Submission #805698: Open5GS AMF v2.7.7 Denial of Service

Information

Title: Open5GS AMF v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

AMF aborts if an SMF returns `200 OK` or `204 No Content` for:

```text
POST /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify
```

but omits `SmContextUpdatedData.n2SmInfo` while the AMF is waiting for the Service Request activation response.

The reachable live path is:

```text
UE Service Request with Uplink Data Status
  -> gmm_handle_service_request()
  -> amf_sbi_send_activating_session()
  -> POST /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify
  -> amf_nsmf_pdusession_handle_update_sm_context()
```

`gmm_handle_service_request()` triggers that `/modify` transaction at `../src/amf/gmm-handler.c:855-860`. When the success response comes back without `n2SmInfo`, `amf_nsmf_pdusession_handle_update_sm_context()` falls into the success/no-N2 branch and reaches the explicit "Not reached here" abort for `AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST`:

```c
} else if (state == AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST) {
    ogs_assert_if_reached();
}
```

at `../src/amf/nsmf-handler.c:643-646`.

### Root Cause

- Entry chain: Service Request with active PDU session -> `gmm_handle_service_request()` -> `amf_sbi_send_activating_session()` -> SMF `POST /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify` -> `amf_nsmf_pdusession_handle_update_sm_context()`
- Crash site: `../src/amf/nsmf-handler.c:646`
- Root cause family: assertion on impossible success-state combination from untrusted peer response
- Controlling field / condition: success response with missing `SmContextUpdatedData.n2SmInfo`

### Steps to Reproduce

1. Ensure the local direct harness exists:

```text
/home/ubuntu/open5gs_277/.audit_tmp/amf_direct_crash_harness
/home/ubuntu/open5gs_277/.audit_tmp/amf_direct_crash_harness.c
```

2. Control experiment: same empty success response, but use a non-crashing AMF state (`AMF_UPDATE_SM_CONTEXT_MODIFIED`):

```bash
LD_LIBRARY_PATH=/home/ubuntu/open5gs_277/open5gs/build-audit/lib/app:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/common:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/ngap:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/util:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/core:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/crypt:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/metrics:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/nas/5gs:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/nas/common:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/ngap:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/proto:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sbi:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sbi/openapi:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sctp:\
/home/ubuntu/open5gs_277/open5gs/build-audit/subprojects/prometheus-client-c \
/home/ubuntu/open5gs_277/.audit_tmp/amf_direct_crash_harness nsmf-control
```

3. Malicious experiment: same empty success response, but use the live AMF Service Request state (`AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST`):

```bash
LD_LIBRARY_PATH=/home/ubuntu/open5gs_277/open5gs/build-audit/lib/app:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/common:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/ngap:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/asn1c/util:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/core:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/crypt:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/metrics:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/nas/5gs:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/nas/common:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/ngap:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/proto:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sbi:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sbi/openapi:\
/home/ubuntu/open5gs_277/open5gs/build-audit/lib/sctp:\
/home/ubuntu/open5gs_277/open5gs/build-audit/subprojects/prometheus-client-c \
/home/ubuntu/open5gs_277/.audit_tmp/amf_direct_crash_harness nsmf-missing-n2
```

### Logs

```text
04/13 08:47:36.328: [amf] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../src/amf/nudm-handler.c:361)
04/13 08:47:36.328: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.14:80] (../src/amf/nudm-handler.c:361)
04/13 08:47:36.330: [sbi] INFO: [5ac5b314-3644-41f1-b7b4-21a7b4c43293] Setup NF Instance [type:PCF] (../lib/sbi/path.c:307)
04/13 08:47:36.333: [amf] INFO: Setup NF EndPoint(fqdn) [pcf.open5gs.org:0] (../src/amf/npcf-handler.c:143)
04/13 08:47:36.333: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.10:80] (../src/amf/npcf-handler.c:143)
04/13 08:47:36.536: [gmm] INFO: [imsi-001011234567891] Registration complete (../src/amf/gmm-sm.c:3146)
04/13 08:47:36.536: [amf] INFO: [imsi-001011234567891] Configuration update command (../src/amf/nas-path.c:609)
04/13 08:47:36.536: [gmm] INFO: UTC [2026-04-13T08:47:36] Timezone[0]/DST[0] (../src/amf/gmm-build.c:551)
04/13 08:47:36.536: [gmm] INFO: LOCAL [2026-04-13T08:47:36] Timezone[0]/DST[0] (../src/amf/gmm-build.c:556)
04/13 08:47:36.536: [amf] INFO: [Added] Number of AMF-Sessions is now 1 (../src/amf/context.c:2798)
04/13 08:47:36.536: [gmm] INFO: UE SUPI[imsi-001011234567891] DNN[internet] LBO[0] S_NSSAI[SST:1 SD:0x1] smContextRef[NULL] smContextResourceURI[NULL] (../src/amf/gmm-handler.c:1419)
04/13 08:47:36.536: [gmm] INFO: V-SMF Instance [6b46951a-3715-41f1-a195-cb642406bdb9](LIST) (../src/amf/gmm-handler.c:1496)
04/13 08:47:36.536: [gmm] INFO: [6b46951a-3715-41f1-a195-cb642406bdb9] Setup NF Instance [type:SMF] (../src/amf/gmm-handler.c:1498)
04/13 08:47:36.536: [gmm] INFO: V-SMF Instance [6b46951a-3715-41f1-a195-cb642406bdb9] (../src/amf/gmm-handler.c:1508)
04/13 08:47:36.536: [gmm] INFO: V-SMF discovered in Non-Roaming or LBO-Roaming[0] (../src/amf/gmm-handler.c:1577)
04/13 08:47:36.536: [gmm] INFO: nsmf_pdusession [1:0x56175242b090:(nil)] (../src/amf/gmm-handler.c:1617)
04/13 08:47:36.562: [amf] INFO: Setup NF EndPoint(fqdn) [smf.open5gs.org:0] (../src/amf/nsmf-handler.c:140)
04/13 08:47:36.562: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.15:80] (../src/amf/nsmf-handler.c:140)
04/13 08:47:36.579: [amf] INFO: [imsi-001011234567891:1:11][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:954)
04/13 08:48:01.043: [amf] INFO: gNB-N2[10.33.33.6] connection refused!!! (../src/amf/amf-sm.c:1013)
04/13 08:48:01.049: [amf] INFO: [Removed] Number of gNBs is now 0 (../src/amf/context.c:1305)
04/13 08:48:01.053: [amf] INFO: [Removed] Number of gNB-UEs is now 0 (../src/amf/context.c:2784)
04/13 08:48:01.053: [amf] INFO: [imsi-001011234567891:1:51][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:954)
04/13 08:48:11.188: [amf] INFO: gNB-N2 accepted[10.33.33.6]:49064 in ng-path module (../src/amf/ngap-sctp.c:113)
04/13 08:48:11.188: [amf] INFO: gNB-N2 accepted[10.33.33.6] in master_sm module (../src/amf/amf-sm.c:953)
04/13 08:48:11.195: [amf] INFO: [Added] Number of gNBs is now 1 (../src/amf/context.c:1277)
04/13 08:48:11.195: [amf] INFO: gNB-N2[10.33.33.6] max_num_of_ostreams : 10 (../src/amf/amf-sm.c:1000)
04/13 08:48:26.937: [sbi] INFO: [6b46951a-3715-41f1-a195-cb642406bdb9] (NRF-notify) NF_DEREGISTERED event [type:SMF] (../lib/sbi/nnrf-handler.c:1186)
04/13 08:55:24.680: [amf] INFO: gNB-N2[10.33.33.6] connection refused!!! (../src/amf/amf-sm.c:1013)
04/13 08:55:24.687: [amf] INFO: [Removed] Number of gNBs is now 0 (../src/amf/context.c:1305)
04/13 08:56:06.143: [amf] INFO: gNB-N2 accepted[10.33.33.6]:40624 in ng-path module (../src/amf/ngap-sctp.c:113)
04/13 08:56:06.143: [amf] INFO: gNB-N2 accepted[10.33.33.6] in master_sm module (../src/amf/amf-sm.c:953)
04/13 08:56:06.151: [amf] INFO: [Added] Number of gNBs is now 1 (../src/amf/context.c:1277)
04/13 08:56:06.151: [amf] INFO: gNB-N2[10.33.33.6] max_num_of_ostreams : 10 (../src/amf/amf-sm.c:1000)
04/13 08:56:49.438: [amf] INFO: InitialUEMessage (../src/amf/ngap-handler.c:461)
04/13 08:56:49.438: [amf] INFO: [Added] Number of gNB-UEs is now 1 (../src/amf/context.c:2777)
04/13 08:56:49.438: [amf] INFO: [suci-0-001-01-0000-0-0-1234567891] 5G-S_TMSI[AMF_ID:0x20040,M_TMSI:0xc00003fc] (../src/amf/ngap-handler.c:542)
04/13 08:56:49.438: [amf] INFO: RAN_UE_NGAP_ID[1] AMF_UE_NGAP_ID[2] TAC[1] CellID[0x10] (../src/amf/ngap-handler.c:622)
04/13 08:56:49.442: [gmm] INFO: Service request (../src/amf/gmm-sm.c:1835)
04/13 08:56:49.443: [gmm] INFO: [suci-0-001-01-0000-0-0-1234567891] 5G-S_GUTI[AMF_ID:0x20040,M_TMSI:0xc00003fc] (../src/amf/gmm-handler.c:754)
04/13 08:56:49.582: [amf] FATAL: amf_nsmf_pdusession_handle_update_sm_context: should not be reached. (../src/amf/nsmf-handler.c:646)
04/13 08:56:49.624: [core] FATAL: backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)
open5gs-amfd(+0x5e56e) [0x561751c1356e]
open5gs-amfd(+0x4cf17) [0x561751c01f17]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7f70b0781abc]
open5gs-amfd(+0xba4d) [0x561751bc0a4d]
/usr/local/lib/libogscore.so.2(+0x12b4f) [0x7f70b0771b4f]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f70af929ac3]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7f70af9baa84]
/usr/local/bin/entrypoint.sh: line 10:     7 Aborted                 (core dumped) open5gs-amfd "${@}"
```

### Expected behaviour

The AMF should reject success responses that omit mandatory `n2SmInfo` for the current activation state, not abort on an internal assertion.

### Observed behaviour

A single malformed SMF `/modify` success response aborts the AMF process during Service Request handling.

### eNodeB/gNodeB

UERANSIM gNB v3.2.7 with a local single-AMF fallback for Service Request `InitialUEMessage` forwarding.

### UE Models and versions

UERANSIM UE v3.2.7
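The report's "Expected behaviour" is a validation rule: in the Service Request activation state a success response without `n2SmInfo` is a peer protocol violation, so it belongs on an error path rather than behind `ogs_assert_if_reached()`. The following C is an added example written for this page, not Open5GS code and not part of the submission; the state enum, the response struct and the function names are hypothetical stand-ins for the AMF's real types, and the sample N2 payload is constructed. It shows the defensive shape of the handler: the success/no-N2 combination is classified per state, logged, and reported as a failure the caller can use to release that one UE's session, while the process keeps serving other UEs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the AMF's SM-context update states
 * (the page names AMF_UPDATE_SM_CONTEXT_MODIFIED and
 * AMF_UPDATE_SM_CONTEXT_SERVICE_REQUEST; these are not those symbols). */
typedef enum {
    UPDATE_STATE_MODIFIED,
    UPDATE_STATE_SERVICE_REQUEST
} update_state_t;

/* Constructed, minimal model of an SMF /modify response: the HTTP status
 * and the optional SmContextUpdatedData.n2SmInfo payload (NULL when the
 * SMF omitted it). */
typedef struct {
    int http_status;
    const unsigned char *n2_sm_info;
    size_t n2_sm_info_len;
} sm_context_updated_t;

typedef enum {
    UPDATE_ACCEPTED = 0,       /* response usable, continue activation */
    UPDATE_REJECT_STATUS,      /* not a 200/204 success, or no response */
    UPDATE_REJECT_MISSING_N2   /* success that omits mandatory n2SmInfo */
} update_verdict_t;

/* Classify a /modify response against the AMF's current state. During a
 * Service Request activation the N2 SM information is mandatory (it is the
 * container the AMF forwards to the gNB), so its absence is a peer error to
 * reject, never an "impossible" state to assert on. */
update_verdict_t check_update_sm_context(update_state_t state,
                                         const sm_context_updated_t *rsp)
{
    if (rsp == NULL)
        return UPDATE_REJECT_STATUS;
    if (rsp->http_status != 200 && rsp->http_status != 204)
        return UPDATE_REJECT_STATUS;

    bool has_n2 = rsp->n2_sm_info != NULL && rsp->n2_sm_info_len > 0;

    switch (state) {
    case UPDATE_STATE_SERVICE_REQUEST:
        return has_n2 ? UPDATE_ACCEPTED : UPDATE_REJECT_MISSING_N2;
    case UPDATE_STATE_MODIFIED:
        /* A plain context modification may legitimately carry no N2 payload. */
        return UPDATE_ACCEPTED;
    }
    return UPDATE_REJECT_STATUS;
}

/* Hypothetical handler wrapper: on rejection, log with the UE identity and
 * return false so the caller can tear down this UE's session context. */
bool handle_update_sm_context(update_state_t state,
                              const sm_context_updated_t *rsp,
                              const char *supi)
{
    switch (check_update_sm_context(state, rsp)) {
    case UPDATE_ACCEPTED:
        return true;
    case UPDATE_REJECT_MISSING_N2:
        fprintf(stderr, "[amf] ERROR: [%s] SMF success response without "
                        "n2SmInfo during Service Request, rejecting\n", supi);
        return false;
    case UPDATE_REJECT_STATUS:
    default:
        fprintf(stderr, "[amf] ERROR: [%s] unusable /modify response "
                        "(status %d)\n", supi, rsp ? rsp->http_status : -1);
        return false;
    }
}

int main(void)
{
    /* Constructed sample N2 payload; only its presence matters here. */
    static const unsigned char n2[] = { 0x00, 0x04, 0x01, 0x02 };
    sm_context_updated_t with_n2 = { 200, n2, sizeof n2 };
    sm_context_updated_t empty   = { 204, NULL, 0 };

    printf("modified, empty success:        %s\n",
           handle_update_sm_context(UPDATE_STATE_MODIFIED, &empty, "imsi-test") ? "accepted" : "rejected");
    printf("service request, empty success: %s\n",
           handle_update_sm_context(UPDATE_STATE_SERVICE_REQUEST, &empty, "imsi-test") ? "accepted" : "rejected");
    printf("service request, with n2SmInfo: %s\n",
           handle_update_sm_context(UPDATE_STATE_SERVICE_REQUEST, &with_n2, "imsi-test") ? "accepted" : "rejected");
    return 0;
}
```

The second case is the one the report exercises (the `nsmf-missing-n2` experiment): with this shape it costs one session and one ERROR log line, which is also the event a detection rule for a misbehaving or spoofed SMF would key on.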
Source: https://github.com/open5gs/open5gs/issues/4409
User: FrankyLin (UID 94345)
Submission: 15/04/2026 04:24 PM (2 months ago)
Moderation: 03/05/2026 09:21 AM (18 days later)
Status: Accepted
VulDB Entry: 360882 [Open5GS up to 2.7.7 AMF /src/amf/gmm-handler.c gmm_handle_service_request denial of service]
Points: 20
