From f85fe1c5ac3a630b9b8f3611dce5a141fc8ee8ea Mon Sep 17 00:00:00 2001
From: Pedro Alvarez <pedro.alvarez@softwareradiosystems.com>
Date: Tue, 15 Sep 2020 16:01:40 +0100
Subject: [PATCH] Don't allow S1 setup with mis-matched TA codes between eNB
 and EPC.

---
 srsepc/hdr/mme/s1ap.h             |  6 ++++++
 srsepc/hdr/mme/s1ap_common.h      |  4 ++--
 srsepc/src/mme/s1ap.cc            |  7 +++----
 srsepc/src/mme/s1ap_mngmt_proc.cc | 19 ++++++++++++++++---
 4 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/srsepc/hdr/mme/s1ap.h b/srsepc/hdr/mme/s1ap.h
index f91402bfe..f23dcb7d4 100644
--- a/srsepc/hdr/mme/s1ap.h
+++ b/srsepc/hdr/mme/s1ap.h
@@ -74,6 +74,7 @@ public:
   void print_enb_ctx_info(const std::string& prefix, const enb_ctx_t& enb_ctx);
 
   uint32_t   get_plmn();
+  uint16_t   get_tac();
   uint32_t   get_next_mme_ue_s1ap_id();
   enb_ctx_t* find_enb_ctx(uint16_t enb_id);
   void       add_new_enb_ctx(const enb_ctx_t& enb_ctx, const struct sctp_sndrcvinfo* enb_sri);
@@ -149,5 +150,10 @@ inline uint32_t s1ap::get_plmn()
   return m_plmn;
 }
 
+inline uint16_t s1ap::get_tac()
+{
+  return m_s1ap_args.tac;
+}
+
 } // namespace srsepc
 #endif // SRSEPC_S1AP_H
diff --git a/srsepc/hdr/mme/s1ap_common.h b/srsepc/hdr/mme/s1ap_common.h
index e3e155212..12868c94e 100644
--- a/srsepc/hdr/mme/s1ap_common.h
+++ b/srsepc/hdr/mme/s1ap_common.h
@@ -58,9 +58,9 @@ typedef struct {
   uint16_t                                            mcc, mnc;
   uint32_t                                            plmn;
   uint8_t                                             nof_supported_ta;
-  std::array<uint8_t, MAX_TA>                         tac;
+  std::array<uint16_t, MAX_TA>                        tacs;
   std::array<uint16_t, MAX_BPLMN>                     nof_supported_bplmns;
-  std::array<std::array<uint16_t, MAX_BPLMN>, MAX_TA> bplmns;
+  std::array<std::array<uint32_t, MAX_BPLMN>, MAX_TA> bplmns;
   asn1::s1ap::paging_drx_opts                         drx;
   struct sctp_sndrcvinfo                              sri;
 } enb_ctx_t;
diff --git a/srsepc/src/mme/s1ap.cc b/srsepc/src/mme/s1ap.cc
index 669fc4c42..def91b91d 100644
--- a/srsepc/src/mme/s1ap.cc
+++ b/srsepc/src/mme/s1ap.cc
@@ -582,12 +582,11 @@ void s1ap::print_enb_ctx_info(const std::string& prefix, const enb_ctx_t& enb_ct
   srslte::mcc_to_string(enb_ctx.mcc, &mcc_str);
   srslte::mnc_to_string(enb_ctx.mnc, &mnc_str);
   m_s1ap_log->info("%s - MCC:%s, MNC:%s, PLMN: %d\n", prefix.c_str(), mcc_str.c_str(), mnc_str.c_str(), enb_ctx.plmn);
-  m_s1ap_log->console(
-      "%s - MCC:%s, MNC:%s, PLMN: %d\n", prefix.c_str(), mcc_str.c_str(), mnc_str.c_str(), enb_ctx.plmn);
+  m_s1ap_log->console("%s - MCC:%s, MNC:%s\n", prefix.c_str(), mcc_str.c_str(), mnc_str.c_str());
   for (int i = 0; i < enb_ctx.nof_supported_ta; i++) {
     for (int j = 0; i < enb_ctx.nof_supported_ta; i++) {
-      m_s1ap_log->info("%s - TAC %d, B-PLMN %d\n", prefix.c_str(), enb_ctx.tac[i], enb_ctx.bplmns[i][j]);
-      m_s1ap_log->console("%s - TAC %d, B-PLMN %d\n", prefix.c_str(), enb_ctx.tac[i], enb_ctx.bplmns[i][j]);
+      m_s1ap_log->info("%s - TAC %d, B-PLMN 0x%x\n", prefix.c_str(), enb_ctx.tacs[i], enb_ctx.bplmns[i][j]);
+      m_s1ap_log->console("%s - TAC %d, B-PLMN 0x%x\n", prefix.c_str(), enb_ctx.tacs[i], enb_ctx.bplmns[i][j]);
     }
   }
   m_s1ap_log->console("%s - Paging DRX %s\n", prefix.c_str(), enb_ctx.drx.to_string().c_str());
diff --git a/srsepc/src/mme/s1ap_mngmt_proc.cc b/srsepc/src/mme/s1ap_mngmt_proc.cc
index 5c4f1790a..59a541d21 100644
--- a/srsepc/src/mme/s1ap_mngmt_proc.cc
+++ b/srsepc/src/mme/s1ap_mngmt_proc.cc
@@ -86,11 +86,24 @@ bool s1ap_mngmt_proc::handle_s1_setup_request(const asn1::s1ap::s1_setup_request
   // Log S1 Setup Request Info
   m_s1ap->print_enb_ctx_info(std::string("S1 Setup Request"), enb_ctx);
 
+  // Check for TAC match
+  bool tac_match = false;
+  for (uint8_t tac : enb_ctx.tacs) {
+    if (m_s1ap->get_tac() == tac) {
+      tac_match = true;
+      break;
+    }
+  }
+
   // Check matching PLMNs
   if (enb_ctx.plmn != m_s1ap->get_plmn()) {
     m_s1ap_log->console("Sending S1 Setup Failure - Unknown PLMN\n");
     m_s1ap_log->warning("Sending S1 Setup Failure - Unknown PLMN\n");
     send_s1_setup_failure(asn1::s1ap::cause_misc_opts::unknown_plmn, enb_sri);
+  } else if (!tac_match) {
+    m_s1ap_log->console("Sending S1 Setup Failure - No matching TAC\n");
+    m_s1ap_log->warning("Sending S1 Setup Failure - No matching TAC\n");
+    send_s1_setup_failure(asn1::s1ap::cause_misc_opts::unspecified, enb_sri);
   } else {
     enb_ctx_t* enb_ptr = m_s1ap->find_enb_ctx(enb_ctx.enb_id);
     if (enb_ptr != nullptr) {
@@ -145,9 +158,9 @@ bool s1ap_mngmt_proc::unpack_s1_setup_request(const asn1::s1ap::s1_setup_request
   for (uint16_t i = 0; i < enb_ctx->nof_supported_ta; i++) {
     const asn1::s1ap::supported_tas_item_s& tas = s1_req.supported_tas.value[i];
     // TAC
-    ((uint8_t*)&enb_ctx->tac[i])[0]  = tas.tac[0];
-    ((uint8_t*)&enb_ctx->tac[i])[1]  = tas.tac[1];
-    enb_ctx->tac[i]                  = ntohs(enb_ctx->tac[i]);
+    ((uint8_t*)&enb_ctx->tacs[i])[0] = tas.tac[0];
+    ((uint8_t*)&enb_ctx->tacs[i])[1] = tas.tac[1];
+    enb_ctx->tacs[i]                 = ntohs(enb_ctx->tacs[i]);
     enb_ctx->nof_supported_bplmns[i] = tas.broadcast_plmns.size();
     for (uint32_t j = 0; j < tas.broadcast_plmns.size(); j++) {
       // BPLMNs