Bug #3426

gprs_llc_process_xid_ind() does not echo L3_PAR, breaks PDP activation for Motorola KRZR

Added by keith about 2 years ago. Updated over 1 year ago.

In Progress
Target version:
Start date:
Due date:
% Done:


Spec Reference:


In gprs_llc_process_xid_ind()
(at the time of writing)

We check if (xid_field->type != GPRS_LLC_XID_T_L3_PAR)
before echoing the XID to the MS

The Motorola KRZR responds by sending the XID list again and repeats 4 times before giving up and sending PDP deactivate context, with a cause 25 "LLC or SNDCP Failure"

Removing the check for xid_field->type != GPRS_LLC_XID_T_L3_PAR and echoing the L3 parameter back results in PDP activation success and GPRS session works.

Why this check? Why do we not echo all the xid fields back? Did it break with some other phone?

krzr_llc.pre_patch.pcap krzr_llc.pre_patch.pcap 1.6 KB keith, 04/29/2019 05:44 PM
krzr_llc.post_patch.pcap krzr_llc.post_patch.pcap 1.11 KB keith, 04/29/2019 05:44 PM


#1 Updated by laforge about 2 years ago

I purchased a KRZR 3 for the sysmocom lab. Not sure when somebody will be able to try to reproduce, but at least we should be able to do now.

#2 Updated by keith about 2 years ago

I've been running SGSN now for some weeks with this patch in place to allow the KRZR to attach and I have not seen any related problems. (with any other phone)

#3 Updated by keith about 2 years ago

TS 04.06 [EDIT correction TS 04.64 ] is kind of confusing here.

On the one had it says:
As an optimisation, parameters confirming the requested values may be omitted from the XID response.


The responding side may respond with parameters that were not included in the XID command. A parameter that was
not included in the XID command shall in this case be treated as if the current value of the parameter was included in
the XID command. The responding side shall include such a parameter in every XID response until the parameter has
been explicitly negotiated
, either by responding to an XID command that included the parameter, or by explicitly
including the parameter the next time an XID command is transmitted.


Negotiated XID parameters shall apply to the LLE identified by the DLCI of the XID frames used, except Version,
Reset, and IOV-UI that applies to an LLME (i.e., a TLLI), and except Layer-3 Parameters that apply to the layer 3
above the LLE

So from that I understand that while we may not actually be applying this L3 param to the LLE identified by the DLCI (to be honest, I haven't even looked up what the dlci is), we still MUST include it in the response.

Maybe this is a mis understanding that is the origin of this

if (xid_field->type != GPRS_LLC_XID_T_L3_PAR)

in the code?


#4 Updated by keith over 1 year ago

  • Assignee set to dexter

#5 Updated by keith over 1 year ago

note to self: attach patch and .pcap

#6 Updated by laforge over 1 year ago

The point is that the L3 parameters are handled in SNDCP, and not in LLC. So the LLC code is correct to only handle the non-L3. The behavioral difference (and possible bug) hence is in the SNDCP XID handling.

What we need is a pcap file showing request and response for both the modified and the unmodified code.

#7 Updated by laforge over 1 year ago

#8 Updated by lynxis over 1 year ago

The interesting function might be the sndcp_sn_xid_ind() in the sgsn.

#10 Updated by keith over 1 year ago

  • Assignee changed from dexter to keith

#11 Updated by laforge over 1 year ago

  • Status changed from New to In Progress

I'm writing a testcase for this. It should be reasonably simple to send a MO XID with empty L3, and check the response.

note: We don't really have reasonable XID related tests yet.

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)