInformationItem
                                  qosFlowIdentifier: 0
                            dRBsToQosFlowsMappingList: 1 item
                              Item 0
                                DRBsToQosFlowsMappingItem
                                  dRB-ID: 1
                                  associatedQosFlowList: 1 item
                                    Item 0
                                      AssociatedQosFlowItem
                                        qosFlowIdentifier: 0
                      e-RABInformationList: 1 item
                        Item 0
                          E-RABInformationItem
                            e-RAB-ID: 5
                      targetCell-ID: nR-CGI (0)
                        nR-CGI
                          pLMNIdentity: 000000
                            Mobile Country Code (MCC): Unknown (0)
                            Mobile Network Code (MNC): Unknown (000)
                          nRCellIdentity: 0x0000000000
                      uEHistoryInformation: 1 item
                        Item 0
                          LastVisitedCellItem
                            lastVisitedCellInformation: nGRANCell (0)
                              nGRANCell
                                globalCellID: nR-CGI (0)
                                  nR-CGI
                                    pLMNIdentity: 62f210
                                      Mobile Country Code (MCC): Germany (262)
                                      Mobile Network Code (MNC): Telekom Deutschland GmbH (01)
                                    nRCellIdentity: 0x0001122330
                                cellType
                                  cellSize: verysmall (0)
                                timeUEStayedInCell: 304s
            Item 11: id-GUAMI
              ProtocolIE-Field
                id: id-GUAMI (28)
                criticality: reject (0)
                value
                  GUAMI
                    pLMNIdentity: 139184
                      Mobile Country Code (MCC): United States (311)
                      Mobile Network Code (MNC): Unknown (948)
                    aMFRegionID: dc [bit length 8, 1101 1100 decimal value 220]
                    aMFSetID: 1180 [bit length 10, 6 LSB pad bits, 0001 0001 10.. .... decimal value 70]
                    aMFPointer: 28 [bit length 6, 2 LSB pad bits, 0010 10.. decimal value 10]
So my initial analysis is that the PDU is not properly encoded and that the
optional iE-Extensions presence bit is wrongly set to 1.
Best regards,
Pascal.
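
The length check behind this analysis, as an added example that is not part of the original comment or of Wireshark's dissector: it decodes the first octet of the SecurityContext IE value as aligned PER and flags a presence bit that the 33-octet length cannot honour. The function and constant names are hypothetical; the 0x78 first octet is rebuilt from the bit fields in the first decoding (pad bits assumed zero), and the key octets are reused from the corrected payload for both inputs.

```python
# Added example: consistency check for the aligned-PER SecurityContext IE value.
# Layout per the ASN.1 and decoding quoted above: 1 extension bit, 1 presence
# bit for iE-Extensions, 3 bits nextHopChainingCount (range 8), pad to the
# octet boundary, then the 256-bit nextHopNH. That is 33 octets in total.

KEY_OCTETS = 32  # nextHopNH bit length 256

# Key octets copied from the corrected payload in the comment.
KEY = bytes.fromhex(
    "26a9baa87f1c4f3009551a8684cd7601"
    "778454452f813382301768525517e941"
)
# Constructed first octets: 0x78 = 0,1,111,000 (presence bit set, pad bits
# assumed zero); 0x38 = 0,0,111,000 as in the corrected payload.
AS_REPORTED = bytes([0x78]) + KEY
CORRECTED = bytes([0x38]) + KEY


def check_security_context(value: bytes) -> dict:
    """Decode the fixed fields and list contradictions with the IE length."""
    if len(value) < 1 + KEY_OCTETS:
        raise ValueError("value shorter than preamble octet plus 256-bit key")
    first = value[0]
    ext_bit = bool(first & 0x80)          # '...' extension marker
    ext_ies_present = bool(first & 0x40)  # OPTIONAL iE-Extensions bitmap
    remaining = len(value) - (1 + KEY_OCTETS)
    problems = []
    if ext_ies_present and remaining == 0:
        problems.append("iE-Extensions presence bit set, no octets left for it")
    if remaining and not (ext_ies_present or ext_bit):
        problems.append("trailing octets not announced by the preamble")
    return {
        "extension_bit": ext_bit,
        "ie_extensions_present": ext_ies_present,
        "nextHopChainingCount": (first >> 3) & 0x07,
        "nextHopNH": value[1:1 + KEY_OCTETS],
        "remaining_octets": remaining,
        "problems": problems,
    }


if __name__ == "__main__":
    for name, value in (("as reported", AS_REPORTED), ("corrected", CORRECTED)):
        print(name, check_security_context(value)["problems"])
```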