| Title | Open5GS AMF v2.7.7 Denial of Service |
|---|---|

## Description

### Open5GS Release, Revision, or Tag
v2.7.7
### Description
AMF aborts if an SMF returns `200 OK` or `204 No Content` for:
```text
POST /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify
```
but omits `SmContextUpdatedData.n2SmInfo` while the AMF is waiting for the
Service Request activation response.
The reachable live path is:
```text
UE Service Request with Uplink Data Status
-> gmm_handle_service_request()
-> amf_sbi_send_activating_session()
-> POST /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify
-> amf_nsmf_pdusession_handle_update_sm_context()
```
`gmm_handle_service_request()` triggers that `/modify` transaction at
`../src/amf/gmm-handler.c:855-860`. When the success response comes back
without `n2SmInfo`, `amf_nsmf_pdusession_handle_update_sm_context()` falls into
the success/no-N2 branch and reaches the explicit “Not reached here” abort for
`AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST`:
```c
} else if (state == AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST) {
ogs_assert_if_reached();
}
```
at `../src/amf/nsmf-handler.c:643-646`.
### Root Cause
- Entry chain:
  ```text
  Service Request with active PDU session
  -> gmm_handle_service_request()
  -> amf_sbi_send_activating_session()
  -> SMF POST /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify
  -> amf_nsmf_pdusession_handle_update_sm_context()
  ```
- Crash site: `../src/amf/nsmf-handler.c:646`
- Root cause family: assertion on an "impossible" success-state combination that is reachable from an untrusted peer response
- Controlling field / condition: success response with missing `SmContextUpdatedData.n2SmInfo`
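The crash branch and a defensive alternative, modelled in plain C as an added example (not Open5GS code): the state names, result codes and `handle_update_*` functions are this example's own, standing in for the `AMF_UPDATE_SM_CONTEXT_*` dispatch described above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Modelled AMF update states. The names stand in for the two states the report
 * quotes (AMF_UPDATE_SM_CONTEXT_MODIFIED / _SERVICE_REQUEST); not Open5GS types. */
typedef enum { ST_MODIFIED, ST_SERVICE_REQUEST } update_state_t;

/* Minimal model of the SMF /modify reply: HTTP status and whether the body
 * carried SmContextUpdatedData.n2SmInfo. */
typedef struct { int status; bool has_n2_sm_info; } sm_update_resp_t;

typedef enum {
    R_OK,          /* update finished, nothing further to send */
    R_FORWARD_N2,  /* n2SmInfo present: build the N2 message and continue */
    R_REJECT,      /* SMF reply is unusable: fail this transaction only */
    R_ABORT        /* stands for ogs_assert_if_reached(): the AMF process dies */
} result_t;

static bool is_success(int status) { return status == 200 || status == 204; }

/* Vulnerable shape: a 2xx without n2SmInfo is treated as impossible while a
 * Service Request activation is pending, so that branch asserts. */
result_t handle_update_vulnerable(update_state_t st, sm_update_resp_t r) {
    if (!is_success(r.status)) return R_REJECT;
    if (r.has_n2_sm_info)      return R_FORWARD_N2;
    if (st == ST_MODIFIED)     return R_OK;
    return R_ABORT;  /* the "Not reached here" path from the report */
}

/* Hardened shape: the same combination is a malformed peer response and is
 * rejected for this UE, never treated as an internal invariant. */
result_t handle_update_hardened(update_state_t st, sm_update_resp_t r) {
    if (!is_success(r.status)) return R_REJECT;
    if (st == ST_SERVICE_REQUEST && !r.has_n2_sm_info) {
        fprintf(stderr, "SMF /modify 2xx without mandatory n2SmInfo during "
                        "Service Request activation: rejecting\n");
        return R_REJECT;
    }
    return r.has_n2_sm_info ? R_FORWARD_N2 : R_OK;
}

int main(void) {
    sm_update_resp_t empty_204 = { 204, false };  /* constructed sample reply */
    printf("vulnerable=%d hardened=%d\n",
           handle_update_vulnerable(ST_SERVICE_REQUEST, empty_204),
           handle_update_hardened(ST_SERVICE_REQUEST, empty_204));
    return 0;
}
```

The control case from the reproduction steps (`MODIFIED` state, empty 2xx) returns `R_OK` in both shapes; only the Service Request state diverges.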
### Steps to Reproduce
1. Ensure the local direct harness exists:
```text
/home/ubuntu/open5gs_277/.audit_tmp/amf_direct_crash_harness
/home/ubuntu/open5gs_277/.audit_tmp/amf_direct_crash_harness.c
```
2. Control experiment: same empty success response, but use a non-crashing AMF
state (`AMF_UPDATE_SM_CONTEXT_MODIFIED`):
```bash
LD_LIBRARY_PATH=/home/ubuntu/open5gs_277/open5gs/build-audit/lib/app:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/common:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/ngap:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/util:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/core:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/crypt:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/metrics:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/nas/5gs:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/nas/common:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/ngap:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/proto:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sbi:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sbi/openapi:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sctp:\
/home/ubuntu/open5gs_277/open5gs/build-audit/subprojects/prometheus-client-c \
/home/ubuntu/open5gs_277/.audit_tmp/amf_direct_crash_harness nsmf-control
```
3. Malicious experiment: same empty success response, but use the live AMF
Service Request state (`AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST`):
```bash
LD_LIBRARY_PATH=/home/ubuntu/open5gs_277/open5gs/build-audit/lib/app:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/common:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/ngap:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/util:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/core:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/crypt:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/metrics:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/nas/5gs:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/nas/common:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/ngap:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/proto:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sbi:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sbi/openapi:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sctp:\
/home/ubuntu/open5gs_277/open5gs/build-audit/subprojects/prometheus-client-c \
/home/ubuntu/open5gs_277/.audit_tmp/amf_direct_crash_harness nsmf-missing-n2
```
### Logs
```text
04/13 08:47:36.328: [amf] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../src/amf/nudm-handler.c:361)
04/13 08:47:36.328: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.14:80] (../src/amf/nudm-handler.c:361)
04/13 08:47:36.330: [sbi] INFO: [5ac5b314-3644-41f1-b7b4-21a7b4c43293] Setup NF Instance [type:PCF] (../lib/sbi/path.c:307)
04/13 08:47:36.333: [amf] INFO: Setup NF EndPoint(fqdn) [pcf.open5gs.org:0] (../src/amf/npcf-handler.c:143)
04/13 08:47:36.333: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.10:80] (../src/amf/npcf-handler.c:143)
04/13 08:47:36.536: [gmm] INFO: [imsi-001011234567891] Registration complete (../src/amf/gmm-sm.c:3146)
04/13 08:47:36.536: [amf] INFO: [imsi-001011234567891] Configuration update command (../src/amf/nas-path.c:609)
04/13 08:47:36.536: [gmm] INFO: UTC [2026-04-13T08:47:36] Timezone[0]/DST[0] (../src/amf/gmm-build.c:551)
04/13 08:47:36.536: [gmm] INFO: LOCAL [2026-04-13T08:47:36] Timezone[0]/DST[0] (../src/amf/gmm-build.c:556)
04/13 08:47:36.536: [amf] INFO: [Added] Number of AMF-Sessions is now 1 (../src/amf/context.c:2798)
04/13 08:47:36.536: [gmm] INFO: UE SUPI[imsi-001011234567891] DNN[internet] LBO[0] S_NSSAI[SST:1 SD:0x1] smContextRef[NULL] smContextResourceURI[NULL] (../src/amf/gmm-handler.c:1419)
04/13 08:47:36.536: [gmm] INFO: V-SMF Instance [6b46951a-3715-41f1-a195-cb642406bdb9](LIST) (../src/amf/gmm-handler.c:1496)
04/13 08:47:36.536: [gmm] INFO: [6b46951a-3715-41f1-a195-cb642406bdb9] Setup NF Instance [type:SMF] (../src/amf/gmm-handler.c:1498)
04/13 08:47:36.536: [gmm] INFO: V-SMF Instance [6b46951a-3715-41f1-a195-cb642406bdb9] (../src/amf/gmm-handler.c:1508)
04/13 08:47:36.536: [gmm] INFO: V-SMF discovered in Non-Roaming or LBO-Roaming[0] (../src/amf/gmm-handler.c:1577)
04/13 08:47:36.536: [gmm] INFO: nsmf_pdusession [1:0x56175242b090:(nil)] (../src/amf/gmm-handler.c:1617)
04/13 08:47:36.562: [amf] INFO: Setup NF EndPoint(fqdn) [smf.open5gs.org:0] (../src/amf/nsmf-handler.c:140)
04/13 08:47:36.562: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.15:80] (../src/amf/nsmf-handler.c:140)
04/13 08:47:36.579: [amf] INFO: [imsi-001011234567891:1:11][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:954)
04/13 08:48:01.043: [amf] INFO: gNB-N2[10.33.33.6] connection refused!!! (../src/amf/amf-sm.c:1013)
04/13 08:48:01.049: [amf] INFO: [Removed] Number of gNBs is now 0 (../src/amf/context.c:1305)
04/13 08:48:01.053: [amf] INFO: [Removed] Number of gNB-UEs is now 0 (../src/amf/context.c:2784)
04/13 08:48:01.053: [amf] INFO: [imsi-001011234567891:1:51][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:954)
04/13 08:48:11.188: [amf] INFO: gNB-N2 accepted[10.33.33.6]:49064 in ng-path module (../src/amf/ngap-sctp.c:113)
04/13 08:48:11.188: [amf] INFO: gNB-N2 accepted[10.33.33.6] in master_sm module (../src/amf/amf-sm.c:953)
04/13 08:48:11.195: [amf] INFO: [Added] Number of gNBs is now 1 (../src/amf/context.c:1277)
04/13 08:48:11.195: [amf] INFO: gNB-N2[10.33.33.6] max_num_of_ostreams : 10 (../src/amf/amf-sm.c:1000)
04/13 08:48:26.937: [sbi] INFO: [6b46951a-3715-41f1-a195-cb642406bdb9] (NRF-notify) NF_DEREGISTERED event [type:SMF] (../lib/sbi/nnrf-handler.c:1186)
04/13 08:55:24.680: [amf] INFO: gNB-N2[10.33.33.6] connection refused!!! (../src/amf/amf-sm.c:1013)
04/13 08:55:24.687: [amf] INFO: [Removed] Number of gNBs is now 0 (../src/amf/context.c:1305)
04/13 08:56:06.143: [amf] INFO: gNB-N2 accepted[10.33.33.6]:40624 in ng-path module (../src/amf/ngap-sctp.c:113)
04/13 08:56:06.143: [amf] INFO: gNB-N2 accepted[10.33.33.6] in master_sm module (../src/amf/amf-sm.c:953)
04/13 08:56:06.151: [amf] INFO: [Added] Number of gNBs is now 1 (../src/amf/context.c:1277)
04/13 08:56:06.151: [amf] INFO: gNB-N2[10.33.33.6] max_num_of_ostreams : 10 (../src/amf/amf-sm.c:1000)
04/13 08:56:49.438: [amf] INFO: InitialUEMessage (../src/amf/ngap-handler.c:461)
04/13 08:56:49.438: [amf] INFO: [Added] Number of gNB-UEs is now 1 (../src/amf/context.c:2777)
04/13 08:56:49.438: [amf] INFO: [suci-0-001-01-0000-0-0-1234567891] 5G-S_TMSI[AMF_ID:0x20040,M_TMSI:0xc00003fc] (../src/amf/ngap-handler.c:542)
04/13 08:56:49.438: [amf] INFO: RAN_UE_NGAP_ID[1] AMF_UE_NGAP_ID[2] TAC[1] CellID[0x10] (../src/amf/ngap-handler.c:622)
04/13 08:56:49.442: [gmm] INFO: Service request (../src/amf/gmm-sm.c:1835)
04/13 08:56:49.443: [gmm] INFO: [suci-0-001-01-0000-0-0-1234567891] 5G-S_GUTI[AMF_ID:0x20040,M_TMSI:0xc00003fc] (../src/amf/gmm-handler.c:754)
04/13 08:56:49.582: [amf] FATAL: amf_nsmf_pdusession_handle_update_sm_context: should not be reached. (../src/amf/nsmf-handler.c:646)
04/13 08:56:49.624: [core] FATAL: backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)
open5gs-amfd(+0x5e56e) [0x561751c1356e]
open5gs-amfd(+0x4cf17) [0x561751c01f17]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7f70b0781abc]
open5gs-amfd(+0xba4d) [0x561751bc0a4d]
/usr/local/lib/libogscore.so.2(+0x12b4f) [0x7f70b0771b4f]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f70af929ac3]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7f70af9baa84]
/usr/local/bin/entrypoint.sh: line 10: 7 Aborted (core dumped) open5gs-amfd "${@}"
```
### Expected behaviour
The AMF should reject success responses that omit mandatory `n2SmInfo` for the
current activation state, not abort on an internal assertion.
### Observed behaviour
A single malformed SMF `/modify` success response aborts the AMF process during
Service Request handling.
### eNodeB/gNodeB
UERANSIM gNB v3.2.7 with a local single-AMF fallback for Service Request
`InitialUEMessage` forwarding.
### UE Models and versions
UERANSIM UE v3.2.7

| Source | https://github.com/open5gs/open5gs/issues/4409 |
|---|---|
| User | FrankyLin (UID 94345) |
| Submission | 2026-04-15 16:24 (2 months ago) |
| Moderation | 2026-05-03 09:21 (18 days later) |
| Status | Accepted |
| VulDB Entry | 360882 [Open5GS up to 2.7.7 AMF /src/amf/gmm-handler.c gmm_handle_service_request denial of service] |
| Points | 20 |