Enviar #806251: Open5gs UDM v2.7.7 Denial of Serviceinformación

TítuloOpen5gs UDM v2.7.7 Denial of Service
Descripción### Open5GS Release, Revision, or Tag v2.7.7 ### Steps to reproduce ### Description This merged report covers the confirmed UDM reachability variants that hit the same crash site: ```c ogs_assert(udm_ue->amf_3gpp_access_registration); ``` at `../src/udm/nudm-handler.c:454`. The shared state mismatch is the same in all variants: a fresh `udm_ue` exists, but no AMF registration object has ever been created for it, and a request with `purgeFlag:true` is routed into `udm_nudm_uecm_handle_amf_registration_update()`. Confirmed reachability variants: 1. Direct route: `PATCH /nudm-uecm/v1/{supi}/registrations/amf-3gpp-access` 2. Misrouted child-resource variants: `PATCH /nudm-uecm/v1/{supi}/registrations/amf-3gpp-access/pei-update` and `PATCH /nudm-uecm/v1/{supi}/registrations/amf-3gpp-access/roaming-info-update` ### Root cause - Shared crash site: `../src/udm/nudm-handler.c:454` - Root cause family: assertion on missing precondition state - Direct route: `PATCH /nudm-uecm/v1/{supi}/registrations/amf-3gpp-access` - Route-confusion variants: `PATCH /nudm-uecm/v1/{supi}/registrations/amf-3gpp-access/*` - Controlling fields: `guami` and `purgeFlag` ### Direct Reproduction Prime a fresh UE context via: ```bash SUPI=imsi-001011234567896 curl --http2-prior-knowledge -sS -i -m 8 \ "http://10.33.33.10/nudm-sdm/v2/$SUPI/am-data" ``` ### Logs ```shell curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream exited 139 2026-04-15T14:43:28.673980241Z 0 04/15 14:43:27.599: [sbi] INFO: NF Service [nudm-ueau] (../lib/sbi/context.c:1985) 04/15 14:43:27.599: [sbi] INFO: NF Service [nudm-uecm] (../lib/sbi/context.c:1985) 04/15 14:43:27.599: [sbi] INFO: NF Service [nudm-sdm] (../lib/sbi/context.c:1985) 04/15 14:43:27.608: [sbi] INFO: nghttp2_server() [http://udm.open5gs.org]:80 (../lib/sbi/nghttp2-server.c:434) 04/15 14:43:27.608: [app] INFO: UDM initialize...done (../src/udm/app.c:31) 04/15 14:43:27.611: [sbi] INFO: [76b74a1e-38d9-41f1-8c51-cbe8e6997d90] NF registered [Heartbeat:10s] (../lib/sbi/nf-sm.c:341) 04/15 14:43:27.613: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969) 04/15 14:43:27.613: [sbi] INFO: [76b9ac32-38d9-41f1-83d3-81714110b74b] Subscription created until 2026-04-16T14:43:27.613476+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888) 04/15 14:43:27.613: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969) 04/15 14:43:27.613: [sbi] INFO: [76b9b218-38d9-41f1-83d3-81714110b74b] Subscription created until 2026-04-16T14:43:27.613614+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888) 04/15 14:43:27.616: [sbi] INFO: [a9996ea0-38d7-41f1-b953-63be20b73eef] (NRF-profile-get) NF registered (../lib/sbi/nf-sm.c:81) 04/15 14:43:27.616: [sbi] INFO: [UDR] NFInstance associated [a9996ea0-38d7-41f1-b953-63be20b73eef] (../lib/sbi/context.c:2441) 04/15 14:43:27.616: [sbi] INFO: Setup NF EndPoint(fqdn) [udr.open5gs.org:0] (../lib/sbi/context.c:2446) 04/15 14:43:27.616: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.10:80] (../lib/sbi/context.c:2446) 04/15 14:43:27.616: [sbi] INFO: [nudr-dr] NFService associated [a999de94-38d7-41f1-b953-63be20b73eef] (../lib/sbi/context.c:2109) 04/15 14:43:27.616: [sbi] INFO: Setup NF EndPoint(fqdn) [udr.open5gs.org:0] (../lib/sbi/context.c:2111) 04/15 14:43:27.616: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.10:80] (../lib/sbi/context.c:2111) 04/15 14:43:28.580: [sbi] INFO: [a9996ea0-38d7-41f1-b953-63be20b73eef] Setup NF Instance [type:UDR] (../lib/sbi/path.c:307) 04/15 14:43:28.582: [udm] ERROR: [imsi-001011234567896] No AccessAndMobilitySubscriptionData (../src/udm/nudr-handler.c:664) 04/15 14:43:28.586: [udm] FATAL: udm_nudm_uecm_handle_amf_registration_update: Assertion `udm_ue->amf_3gpp_access_registration' failed. (../src/udm/nudm-handler.c:454) 04/15 14:43:28.588: [core] FATAL: backtrace() returned 10 addresses (../lib/core/ogs-abort.c:37) open5gs-udmd(+0x14a15) [0x561758b77a15] open5gs-udmd(+0xa4e7) [0x561758b6d4e7] /usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7f7222db8abc] open5gs-udmd(+0xf0ff) [0x561758b720ff] /usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7f7222db8abc] open5gs-udmd(+0x6243) [0x561758b69243] /usr/local/lib/libogscore.so.2(+0x12b4f) [0x7f7222da8b4f] /lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f722249dac3] /lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7f722252ea84] ``` ### Expected behaviour UDM should reject `purgeFlag` updates when no AMF registration state exists, and should reject unsupported `PATCH` child-resource routes instead of routing them into the AMF registration update handler. ### Observed Behaviour All confirmed variants hit the same assertion and abort the UDM process. ### eNodeB/gNodeB Not required. ### UE Models and versions Not required.
Fuente⚠️ https://github.com/open5gs/open5gs/issues/4420
Usuario
 FrankyLin (UID 94345)
Sumisión2026-04-16 05:39 (hace 2 meses)
Moderación2026-05-04 17:50 (19 days later)
EstadoAceptado
Entrada de VulDB360978 [Open5GS hasta 2.7.7 amf-3gpp-access Endpoint /src/udm/nudm-handler.c udm_nudm_uecm_handle_amf_registration_update denegación de servicio]
Puntos20

AnteriorVisión De ConjuntoPróximo

Do you know our Splunk app?

Download it now for free!