Malformed S1AP NAS-PDU

asked 2018-12-12 18:35:22 +0000

dandreye
23 ●6 ●10 ●12

updated 2018-12-12 19:44:48 +0000

Hi All,

I'm getting "Malformed Packet: NAS-PDU" when trying to decode my S1AP Initial UE Message (Attach Request): https://drive.google.com/file/d/1Pg0k...

Item #1 NAS-PDU appears to include (besides several others) the last IE 40 05 70 40 26 00 00, which looks formatted as TLV with IEI=0x40, Length = 5 and Value = 70 40 26 00 00. What type of IE is that and why is it not decoding? I briefly checked 24.007 and 24.008 and didn't come across IEI 0x040 although pretty sure I'm overlooking it. My Wireshark version is 2.4.5 (v2.4.5-0-g153e867ef1).

Many thanks in advance!

edit retag flag offensive close merge delete

add a comment

answered 2018-12-12 20:29:38 +0000

Pascal Quantin
5846 ●63 ●65

Hi,

IEI 0x40 is the Supported Codecs one.

Wireshark triggers a malformed packet because the previous IE (MS Classmark 3) is malformed, leading to the parsing error in Wireshark.

I will probably modify Wireshark to explicitly flag the MS Classmark 3 as having a length too short compared to the payload parsing.

But the Supported Codecs IE is also malformed...

edit flag offensive delete link

Comments

Hi Pascal - thank you,

the MS Classmark 3 as having a length too short

Not sure if I got the idea right but looks like manually changing its current length 03 to 0A makes the whole message decode correctly, so I'm wondering if that 40 05 70 40 26 00 00 is Supported Codecs IE indeed or rather it's just part of MS Classmark 3.. https://drive.google.com/file/d/1jYGR...

Please let me know if you want me to file a bug/enhacement on it anyway.

Thanks & Regards,

Dmitriy

dandreye ( 2018-12-12 21:09:13 +0000 )edit

Manually modifying the IE length allows you to hide the problem, but still the MS Classmark 3 content is suspicious (spare bit set to 1, A5/7 algorithm supported while it does not exist), so I doubt it is valid.

Anyway I added an extra check in this commit: https://code.wireshark.org/review/#/c...

It will trigger another malformed error but with a more meaningful message.

Pascal Quantin ( 2018-12-12 22:06:21 +0000 )edit

Thank you: I'm checking NAS-EPS PDU encoding with our Engineering team in parallel.

dandreye ( 2018-12-12 22:11:01 +0000 )edit

Hi Pascal, sorry could you please explain why exactly Wireshark used to consider my MS Classmark 3 "as having a length too short compared to the payload parsing"? After Item 1 ID code 0x26 (id-NAS-PDU) and 0x00 (criticality=reject) goes 0x37, which looks like a valid length of the remainder as it covers it exactly incl Supported Codecs IE. Meanwhile MS Classmark 3 IE itself has allowed length 0x03 (which can be 1-32 octets as per 3gpp 48.008), same as MS Classmark 2 IE. So I'm struggling to understand why Wireshark used to consider Supported Codecs IE as the continuation of MS Classmark 3 before the changes you've made. Meanwhile how can I obtain the build with the changes? Thanks in advance, Dmitriy

dandreye ( 2018-12-15 16:05:35 +0000 )edit

You need to check the MS Classmark 3 encoding in 3GPP 24.008 spec and do the decoding manually. You will see that the parsing of the bits goes beyond the 3 bytes indicated in the IE, which is an encoding error. You an find builds with my change here: https://www.wireshark.org/download/au... But again it simply gives a better error message, it does not solve anything as the message is not properly encoded.

Pascal Quantin ( 2018-12-15 19:32:40 +0000 )edit

see more comments

Malformed S1AP NAS-PDU

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Malformed S1AP NAS-PDU edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Malformed S1AP NAS-PDU