| Title | Open5gs SMF v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
When SMF operates in the home-routed V-SMF role and receives a
`201 Created` response for `POST /nsmf-pdusession/v1/pdu-sessions`, it aborts
if `PduSessionCreatedData` omits `qosFlowsSetupList`.
The response handler stores `sess->h_smf_qos_flows_setup_list` only if the
received list exists and has at least one item:
```c
qosFlowsSetupList = OpenAPI_list_create();
...
if (qosFlowsSetupList->count)
    sess->h_smf_qos_flows_setup_list = qosFlowsSetupList;
else
    OpenAPI_list_free(qosFlowsSetupList);
```
But the later NAS builder for HR V-SMF unconditionally asserts that the list is
present:
```c
if (HOME_ROUTED_ROAMING_IN_VSMF(sess)) {
    qosFlowsSetupList = sess->h_smf_qos_flows_setup_list;
    ogs_assert(qosFlowsSetupList);
```
So a crafted H-SMF `201 Created` response with valid earlier fields but no
`qosFlowsSetupList` leads to a fatal assertion in
`gsm_build_pdu_session_establishment_accept()`.
This issue is distinct from the related `missing hcnTunnelInfo` response-path
crash. Here `hcnTunnelInfo` is present and valid; the abort happens later
during NAS construction.
### Steps to reproduce
1. Run a fake H-SMF h2c server on `10.33.33.1:18083` that answers
   `POST /nsmf-pdusession/v1/pdu-sessions` with:
   - HTTP status `201`
   - `Location: http://10.33.33.1:18083/nsmf-pdusession/v1/pdu-sessions/fake-3`
   - a multipart body containing JSON `PduSessionCreatedData` with:
     - `n1SmInfoToUe`
     - `pduSessionType: "IPV4"`
     - `sscMode: "1"`
     - `ueIpv4Address`
     - valid `hcnTunnelInfo`
     - but no `qosFlowsSetupList`
2. Send `POST /nsmf-pdusession/v1/sm-contexts` to the local SMF with:
   - a full DNN such as `internet.mnc001.mcc001.gprs`
   - `hSmfUri` pointing to the fake H-SMF
   - minimal `n1SmMsg` payload `c191a1`
3. Wait for the fake H-SMF to log:
```text
REQ POST /nsmf-pdusession/v1/pdu-sessions
RESP sent 322
```
4. Check SMF state and logs:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-11T05:46:54Z smf
```
### Logs
```text
Fake H-SMF log:
REQ POST /nsmf-pdusession/v1/pdu-sessions
BODYLEN 691
RESP sent 322
SMF state:
exited 139 2026-04-11T05:47:13.014793159Z
SMF log:
04/11 05:47:12.916: [smf] INFO: Setup NF EndPoint(addr) [10.33.33.1:18083] (../src/smf/nsmf-handler.c:2040)
04/11 05:47:12.916: [smf] INFO: UE SUPI[imsi-001011234567895] DNN[internet] S_NSSAI[SST:1 SD:0xffffff] pduSessionRef[fake-3] pduSessionResourceURI[http://10.33.33.1:18083/nsmf-pdusession/v1/pdu-sessions/fake-3] (../src/smf/nsmf-handler.c:2078)
04/11 05:47:12.918: [gsm] FATAL: gsm_build_pdu_session_establishment_accept: Assertion `qosFlowsSetupList' failed. (../src/smf/gsm-build.c:101)
```
### Expected behaviour
SMF should reject the malformed `PduSessionCreatedData` response and terminate only the affected transaction.
### Observed Behaviour
The crafted H-SMF response aborts the entire SMF process with exit code `139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| Source | ⚠️ https://github.com/open5gs/open5gs/issues/4449 |
|---|
| User | FrankLin (UID 97501) |
|---|
| Submission | 2026-04-20 21:21 (2 months ago) |
|---|
| Moderation | 2026-05-10 17:44 (20 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 362565 [Open5GS up to 2.7.7 SMF OpenAPI_list_create denial of service] |
|---|
| Points | 20 |
|---|
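
The expected behaviour stated in the report (reject the malformed response and fail only the affected session) can be modelled as below. This is an added example, not Open5GS code and not the project's fix; `list_t`, `sess_t`, `store_qos_flows`, `build_establishment_accept`, `handle_created_response` and the `BUILD_*` codes are simplified, hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins (assumptions), not the Open5GS types. */
typedef struct { size_t count; } list_t;
typedef struct { list_t *h_smf_qos_flows_setup_list; int released; } sess_t;
enum { BUILD_OK = 0, BUILD_REJECTED = -1 };

/* Response handler: same keep-only-if-non-empty logic as the snippet in the
 * report, but an absent or empty list is reported to the caller. */
static int store_qos_flows(sess_t *sess, size_t received_items)
{
    list_t *l = calloc(1, sizeof(*l));
    if (!l) return BUILD_REJECTED;
    l->count = received_items;
    if (!l->count) {
        free(l);                    /* session field stays NULL */
        return BUILD_REJECTED;
    }
    sess->h_smf_qos_flows_setup_list = l;
    return BUILD_OK;
}

/* NAS builder: a runtime check on peer-supplied state instead of an assert. */
static int build_establishment_accept(const sess_t *sess)
{
    const list_t *l = sess->h_smf_qos_flows_setup_list;
    return (l && l->count) ? BUILD_OK : BUILD_REJECTED;
}

/* One constructed H-SMF response through both stages; on rejection only
 * this session is marked released and the process keeps running. */
static int handle_created_response(size_t qos_items, int *released)
{
    sess_t sess = {0};
    int rc = store_qos_flows(&sess, qos_items);
    if (rc == BUILD_OK)
        rc = build_establishment_accept(&sess);
    if (rc != BUILD_OK)
        sess.released = 1;
    *released = sess.released;
    free(sess.h_smf_qos_flows_setup_list);
    return rc;
}

int main(void)
{
    int released = 0;
    return handle_created_response(0, &released) == BUILD_REJECTED ? 0 : 1;
}
```

The builder keeps its own check even though the handler already rejects, so a session that reaches NAS construction through another path with the field unset still fails per session rather than per process.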