@kevin8023c

What I have implemented:

  1. gNB broadcasts multiple PLMN IDs.
  2. UE chooses the PLMN ID according to the IMSI info from the UE configuration.

What still needs to be done:

  1. A single gNB connects to two cores (each core has one AMF).

Yuanhao added 4 commits December 22, 2025 22:53
Summary: add gNB multiple-PLMN broadcasting and simulated UE selection logic. Now if the gNB broadcasts {46011, 20893}, the UE can choose 20893 (from configuration), successfully connect to the 5GC, get an IP and ping successfully (ping -I oaitun_ue1 10.10.4.2).

Major changes:
- Fix UE PLMN selection: use correct index (j instead of i) from plmn_IdentityList
- Add multi-PLMN support in gNB configuration
- Add debugging scripts for uftrace function tracing
- Update configuration files for MOCN testing

Bug fix:
- openair2/RRC/NR_UE/rrc_UE.c: Fixed selectedPLMN_Identity to use inner list index
  This resolves the issue where PLMN list order affected UE registration

Scripts added:
- cyh_build_oai.sh: Normal build script
- cyh_rebuild_with_instrument.sh: Build with uftrace instrumentation
- cyh_start_ue.sh: UE startup helper
- cyh_trace_full_workflow.sh: Complete uftrace workflow
- test_uftrace.sh: uftrace functionality test
- UFTRACE_QUICKSTART.md: Documentation for function tracing
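- Add dual-UE configuration and startup scripts (ue2.conf, cyh_start_ue1/ue2_in_namespace.sh) (unused scripts; the items below are also only staged temporarily, except the last line, which is real)
- Add complete namespace network architecture documentation and packet flow analysis
- Add OAI build guide and multi-UE troubleshooting documentation
- Add UE registration flow analysis and tracing tool comparison documentation
- Add several helper scripts for tracing, analysis and recompilation
- Modify telnetsrv and build scripts to support building the telnet library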
- Remove all personal helper scripts (cyh_*.sh)
- Remove personal documentation files (*.md)
- Remove debug log statements from core code
- Keep only essential MOCN feature code changes
- Minor whitespace cleanup in config_libconfig.c

This prepares the branch for upstream pull request submission.
…NG.md

- Delete OAI_BUILD_GUIDE.md (personal documentation)
- Delete test_uftrace.sh (personal test script)
- Restore CONTRIBUTING.md (OAI official contribution guide)
- Clean up whitespace in config_libconfig.c
rpousa pushed a commit to rpousa/OAI_EWOC that referenced this pull request Jan 14, 2026
- Replace asn1cFreeStruc with ASN_STRUCT_FREE in MAC layer cleanup
- Fixes improper memory management of NR_CellGroupConfig structures

Root cause: asn1cFreeStruc only calls ASN_STRUCT_RESET + free(), which doesn't properly free nested ASN.1 allocations. ASN_STRUCT_FREE frees all nested structures completely.

AddressSanitizer leak trace:
Direct leak of 288 byte(s) in 1 object(s) allocated from:
    /#0 0x7fb72bab4a57 in __interceptor_calloc
    /#1 0x593752b28d0d in SEQUENCE_decode_uper
    /#2 0x593752b9a546 in SET_OF_decode_uper
    /#3 0x593752b2863c in SEQUENCE_decode_uper
    /#4 0x593752b47363 in CHOICE_decode_uper
    /#5 0x593752b2863c in SEQUENCE_decode_uper
    /#6 0x593752b2863c in SEQUENCE_decode_uper
    /#7 0x593752b2863c in SEQUENCE_decode_uper
    /#8 0x593752b2863c in SEQUENCE_decode_uper
    /#9 0x593752b2863c in SEQUENCE_decode_uper
    /#10 0x593752b38551 in uper_decode
    /#11 0x5937527d859f in nr_rrc_ue_process_masterCellGroup
    /#12 0x5937527d9408 in nr_rrc_process_reconfiguration_v1530
    /#13 0x5937527dd5bb in nr_rrc_ue_process_rrcReconfiguration
    /#14 0x5937527f5e6b in nr_rrc_ue_decode_dcch
    /#15 0x5937527ff003 in rrc_nrue
    /#16 0x59375280c6de in rrc_nrue_task
rpousa pushed a commit to rpousa/OAI_EWOC that referenced this pull request Jan 14, 2026
The leak was caused by improper memory ownership handling in the
dedicatedNAS_MessageList processing. The function was transferring
buffer ownership to NAS messages and then preventing ASN.1 cleanup
from freeing the original allocations by setting
list.count = 0, causing a memory leak.

Leak trace:
Direct leak of 40 byte(s) in 1 object(s) allocated from:
    /#0 0x7f2ce3ab4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    /#1 0x567907083f0f in OCTET_STRING_decode_uper /cmake_targets/ran_build/build/openair2/RRC/LTE/MESSAGES/OCTET_STRING_uper.c:89
    /#2 0x5679070ed5e6 in SET_OF_decode_uper /cmake_targets/ran_build/build/openair2/RRC/NR/MESSAGES/constr_SET_OF_uper.c:70
    /#3 0x56790707b6dc in SEQUENCE_decode_uper /cmake_targets/ran_build/build/openair2/RRC/LTE/MESSAGES/constr_SEQUENCE_uper.c:118
    /#4 0x56790707b6dc in SEQUENCE_decode_uper /cmake_targets/ran_build/build/openair2/RRC/LTE/MESSAGES/constr_SEQUENCE_uper.c:118
    /#5 0x56790709a403 in CHOICE_decode_uper /cmake_targets/ran_build/build/openair2/RRC/LTE/MESSAGES/constr_CHOICE_uper.c:84
    /#6 0x56790707b6dc in SEQUENCE_decode_uper /cmake_targets/ran_build/build/openair2/RRC/LTE/MESSAGES/constr_SEQUENCE_uper.c:118
    /#7 0x56790709a403 in CHOICE_decode_uper /cmake_targets/ran_build/build/openair2/RRC/LTE/MESSAGES/constr_CHOICE_uper.c:84
    /#8 0x56790709a403 in CHOICE_decode_uper /cmake_targets/ran_build/build/openair2/RRC/LTE/MESSAGES/constr_CHOICE_uper.c:84
    /#9 0x56790707b6dc in SEQUENCE_decode_uper /cmake_targets/ran_build/build/openair2/RRC/LTE/MESSAGES/constr_SEQUENCE_uper.c:118
    /#10 0x56790708b5f1 in uper_decode /cmake_targets/ran_build/build/openair2/RRC/LTE/MESSAGES/uper_decoder.c:83
    /#11 0x567906d44b4b in nr_rrc_ue_decode_dcch /openair2/RRC/NR_UE/rrc_UE.c:2212
    /#12 0x567906d520a3 in rrc_nrue /openair2/RRC/NR_UE/rrc_UE.c:2615
    /#13 0x567906d5f77e in rrc_nrue_task /openair2/RRC/NR_UE/rrc_UE.c:2501
    /#14 0x7f2ce2494ac2 in start_thread nptl/pthread_create.c:442

Fix:
- Copy OCTET_STRING data instead of transferring ownership
- Allow ASN.1 cleanup to properly free original allocations

This fixes the leak that occurred during rrcReconfiguration
message processing when dedicatedNAS_MessageList was present.

Closes #828
rpousa pushed a commit to rpousa/OAI_EWOC that referenced this pull request Jan 14, 2026
On error, exit the GTP thread after printing a diagnostic message. This
also avoids an error flagged by address sanitizer for use-after-free.

    [GTPU]   [91] Recvfrom failed (Bad file descriptor)
    =================================================================
    ==285377==ERROR: AddressSanitizer: heap-use-after-free on address 0x7cd7b7fe5590 at pc 0x0000006a9e18 bp 0x7b97ad4e1d50 sp 0x7b97ad4e1d48
    READ of size 4 at 0x7cd7b7fe5590 thread T8

    =================================================================
    ==285377==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 160 byte(s) in 1 object(s) allocated from:
        #0 0x0000006a9e17 in gtpv1uReceiver /home/richie/oai/openair3/ocp-gtpu/gtp_itf.cpp:1346
        #1 0x7f97b9a28ee5 in asan_thread_start(void*) (/lib64/libasan.so.8+0x28ee5) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #2 0x7f97b8e7ff53 in start_thread (/lib64/libc.so.6+0x71f53) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
        #3 0x7f97b8f0332b in __clone3 (/lib64/libc.so.6+0xf532b) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)

        #0 0x7f97b9ae60cb in memalign (/lib64/libasan.so.8+0xe60cb) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #1 0x000000471039 in newNotifiedFIFO_elt /home/richie/oai/common/utils/threadPool/notified_fifo.h:75
        #2 0x000000471039 in tx_func /home/richie/oai/executables/nr-gnb.c:107
        #3 0x000000471039 in L1_tx_thread /home/richie/oai/executables/nr-gnb.c:167
        #4 0x7f97b9a28ee5 in asan_thread_start(void*) (/lib64/libasan.so.8+0x28ee5) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)

    0x7cd7b7fe5590 is located 336 bytes inside of 400-byte region [0x7cd7b7fe5440,0x7cd7b7fe55d0)
    freed by thread T0 here:
    SUMMARY: AddressSanitizer: 160 byte(s) leaked in 1 allocation(s).
rpousa pushed a commit to rpousa/OAI_EWOC that referenced this pull request Jan 14, 2026
The call to snprintf() as it was used is wrong: we use the return value to
advance output, but the man page says

> The functions snprintf() and vsnprintf() do not write more than size
> bytes (including the terminating null byte ('\0')).  If the output was
> truncated due  to this  limit,  then  the return value is the number of
> characters (excluding the terminating null byte) which would have been
> written to  the  final  string  if enough  space  had  been available.
> Thus, a return value of size or more means that the output was
> truncated.

Thus, output could go beyond end, and we get a stack overflow. Instead,
encapsulate the call to snprintf() checking this condition, and only
advancing output as intended, limiting to 0 if we are at the end of the
buffer.  This avoids this error:

    ==964825==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7be799f51988 at pc 0x7fe7d66b0d39 bp 0x7be79b825ef0 sp 0x7be79b8256c0
    WRITE of size 3 at 0x7be799f51988 thread T24
        #0 0x7fe7d66b0d38 in vsnprintf (/lib64/libasan.so.8+0xb0d38) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #1 0x7fe7d66b2d44 in snprintf (/lib64/libasan.so.8+0xb2d44) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #2 0x0000008fe7c6 in dump_mac_stats /home/richie/w/refactor-dlsch/openair2/LAYER2/NR_MAC_gNB/main.c:183
        #3 0x00000092071a in gNB_dlsch_ulsch_scheduler /home/richie/w/refactor-dlsch/openair2/LAYER2/NR_MAC_gNB/gNB_scheduler.c:200
        #4 0x0000008f8f78 in run_scheduler_monolithic /home/richie/w/refactor-dlsch/openair2/NR_PHY_INTERFACE/NR_IF_Module.c:399
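
The cursor arithmetic described in the commit message above, as an added example that is not part of the pull request or OAI's code: `naive_final_offset` adds snprintf()'s return value and ends up past the buffer, while `bounded_append` advances only by what was actually stored. The function names, the 32-byte buffer and the sample line format are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample line; not the format OAI's dump_mac_stats() prints. */
#define LINE_FMT "UE %04x: dlsch_rounds %d\n"

/* The pattern the commit message calls wrong: add snprintf()'s return value
 * to the cursor. The loop stops before the next call would receive a cursor
 * past the end, so this demo never writes out of bounds itself. */
size_t naive_final_offset(char *buf, size_t size, int lines)
{
  size_t off = 0;
  for (int i = 0; i < lines && off < size; i++)
    off += (size_t)snprintf(buf + off, size - off, LINE_FMT, i, i * 100);
  return off; /* can exceed size: the count is what WOULD have been written */
}

/* Hypothetical wrapper (assumed name): advance only by the bytes stored. */
int bounded_append(char **pos, const char *end, const char *fmt, ...)
{
  size_t left = (size_t)(end - *pos);
  if (left == 0)
    return 0; /* at the end of the buffer: write nothing */
  va_list ap;
  va_start(ap, fmt);
  int n = vsnprintf(*pos, left, fmt, ap);
  va_end(ap);
  if (n < 0)
    return 0; /* output error: leave the cursor where it is */
  if ((size_t)n >= left)
    n = (int)(left - 1); /* truncated: left-1 characters plus the NUL fit */
  *pos += n;
  return n;
}

size_t safe_final_offset(char *buf, size_t size, int lines)
{
  char *pos = buf;
  for (int i = 0; i < lines; i++)
    bounded_append(&pos, buf + size, LINE_FMT, i, i * 100);
  return (size_t)(pos - buf); /* never past buf + size */
}

int main(void)
{
  char a[32], b[32];
  printf("naive cursor: %zu of %zu\n", naive_final_offset(a, sizeof a, 3), sizeof a);
  printf("safe cursor:  %zu of %zu\n", safe_final_offset(b, sizeof b, 3), sizeof b);
  return 0;
}
```
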
rpousa pushed a commit to rpousa/OAI_EWOC that referenced this pull request Jan 14, 2026
Free memory including the "base pointer". Fix two places in which it was
on the stack to harmonize. The only stack variable is in reception of
new E1 messages (e1ap_handle_message()), which uses
ASN_STRUCT_FREE_CONTENTS_ONLY().

This fixes bugs similar to these logs:

    Direct leak of 40 byte(s) in 1 object(s) allocated from:
        #0 0x7f418f4e68a3 in calloc (/lib64/libasan.so.8+0xe68a3) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #1 0x00000049e367 in calloc_or_fail /home/richie/oai/common/utils/utils.h:74
        #2 0x00000049e367 in encode_e1_bearer_context_release_command /home/richie/oai/openair2/E1AP/lib/e1ap_bearer_context_management.c:1235
        #3 0x000000482951 in e1apCUCP_send_BEARER_CONTEXT_RELEASE_COMMAND /home/richie/oai/openair2/E1AP/e1ap.c:546
        #4 0x000000482951 in E1AP_CUCP_task /home/richie/oai/openair2/E1AP/e1ap.c:856
        #5 0x7f418f428ee5 in asan_thread_start(void*) (/lib64/libasan.so.8+0x28ee5) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)

    Direct leak of 40 byte(s) in 1 object(s) allocated from:
        #0 0x7f418f4e68a3 in calloc (/lib64/libasan.so.8+0xe68a3) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #1 0x00000049380a in calloc_or_fail /home/richie/oai/common/utils/utils.h:74
        #2 0x00000049380a in encode_E1_bearer_context_setup_request /home/richie/oai/openair2/E1AP/lib/e1ap_bearer_context_management.c:578
        #3 0x00000047f6a2 in e1apCUCP_send_BEARER_CONTEXT_SETUP_REQUEST /home/richie/oai/openair2/E1AP/e1ap.c:378
        #4 0x0000004829f8 in E1AP_CUCP_task /home/richie/oai/openair2/E1AP/e1ap.c:846
        #5 0x7f418f428ee5 in asan_thread_start(void*) (/lib64/libasan.so.8+0x28ee5) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)

    Direct leak of 40 byte(s) in 1 object(s) allocated from:
        #0 0x7f418f4e68a3 in calloc (/lib64/libasan.so.8+0xe68a3) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #1 0x00000046ede7 in calloc_or_fail /home/richie/oai/common/utils/utils.h:74
        #2 0x00000046ede7 in encode_e1ap_cuup_setup_response /home/richie/oai/openair2/E1AP/lib/e1ap_interface_management.c:305
        #3 0x00000047e412 in e1ap_send_SETUP_RESPONSE /home/richie/oai/openair2/E1AP/e1ap.c:167
        #4 0x000000482a68 in E1AP_CUCP_task /home/richie/oai/openair2/E1AP/e1ap.c:836
        #5 0x7f418f428ee5 in asan_thread_start(void*) (/lib64/libasan.so.8+0x28ee5) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
rpousa pushed a commit to rpousa/OAI_EWOC that referenced this pull request Jan 14, 2026
    Direct leak of 100 byte(s) in 1 object(s) allocated from:
        #0 0x7f6585ee6f2b in malloc (/lib64/libasan.so.8+0xe6f2b) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #1 0x000000414a0d in malloc_or_fail /home/richie/oai/common/utils/utils.h:86
        #2 0x0000004061c9 in main /home/richie/oai/tests/nr-cuup/nr-cuup-load-test.c:544
        #3 0x7f6585211574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
        #4 0x7f6585211627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
        #5 0x000000413034 in _start (/home/richie/oai/build/tests/nr-cuup/nr-cuup-load-test+0x413034) (BuildId: 8af0132792b03fa12ba95b5623865c9a8a5625a3)

    Direct leak of 100 byte(s) in 1 object(s) allocated from:
        #0 0x7f6585ee6f2b in malloc (/lib64/libasan.so.8+0xe6f2b) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #1 0x000000414a0d in malloc_or_fail /home/richie/oai/common/utils/utils.h:86
        #2 0x0000004061ff in main /home/richie/oai/tests/nr-cuup/nr-cuup-load-test.c:546
        #3 0x7f6585211574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
        #4 0x7f6585211627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
        #5 0x000000413034 in _start (/home/richie/oai/build/tests/nr-cuup/nr-cuup-load-test+0x413034) (BuildId: 8af0132792b03fa12ba95b5623865c9a8a5625a3)
rpousa pushed a commit to rpousa/OAI_EWOC that referenced this pull request Jan 14, 2026
    Direct leak of 8 byte(s) in 1 object(s) allocated from:
        #0 0x7f7bc7ee68a3 in calloc (/lib64/libasan.so.8+0xe68a3) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #1 0x0000004abfa6 in calloc_or_fail /home/richie/oai/common/utils/utils.h:74
        #2 0x0000004abfa6 in decode_e1ap_cuup_setup_request /home/richie/oai/openair2/E1AP/lib/e1ap_interface_management.c:219
        #3 0x00000046a9f5 in e1apCUCP_handle_SETUP_REQUEST /home/richie/oai/openair2/E1AP/e1ap.c:187
        #4 0x000000470b35 in e1ap_handle_message /home/richie/oai/openair2/E1AP/e1ap.c:109
        #5 0x000000470b35 in e1_task_handle_sctp_data_ind /home/richie/oai/openair2/E1AP/e1ap.c:120
        #6 0x00000047717b in E1AP_CUCP_task /home/richie/oai/openair2/E1AP/e1ap.c:832
        #7 0x7f7bc7e28ee5 in asan_thread_start(void*) (/lib64/libasan.so.8+0x28ee5) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)

    Direct leak of 8 byte(s) in 1 object(s) allocated from:
        #0 0x7f7bc7ee68a3 in calloc (/lib64/libasan.so.8+0xe68a3) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
        #1 0x0000004ac30c in calloc_or_fail /home/richie/oai/common/utils/utils.h:74
        #2 0x0000004ac30c in decode_e1ap_cuup_setup_request /home/richie/oai/openair2/E1AP/lib/e1ap_interface_management.c:194
        #3 0x00000046a9f5 in e1apCUCP_handle_SETUP_REQUEST /home/richie/oai/openair2/E1AP/e1ap.c:187
        #4 0x000000470b35 in e1ap_handle_message /home/richie/oai/openair2/E1AP/e1ap.c:109
        #5 0x000000470b35 in e1_task_handle_sctp_data_ind /home/richie/oai/openair2/E1AP/e1ap.c:120
        #6 0x00000047717b in E1AP_CUCP_task /home/richie/oai/openair2/E1AP/e1ap.c:832
        #7 0x7f7bc7e28ee5 in asan_thread_start(void*) (/lib64/libasan.so.8+0x28ee5) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)