Regenerate the S1AP and NGAP ASN.1 sources from the R19 specifications
using the updated asn1c generator.
The newer generator represents several constructed ASN.1 values as
pointers, including CHOICE alternatives, protocolIEs containers, and
SEQUENCE OF/SET OF list wrappers. Update MME, AMF, and related tests to
allocate these members explicitly, assign pointer-backed alternatives,
and access ASN.1 lists through OGS_ASN_LIST_COUNT() and
OGS_ASN_LIST_GET().
Add helper routines for descriptor-based allocation of constructed ASN.1
values and protocolIEs containers, so protocol code no longer depends on
the old embedded-structure layout.
- Update OpenAPI models to Release-19 specifications
- Refactor SBI handling to use OpenAPI_service_name_e
- Replace service type based logic with service name based handling
- Introduce service_name_array for per-service NF instance caching
- Add support for special/internal service names (e.g. namf-callback)
- Update NRF discovery handling across all NFs
- Validate SearchResult fields before processing
- Remove legacy service-type dependencies
This change aligns the SBI implementation with Release-19
specifications and simplifies service name based routing.
The AK value is 6 bytes long, but it was logged using OGS_KEY_LEN (16 bytes),
which causes the hexdump to read beyond the end of the buffer. Replace
OGS_KEY_LEN with OGS_AK_LEN to ensure correct logging and avoid potential
out-of-bounds reads.
This issue is similar to the fix applied in hss-cx-path.c for CVE-2025-15555.
Issues: #4177, #4389
AMF crashes when receiving crafted NGAP messages with an oversized
AMF-UE-NGAP-ID (e.g., 0xc0ffffffff). The value exceeds the 3GPP spec
maximum (2^40-1) and causes ngap_send_error_indication() to fail,
triggering ogs_assert().
Added MAX_AMF_UE_NGAP_ID (0xffffffffffULL) range check after
asn_INTEGER2uint64() in all NGAP handlers.
Issues: #4371, #4375, #4376, #4377, #4378, #4379
This patch improves robustness of several GTPv1/v2 parsing paths by
adding explicit length validation and replacing assert-based checks
on network-controlled data with graceful error handling.
Changes include:
- GTPv1 MM Context parser:
  Add bounds checks for xres_len, autn_len and num_vectors to prevent
  stack overflows when decoding authentication quintuplets.
- SMF Gn handler:
  Validate IMEI(SV) IE length before memcpy to prevent heap overflow
  in smf_ue->imeisv.
- SMF Gn handler:
  Validate Common Flags IE length before dereferencing to avoid
  out-of-bounds reads when malformed IE is received.
- GTPv1 ULI parser:
  Replace ogs_assert-based length checks with proper validation and
  error return to prevent abort() on truncated User Location
  Information IE.
- SMF fd-path:
  Replace assertions on ULI payload presence with runtime checks
  to avoid process termination on malformed input.
These changes ensure malformed or truncated network messages are
handled gracefully instead of triggering process aborts.
When mme_ue_set_imsi() updates an existing UE IMSI, the previous
code overwrote mme_ue->imsi before removing the old hash entry.
As a result, the old IMSI key could remain in imsi_ue_hash and keep
pointing to the same mme_ue object. After the UE context was removed,
a later lookup by the stale IMSI key could return an invalid context
and trigger a fatal path during re-attach handling.
Remove the old IMSI hash entry before updating mme_ue->imsi, then
register the new IMSI after the update.
Issues: #4357
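
The ordering problem in the mme_ue_set_imsi() message above, as an added example that is not Open5GS code: a small array-backed index stands in for imsi_ue_hash, and every `ex_` name and both IMSI strings are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define EX_SLOTS 8
#define EX_IMSI_LEN 16          /* 15 digits + NUL */

typedef struct { char imsi[EX_IMSI_LEN]; } ex_ue_t;
typedef struct { char key[EX_IMSI_LEN]; ex_ue_t *ue; } ex_slot_t;
typedef struct { ex_slot_t slot[EX_SLOTS]; } ex_index_t;

/* Map key -> ue. Passing ue == NULL removes the key if it is present. */
static void ex_index_set(ex_index_t *ix, const char *key, ex_ue_t *ue)
{
    ex_slot_t *free_slot = NULL;
    for (int i = 0; i < EX_SLOTS; i++) {
        ex_slot_t *s = &ix->slot[i];
        if (s->ue && strcmp(s->key, key) == 0) {
            s->ue = ue;
            return;
        }
        if (!s->ue && !free_slot)
            free_slot = s;
    }
    if (ue && free_slot) {
        snprintf(free_slot->key, sizeof(free_slot->key), "%s", key);
        free_slot->ue = ue;
    }
}

static ex_ue_t *ex_index_get(ex_index_t *ix, const char *key)
{
    for (int i = 0; i < EX_SLOTS; i++)
        if (ix->slot[i].ue && strcmp(ix->slot[i].key, key) == 0)
            return ix->slot[i].ue;
    return NULL;
}

/* Defective order: the field is overwritten first, so the removal that
 * follows is keyed on the NEW IMSI and the old entry is never deleted. */
static void ex_set_imsi_defective(ex_index_t *ix, ex_ue_t *ue, const char *imsi)
{
    int had_imsi = ue->imsi[0] != '\0';
    snprintf(ue->imsi, sizeof(ue->imsi), "%s", imsi);
    if (had_imsi)
        ex_index_set(ix, ue->imsi, NULL);
    ex_index_set(ix, ue->imsi, ue);
}

/* Corrected order: remove under the old key, update, then register. */
static void ex_set_imsi_corrected(ex_index_t *ix, ex_ue_t *ue, const char *imsi)
{
    if (ue->imsi[0] != '\0')
        ex_index_set(ix, ue->imsi, NULL);
    snprintf(ue->imsi, sizeof(ue->imsi), "%s", imsi);
    ex_index_set(ix, ue->imsi, ue);
}

/* Changes one UE's IMSI from ...001 to ...002 (constructed values) and
 * returns 1 if the old key still resolves to the UE afterwards. */
static int ex_stale_key_survives(int use_corrected)
{
    ex_index_t ix;
    ex_ue_t ue;
    void (*set)(ex_index_t *, ex_ue_t *, const char *) =
        use_corrected ? ex_set_imsi_corrected : ex_set_imsi_defective;
    memset(&ix, 0, sizeof(ix));
    memset(&ue, 0, sizeof(ue));
    set(&ix, &ue, "001010000000001");
    set(&ix, &ue, "001010000000002");
    return ex_index_get(&ix, "001010000000001") != NULL;
}

int main(void)
{
    printf("stale key, defective order: %d\n", ex_stale_key_survives(0));
    printf("stale key, corrected order: %d\n", ex_stale_key_survives(1));
    return 0;
}
```
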
This patch addresses a potential subscription_data pool exhaustion
issue observed during repeated NF re-registration with the NRF.
Two improvements are introduced:
1) Prevent duplicate NF status subscriptions
   Before sending a new NF status subscription request, the code now
   checks whether an equivalent subscription already exists in the
   local subscription_data list. If a matching subscription (based on
   req_nf_instance_id and subscr_cond) is found and it is not already
   marked with DELETE_SENT, the new subscription request is skipped.
   This prevents repeated subscription creation during re-registration
   loops.
2) Ensure local cleanup after DELETE response
   When handling HTTP DELETE responses for NF status subscriptions,
   the local subscription_data entry is now removed regardless of the
   response status. Previously, the entry was only removed on
   HTTP 204 (No Content), which could leave stale entries in the local
   list when the NRF returned other statuses (e.g., 404).
   Keeping stale entries could lead to unbounded growth of
   subscription_data and eventual pool exhaustion.
Additionally, successful DELETE operations are logged to improve
debugging visibility.
This change affects all NF state machines that handle subscription
DELETE responses (AMF, AUSF, BSF, NSSF, PCF, SCP, SEPP, SMF, UDM, UDR,
and AF test code).
Issues: #4207
mme_find_served_tai() incorrectly compares the PLMN-ID of TAC range
entries using list0->tai[j].plmn_id instead of list1->tai[j].plmn_id.
When TAC ranges are configured in mme.tai (e.g. tac: [1-11]), the range
entries are stored in list1. However, the lookup logic mistakenly reads
the PLMN from list0 while validating list1 entries, which can cause the
Served TAI match to fail even though the TAC is within the configured
range.
As a result, eNB S1 Setup may fail with:
    Cannot find Served TAI. Check 'mme.tai' configuration
This patch fixes the comparison to use list1->tai[j].plmn_id so that TAC
range entries are matched correctly.
Fixes TAC range configuration such as:
    tac: [1-11]
Issues: #4345
In smf_gx_cca_cb(), smf_gy_cca_cb(), and S6b CCA callbacks, the code
assumed that a Diameter session always exists when processing a CCA
message and enforced this invariant with:
    ogs_assert(new == 0);
However, if a malicious or misbehaving Diameter peer sends a
Credit-Control-Answer containing an unknown or mismatched Session-Id,
fd_msg_sess_get() returns new=1, indicating that the session does not
exist locally. The assertion then triggers ogs_abort(), terminating
the entire SMF process.
This allows a single malformed CCA message to cause a denial-of-service
by crashing the SMF and dropping all active UE sessions.
Replace the assertion with a runtime check. If the session does not
exist (new != 0), the message is logged and discarded via the existing
cleanup path instead of aborting the process.
Affected callbacks:
- smf_gx_cca_cb()
- smf_gy_cca_cb()
- smf_s6b_aaa_cb()
- smf_s6b_sta_cb()
This ensures that unexpected or malicious Diameter answers do not
terminate the SMF process and are handled gracefully.
Issues: #4343
When a UE sends TAU Request with active_flag=1 and a Bearer Context
Status that mismatches MME state, the BCS cleanup deletes all sessions
but the stored procedure remains InitialContextSetup. Building an
Initial Context Setup Request with zero E-RABs returns NULL, hitting
ogs_assert and killing the process — disconnecting all eNBs.
Guard in mme_send_tau_accept_and_check_release(): if no sessions remain
after BCS cleanup, downgrade to DownlinkNASTransport so TAU Accept is
delivered without requiring bearers.
The MME terminated with abort() when processing IDR or ULA messages
containing a malformed Served-Party-IP-Address (AVP 848) or
MIP-Home-Agent-Address (AVP 334).
In mme_s6a_subscription_data_from_avp(), the return value of
fd_msg_avp_value_interpret() was checked using ogs_assert(ret == 0).
However, this function may legitimately return an error if the Address
AVP contains an invalid encoding (e.g., invalid address family or
length mismatch). Since freeDiameter treats Address AVPs as raw
OctetString during decoding, malformed values can reach this code path.
As a result, receiving such an AVP caused ogs_assert() → ogs_abort() →
abort(), terminating the entire MME process.
Fix this by replacing the assertion with proper error handling.
If fd_msg_avp_value_interpret() fails, the malformed AVP is ignored
with a warning log and processing continues.
This prevents a malformed or malicious Diameter message from crashing
the MME while preserving normal operation for valid data.
Issues: #4334
Some UEs and fuzzing inputs may send a Registration Request with
registration_type.value set to 0. According to TS 24.501 Table 9.11.3.7.1,
unused registration-type encodings shall be interpreted by the network
as "initial registration". Without normalization, the invalid value may
propagate into subsequent logic and lead to unexpected behavior during
UE context transfer handling.
This patch normalizes registration_type.value == 0 to
OGS_NAS_5GS_REGISTRATION_TYPE_INITIAL early in
gmm_handle_registration_request() so that later procedures operate on
a valid registration type.
Additionally, improve robustness in
gmm_registration_request_from_old_amf() by ignoring placeholder
5G-GUTIs where AMF-ID and M-TMSI are zero. Some devices (and fuzzing
tools) send such values even though they do not represent a valid
previous AMF context. Treating them as actionable may incorrectly
trigger N14 UE Context Transfer attempts.
With this change, placeholder GUTIs are treated as non-actionable and
the AMF falls back to normal registration / identity procedures.
Issues: #4321
Previously, the MME aborted when receiving a Cancel-Location-Request
(CLR) with an unsupported Cancellation-Type. The default case logged
a fatal message and called ogs_assert_if_reached(), which terminated
the process.
However, Cancellation-Type values such as UPDATE_PROCEDURE_IWF (3)
and INITIAL_ATTACH_PROCEDURE (4) are defined in 3GPP TS 29.272 but are
not implemented in Open5GS. Since this field originates from external
Diameter input, the MME must not crash when encountering unsupported
values.
Replace ogs_fatal() and ogs_assert_if_reached() with ogs_error() so the
MME logs the issue and continues running instead of aborting.
This prevents a potential denial-of-service condition where a malformed
or unexpected CLR message could terminate the MME.
Issues: #4309
Two issues (#4277, #4278) reported crashes caused by malformed or
unexpected inputs.
In the TLV parser, several ogs_assert() checks could be triggered by
malformed TLV blocks, resulting in process termination. These checks
are replaced with proper error handling: the parser now logs the error,
limits hexdump size, frees allocated TLVs, and returns NULL instead of
aborting.
In the SMF S5-C Create Session Request handler, additional validation
is introduced for Bearer Context handling. The implementation now
rejects requests containing multiple Bearer Contexts, missing mandatory
fields (EBI or Bearer QoS), duplicate EBI values, or invalid TEID/IP
information. Several ogs_assert() calls that could be triggered by
malformed messages are also replaced with explicit error handling.
These changes prevent crashes caused by malformed TLV blocks or
unexpected Bearer Context structures and ensure the SMF rejects such
requests gracefully.
Issues: #4277, #4278
Several users reported intermittent AMF crashes when SM Context Update
procedures overlap with NG context release or a new Registration
procedure. In these situations the RAN-UE associated with a session may
change before the asynchronous SBI response arrives.
Typical trigger scenarios include:
* UEContextReleaseRequest followed by a new Registration Request
* PDU Session Update overlapping with UE deactivation or handover
* Registration Request arriving while a previous Service Request is
  still being processed
In these cases the AMF may send an Update SM Context request to the SMF
while the NG context is being released or replaced. When the asynchronous
SBI response arrives later, the AMF uses the session's current ran_ue
pointer. However, that pointer may already have been switched to a new
RAN-UE or cleared due to the release procedure.
As a result, the AMF may reference the wrong RAN-UE context or an
inconsistent state, eventually triggering an assertion such as:
    amf_nsmf_pdusession_handle_update_sm_context:
        Assertion `ran_ue->deactivation.group' failed
The root cause is that SBI client transactions do not preserve the
RAN-UE association at the time the request was sent. Because SBI
operations are asynchronous, the session context may change before the
response is processed.
This patch introduces a generic mechanism to attach user-defined context
to an SBI transaction:
- Add `user_data` and `user_data_free` to `ogs_sbi_xact_t`
- Allow NF-specific code to store per-transaction context
- Ensure the memory is released automatically when the transaction
  is removed
The AMF now stores a snapshot of the RAN-UE ID in the SBI transaction
when sending an Update SM Context request. When the SBI response is
processed, the AMF retrieves the RAN-UE using this snapshot instead of
the session's current ran_ue pointer. This guarantees that the response
is associated with the correct RAN context even if the session state has
changed in the meantime.
This approach avoids race conditions between asynchronous SBI responses
and NG context lifecycle events, preventing the AMF from accessing an
incorrect or partially released RAN-UE context.
Reported-by: multiple users on v2.7.6 environments
Issues: #4174, #4274
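
The per-transaction snapshot described in the message above, as an added example that is not Open5GS code: only the field names `user_data` and `user_data_free` come from the page, while the `ex_` types, the ID pool and the choice to treat a vanished RAN-UE as a stale response (return 0) are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EX_MAX_RAN_UE 4

typedef struct { uint32_t id; } ex_ran_ue_t;          /* id 0 = free slot */
typedef struct { ex_ran_ue_t *ran_ue; } ex_sess_t;
typedef struct {
    void *user_data;                    /* per-transaction context */
    void (*user_data_free)(void *);     /* run when the xact is removed */
} ex_xact_t;

static ex_ran_ue_t ex_pool[EX_MAX_RAN_UE];
static uint32_t ex_next_id;

static ex_ran_ue_t *ex_slot(uint32_t id)   /* id 0 finds a free slot */
{
    for (int i = 0; i < EX_MAX_RAN_UE; i++)
        if (ex_pool[i].id == id)
            return &ex_pool[i];
    return NULL;
}

static ex_ran_ue_t *ex_ran_ue_add(void)
{
    ex_ran_ue_t *r = ex_slot(0);
    if (r)
        r->id = ++ex_next_id;           /* ids are never reused */
    return r;
}

static void ex_xact_remove(ex_xact_t *x)
{
    if (x->user_data && x->user_data_free)
        x->user_data_free(x->user_data);
    x->user_data = NULL;
}

/* Request side: record which RAN-UE the request was sent for. */
static int ex_send_update(ex_xact_t *x, const ex_sess_t *sess)
{
    uint32_t *snap = malloc(sizeof(*snap));
    if (!snap)
        return -1;
    *snap = sess->ran_ue->id;
    x->user_data = snap;
    x->user_data_free = free;
    return 0;
}

/* Response side: resolve the snapshot; 0 means that RAN-UE is gone. */
static uint32_t ex_handle_response(ex_xact_t *x)
{
    uint32_t id = x->user_data ? *(uint32_t *)x->user_data : 0;
    ex_ran_ue_t *r = id ? ex_slot(id) : NULL;
    ex_xact_remove(x);
    return r ? r->id : 0;
}

/* Constructed race: the request goes out for RAN-UE 1; with release set,
 * RAN-UE 1 is freed and RAN-UE 2 takes the same slot before the response.
 * Returns the id the response handler would act on. */
static uint32_t ex_race(int release, int via_snapshot)
{
    ex_xact_t x = { NULL, NULL };
    ex_sess_t sess;
    uint32_t seen;
    memset(ex_pool, 0, sizeof(ex_pool));
    ex_next_id = 0;
    sess.ran_ue = ex_ran_ue_add();              /* id 1 */
    if (ex_send_update(&x, &sess) != 0)
        return 0;
    if (release) {
        sess.ran_ue->id = 0;                    /* NG context released */
        sess.ran_ue = ex_ran_ue_add();          /* new registration: id 2 */
    }
    seen = via_snapshot ? ex_handle_response(&x) : sess.ran_ue->id;
    ex_xact_remove(&x);                         /* no-op if already freed */
    return seen;
}

int main(void)
{
    printf("current pointer: %u, snapshot: %u\n",
           (unsigned)ex_race(1, 0), (unsigned)ex_race(1, 1));
    return 0;
}
```
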
Replace assertion-based checks on network-derived values with
validation and proper GTP error handling.
- Handle ogs_gtp1_gsn_addr_to_ip() and ogs_gtp1_eua_to_ip() failures
  without aborting SMF
- Fix incorrect log message for End User Address failure
- Handle PFCP outer_header_creation failure gracefully instead of assert
Prevents SMF crash triggered by malformed Gn CreatePDPContextRequest.
Issues: #4285
Replace fatal asserts in mme_s11_handle_create_session_response() with
validation and a unified failure path.
- Reject malformed/invalid IEs (Cause, TEID, PAA, AMBR, Bearer QoS)
  instead of aborting the MME process
- Fix Bearer QoS length handling: treat mismatch as invalid IE and fail
  gracefully
- Consolidate error handling via mme_s11_create_session_fail() and goto fail
This prevents remote crashes triggered by malformed GTPv2-C
CreateSessionResponse messages on S11.
Issues: #4284
The MME trusted the PDN Address Allocation (PAA) IE length from
CreateSessionResponse (S11) without proper bounds validation.
An attacker-controlled or malicious SGW could forge an oversized
PAA IE length (e.g., 200 bytes), causing the MME to copy the
payload into sess->paa using the attacker-supplied length.
This leads to memory corruption and a SIGSEGV crash (remote DoS).
This patch adds explicit length validation for the PAA IE:
- Rejects PAA lengths smaller than OGS_PAA_IPV4_LEN
- Rejects PAA lengths larger than OGS_PAA_IPV4V6_LEN
- Sets cause to OGS_GTP2_CAUSE_INVALID_LENGTH on malformed IE
As a result, malformed or oversized PAA IEs are safely rejected,
and the MME no longer crashes.
Issues: #4283
Validate the PDN Address Allocation (PAA) IE length in
sgwc_s5c_handle_create_session_response() before copying it
into sess->paa.
Previously, the code directly performed:
    memcpy(&sess->paa, rsp->pdn_address_allocation.data,
            rsp->pdn_address_allocation.len);
without validating the IE length. A malicious or malformed
CreateSessionResponse (S5-C) from a PGW with an oversized
PAA IE length could trigger a buffer overflow and crash
SGW-C (remote DoS).
This patch adds explicit length validation and rejects
responses with invalid PAA IE length, returning
OGS_GTP2_CAUSE_INVALID_LENGTH instead of proceeding.
Issue originally reported in #4282.
An initial fix was submitted in PR #4330 but was reverted
in #4331 due to issues. This commit provides a corrected
and validated implementation.
Fixes: #4282
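
The bounds check that both PAA messages above describe (S11 in the MME, S5-C in SGW-C), as an added example that is not Open5GS code. The `ex_` names, the numeric lengths and the cause enum are assumptions for the illustration, and the block goes one step beyond the page by also requiring the exact length for the PDN type carried in the first octet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the page names OGS_PAA_IPV4_LEN and OGS_PAA_IPV4V6_LEN
 * as the lower and upper bound but does not state their values. */
#define EX_PAA_IPV4_LEN     5   /* type + IPv4 */
#define EX_PAA_IPV6_LEN    18   /* type + prefix length + IPv6 */
#define EX_PAA_IPV4V6_LEN  22   /* type + prefix length + IPv6 + IPv4 */

enum ex_cause { EX_CAUSE_ACCEPTED, EX_CAUSE_INVALID_LENGTH, EX_CAUSE_INVALID_PDN_TYPE };

typedef struct {
    const uint8_t *data;    /* IE payload as received from the peer */
    uint16_t len;           /* IE length field, peer-controlled */
} ex_ie_t;

typedef struct {
    uint8_t paa[EX_PAA_IPV4V6_LEN];     /* fixed-size destination */
    uint8_t paa_len;
} ex_sess_t;

/* Exact PAA length for the PDN type in the low three bits, or -1. */
static int ex_paa_expected_len(uint8_t first_octet)
{
    switch (first_octet & 0x07) {
    case 1: return EX_PAA_IPV4_LEN;
    case 2: return EX_PAA_IPV6_LEN;
    case 3: return EX_PAA_IPV4V6_LEN;
    default: return -1;
    }
}

/* Hardened copy. The form the commits replace used the peer's length
 * directly: memcpy(&sess->paa, ie->data, ie->len); */
static enum ex_cause ex_store_paa(ex_sess_t *sess, const ex_ie_t *ie)
{
    int expected;

    /* Range check from the page: reject before touching the payload. */
    if (ie->data == NULL ||
        ie->len < EX_PAA_IPV4_LEN || ie->len > EX_PAA_IPV4V6_LEN)
        return EX_CAUSE_INVALID_LENGTH;

    /* Added strictness: the length must match the declared PDN type. */
    expected = ex_paa_expected_len(ie->data[0]);
    if (expected < 0)
        return EX_CAUSE_INVALID_PDN_TYPE;
    if (ie->len != expected)
        return EX_CAUSE_INVALID_LENGTH;

    memset(sess->paa, 0, sizeof(sess->paa));
    memcpy(sess->paa, ie->data, ie->len);
    sess->paa_len = (uint8_t)ie->len;
    return EX_CAUSE_ACCEPTED;
}

/* Constructed input: a 200-byte buffer stands in for the received payload
 * and claimed_len for the length field the peer put on the wire. */
static enum ex_cause ex_demo(uint8_t pdn_type, uint16_t claimed_len)
{
    static uint8_t wire[200];
    ex_sess_t sess;
    ex_ie_t ie = { wire, claimed_len };

    memset(wire, 0xAA, sizeof(wire));
    wire[0] = pdn_type;
    return ex_store_paa(&sess, &ie);
}

int main(void)
{
    printf("IPv4, len 5:   %d\n", ex_demo(1, 5));
    printf("IPv4, len 200: %d\n", ex_demo(1, 200));
    printf("IPv4, len 22:  %d\n", ex_demo(1, 22));
    return 0;
}
```
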
When traffic from UE is destined to another UE on the same UPF, the packet shouldn't be sent to the TUN interface, but should be re-encapsulated and forwarded via the destination UE's GTP-U tunnel.
Before, in the gtp-path.c, there was a TODO placeholder for this. Logic:
- Look up the destination UE session by inner packet dest IP
- Find a matching downlink PDR with FAR
- Fall back to lowest precedence PDR
- URR accounting
- Buffering and downlink data reporting
Additionally, the multi-ue-test was extended with each UE pinging the next UE.
Signed-off-by: akos011221 <orbanakos2001@gmail.com>
open5gs doesn't support the "SMS in MME" (3GPP TS 23.272 Annex C) yet,
so it is better to announce that we support the SGs interface than to
give no information to the HSS.
Add validation for PDU Session Identity (PSI) when handling
SMF Registration resource requests in UDM.
Previously, the PSI value extracted from the SBI resource
path was used directly to locate the session context.
If the value corresponded to
OGS_NAS_PDU_SESSION_IDENTITY_UNASSIGNED (0), the lookup
would proceed with an invalid identifier.
This could lead to inconsistent session handling and
unexpected error paths.
This patch introduces an explicit validation step:
- Detect PSI == OGS_NAS_PDU_SESSION_IDENTITY_UNASSIGNED
- Log an error with the received PSI value
- Return HTTP 400 Bad Request via SBI error response
- Abort further processing of the request
This ensures that only valid, assigned PSI values are
processed and improves protocol compliance and robustness
against malformed SBI requests.
Issues: #4255
Fix a crash triggered by SCP NFProfile registrations that do not
provide any usable endpoint information.
Previously, ogs_sbi_client_associate() asserted that a client must
exist after association. However, malformed or incomplete NFProfiles
(e.g., scpInfo containing only scpDomainInfoList without scpPorts or
instance/service endpoints) could bypass endpoint validation and
result in no client being created.
This led to an assertion failure in:
    ogs_sbi_client_associate()
      -> ogs_assert(client)
Root causes addressed:
1. Association safety
   - Remove hard assertion on missing instance-level client.
   - Perform association only when a client exists.
   - Improve logging for missing instance/service endpoints.
2. Endpoint validation refactor
   - Move endpoint validation after client association.
   - Introduce nf_instance_has_usable_client() helper to verify:
     * Instance-level client, or
     * Any service-level client.
3. Registration rejection
   - Reject NFProfile registrations that lack usable endpoints
     with HTTP 400 instead of allowing inconsistent state.
4. SCP info handling
   - Treat domain-only SCP registrations as valid nf_info inputs
     when num_of_domain is present.
Impact:
- Prevents assertion crashes in NRF triggered by malformed SCP
registrations.
- Ensures NF instances are accepted only when at least one usable
endpoint is available.
- Improves diagnostic logging for operator troubleshooting.
Tested with:
- SCP registration containing only scpDomainInfoList
- Registrations with instance-level endpoints
- Registrations with service-level endpoints
Issues: #4243, #4248
When an NF loses heartbeat and enters re-registration, existing
NRF subscription states tied to the previous NF instance remain
both remotely (NRF) and locally (subscription_data pool).
In environments with repeated heartbeat loss or timing races
(e.g., docker-compose deployments), this leads to continuous
re-subscription loops and unbounded growth of
subscription_data entries, eventually exhausting the pool and
triggering assertion failures in ogs_sbi_subscription_data_add().
This patch introduces a pre-registration cleanup mechanism:
- Send DELETE requests for all subscriptions associated with
  the NF instance before re-registration.
- Perform asynchronous local cleanup in the unsubscribe
  response handler (avoiding use-after-free and double free).
- Add duplicate DELETE guard using subscription flags.
- Improve logging visibility for subscription cleanup flow.
This ensures that stale NRF subscription states are removed
and prevents subscription_data pool exhaustion during
re-registration loops.
Issues: #4207
Problem
When the implicit detach timer expires, the MME may initiate local
UE context removal if no S1 context exists.
In the previous implementation, mme_ue_remove() could be triggered
directly from mme_send_delete_session_or_detach() in this path.
This leads to a structural issue:
- The UE context may be freed while the EMM FSM is still processing
  the implicit detach timer event.
- Subsequent FSM operations (state transition, ENTRY/EXIT signals)
  may access the freed mme_ue.
- This results in assertion failures or crashes such as:
    emm_state_registered: Assertion `mme_ue' failed
Analysis
Implicit detach handling executes within the EMM FSM context.
Immediate UE context removal from this path violates the FSM
lifecycle assumption that the context remains valid until the
event handling and state transition complete.
This creates a use-after-free risk and can also cause double-free
depending on concurrent removal paths.
Solution
Introduce deferred UE context removal via FSM:
1. Add a new flag:
     mme_ue->ue_context_will_remove
2. Modify mme_send_delete_session_or_detach():
   - If no S1 context exists, do not remove immediately.
   - Set ue_context_will_remove = true instead.
3. In implicit detach timer handling:
   - Check the flag and select the next state accordingly.
4. Introduce a new FSM state:
     emm_state_ue_context_will_remove
   - UE context removal is performed safely on ENTRY_SIG.
This ensures:
- UE context is not freed inside the original EMM handler.
- FSM lifecycle is preserved.
- Removal happens after state transition.
Impact
- Prevents crashes caused by use-after-free during implicit detach.
- Avoids double-free scenarios.
- Aligns UE context lifecycle with FSM design.
This change only affects implicit detach paths where S1 context
does not exist and does not alter normal detach procedures.
Fixes: #4298
When bearer contexts are migrated between MME-UE objects during UE
context relocation (OLD UE -> NEW UE), the existing ogs_pool-based
EBI tracking could become inconsistent.
In mme_ue_set_imsi(), bearer->ebi_node was freed from the old UE pool
without reserving the same EBI in the new UE context. This allowed
duplicate allocations and eventually exhausted the EBI pool (5..15),
triggering a fatal assertion in mme_bearer_add().
This patch replaces the pool-node based EBI handling with a bitmap
allocator, which is safe across UE context migration and supports
explicit EBI reservation.
Also update related test cases to match the new allocation order.
Fixes: #4294
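
A bitmap allocator with explicit reservation, of the kind the message above describes, as an added example that is not Open5GS code: the 5..15 range is from the page, while the `ex_` names and the 16-bit bitmap layout are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define EX_MIN_EBI 5
#define EX_MAX_EBI 15

typedef struct { uint16_t ebi_bitmap; } ex_ue_t;   /* bit n set: EBI n in use */

static int ex_ebi_valid(uint8_t ebi)
{
    return ebi >= EX_MIN_EBI && ebi <= EX_MAX_EBI;
}

/* Mark one specific EBI as used. Returns 0, or -1 if invalid or taken. */
static int ex_ebi_reserve(ex_ue_t *ue, uint8_t ebi)
{
    uint16_t bit;
    if (!ex_ebi_valid(ebi))
        return -1;
    bit = (uint16_t)(1u << ebi);
    if (ue->ebi_bitmap & bit)
        return -1;
    ue->ebi_bitmap |= bit;
    return 0;
}

static void ex_ebi_release(ex_ue_t *ue, uint8_t ebi)
{
    if (ex_ebi_valid(ebi))
        ue->ebi_bitmap &= (uint16_t)~(1u << ebi);
}

/* Lowest free EBI, or 0 when all eleven values are in use. */
static uint8_t ex_ebi_alloc(ex_ue_t *ue)
{
    for (uint8_t ebi = EX_MIN_EBI; ebi <= EX_MAX_EBI; ebi++)
        if (ex_ebi_reserve(ue, ebi) == 0)
            return ebi;
    return 0;
}

/* Move a bearer's EBI between UE contexts: reserve it in the new context
 * first, and release it from the old one only if that succeeded. */
static int ex_ebi_migrate(ex_ue_t *old_ue, ex_ue_t *new_ue, uint8_t ebi)
{
    if (ex_ebi_reserve(new_ue, ebi) != 0)
        return -1;
    ex_ebi_release(old_ue, ebi);
    return 0;
}

/* Two bearers (EBI 5 and 6) relocate from old_ue to new_ue, then new_ue
 * allocates once more. With reserve_in_new == 0 the EBIs are only released
 * from the old context, which models the defect: the next allocation
 * hands out 5 again although a migrated bearer already uses it. */
static uint8_t ex_next_after_relocation(int reserve_in_new)
{
    ex_ue_t old_ue = { 0 }, new_ue = { 0 };
    uint8_t a = ex_ebi_alloc(&old_ue);
    uint8_t b = ex_ebi_alloc(&old_ue);

    if (reserve_in_new) {
        if (ex_ebi_migrate(&old_ue, &new_ue, a) != 0 ||
            ex_ebi_migrate(&old_ue, &new_ue, b) != 0)
            return 0;
    } else {
        ex_ebi_release(&old_ue, a);
        ex_ebi_release(&old_ue, b);
    }
    return ex_ebi_alloc(&new_ue);
}

/* Number of allocations that succeed before the range is exhausted. */
static int ex_capacity(void)
{
    ex_ue_t ue = { 0 };
    int n = 0;
    while (ex_ebi_alloc(&ue) != 0)
        n++;
    return n;
}

int main(void)
{
    printf("next EBI with reservation:    %u\n", (unsigned)ex_next_after_relocation(1));
    printf("next EBI without reservation: %u\n", (unsigned)ex_next_after_relocation(0));
    printf("capacity: %d\n", ex_capacity());
    return 0;
}
```
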
When handling Create Indirect Data Forwarding Tunnel Request,
SGW-C unconditionally sent a PFCP Session Modification Request
with OGS_PFCP_MODIFY_INDIRECT|CREATE.
However, some session contexts do not contain any indirect
DL/UL forwarding tunnel information, which leads to assertion
failures inside PFCP handling.
This patch checks whether a session actually has an indirect
forwarding tunnel before sending the PFCP modification request,
and logs detailed context information otherwise.
This is the same class of issue previously observed with
Delete Indirect Tunnel handling in issue #4073.
Fixes: #4073
Fix an AMF crash when a UE sends a new Registration Request immediately
after UE-initiated Deregistration.
In this scenario, SM Context release and SDM subscription DELETE requests
are triggered during deregistration, but their SBI responses may arrive
later while the AMF is already handling a subsequent Registration Request
(Integrity Protected).
Previously, late SDM_SUBSCRIPTIONS DELETE responses were processed in
unexpected GMM states (registered, authentication, initial-context-setup),
leading to ogs_assert_if_reached() and AMF crashes.
This commit changes the behavior to explicitly ignore late
SDM_SUBSCRIPTIONS DELETE responses in such states, treating them as stale
and non-actionable. Fatal assertions in these paths are replaced with
warnings to prevent crashes caused by valid out-of-order SBI responses.
The fix is covered by a new regression test reproducing issue #4209,
including scenarios with and without active PDU sessions.
Limit authentication retries on repeated synchronization failures.
When the UE reports consecutive authentication failures with
"synchronization failure" cause, AMF and MME now track the failure
count per authentication procedure and send AUTHENTICATION REJECT
after two attempts, instead of retrying indefinitely.
The counter is reset on authentication state entry.
This aligns the behavior with 3GPP authentication procedures and
prevents infinite authentication loops caused by persistent
synchronization failures.
Issues: #4238
Handle BearerResourceFailureIndication arriving after the associated
S11 transaction has already expired.
Look up the associated S11 transaction before committing the S5-C
transaction, and gracefully drop the indication if the S11 transaction
no longer exists, instead of asserting and crashing.
This prevents a possible remote DoS caused by delayed S5-C failure
indications.
Issues: #4268
When handling ModifyBearerResponse in the OI (Operation Indication) path,
SGW-C assumed that the PGW S5U tunnel address was always initialized.
If the Bearer Context was not parsed and ul_tunnel->remote_ip remained
unset, building the S11 CreateSessionResponse could trigger an assertion
failure and crash the SGW-C process.
Add a defensive check in sgwc_s5c_handle_modify_bearer_response() to
validate the UL tunnel remote IP before proceeding, and return a proper
GTP error instead of aborting. Also replace an assertion with graceful
error handling in the SxA session modification response path.
This prevents a remotely triggerable SGW-C crash (DoS) caused by malformed
or incomplete ModifyBearerResponse messages.
Issues: #4257
SGW-C could be forced to abort when handling a crafted or delayed
S5-C response (Create/Modify/Delete Session) if the associated S11
transaction no longer exists.
The S5-C handler assumed that the corresponding S11 transaction is
always present and unconditionally asserted its existence, leading
to a process abort and denial-of-service.
This change removes the fatal assertion and safely handles the case
where the associated S11 transaction cannot be found by logging an
error and ignoring the response.
Issues: #4226
Prevent SGW-C and SMF from aborting when receiving late or orphan
GTPv2 bearer responses (Create/Update/Delete Bearer).
This change removes fatal assertions on missing UE/session contexts
and instead treats such cases as "Context Not Found" per 3GPP
TS 29.274.
In addition, improve FSM-level UE/session lookup by retrying context
identification using the locally stored TEID when the received TEID
is missing, zero, or no longer valid. This aligns the behavior with
TS 29.274 §5.5.2 and allows graceful handling of late responses after
context cleanup.
Together, these changes ensure that late or orphan GTPv2 responses
never crash SGW-C or SMF and are handled gracefully.
Issues: #4225
Handle late or out-of-order ESM/NAS events more safely by removing
assert-based assumptions on runtime UE/S1 contexts.
Replace fatal assertions with defensive runtime checks in ESM, NAS,
GTP, and S11 paths so that late messages received after bearer/session
or eNB-UE context release do not terminate the MME process.
This allows ongoing GTP/S11 procedures to continue or clean up safely
while gracefully handling missing S1 context, improving robustness
under real-world race conditions.
Issues: #4236
Add explicit error handling for missing EPS Bearer ID and S5/S8 U F-TEID
in Create Session Response processing. Instead of breaking out of the
loop, immediately send an appropriate GTPv2 error response and abort
processing.
Also handle the case where the referenced bearer context does not exist
by returning CONTEXT_NOT_FOUND, and add missing error logs for failed
F-TEID to IP conversion.
These changes prevent silent failures and ensure correct GTP error
signaling toward the MME.
Issues: #4224
Replace ogs_assert() and ogs_fatal() with runtime checks when allocating
UE contexts, transactions, and timers.
Handle pool and timer exhaustion gracefully by logging errors, cleaning
up partially created objects, and returning NULL instead of aborting
the process, improving control-plane robustness under high load or
resource limits.
Issues: #4220, #4221
Do not abort SGW-C when a Downlink Data Notification Ack arrives
after the related bearer or session has already been released.
Replace assert-based assumptions with runtime checks and logging,
and always commit the S11 transaction safely to prevent process
termination on late or malformed ACK messages.
Remove hard assertions in GTPv2 Bearer QoS and Flow QoS parsers and
replace them with defensive length validation. Invalid IEs are now
gracefully rejected by the caller instead of aborting the process.
Update SGW-C and SMF handlers to validate parser results and return
appropriate GTP-C error causes, preventing daemon crashes on malformed
GTPv2 messages.
Issues: #4217