| शीर्षक | Open5gs SMF v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Steps to reproduce
### Description
When SMF operates in the home-routed V-SMF role and receives a
`201 Created` response for `POST /nsmf-pdusession/v1/pdu-sessions`, it crashes
if `PduSessionCreatedData` omits `hcnTunnelInfo`.
The response handler `smf_nsmf_handle_created_data_in_vsmf()` contains the same
bug pattern as the previously confirmed `vcnTunnelInfo` issue on the request
path: it tries to reject a missing `hcnTunnelInfo`, but the error log
dereferences the missing pointer in the `!hcnTunnelInfo` branch.
Relevant code:
```c
hcnTunnelInfo = PduSessionCreatedData->hcn_tunnel_info;
if (!hcnTunnelInfo ||
    !(hcnTunnelInfo->ipv4_addr || hcnTunnelInfo->ipv6_addr) ||
    !hcnTunnelInfo->gtp_teid) {
    /* This branch is entered when hcnTunnelInfo is NULL, yet the log
     * arguments below read through the pointer: that is the crash. */
    ogs_error("[%s:%d] No hcnTunnelInfo [%s:%s:%s]",
            smf_ue->supi, sess->psi,
            hcnTunnelInfo->ipv4_addr ? hcnTunnelInfo->ipv4_addr : "NULL",
            hcnTunnelInfo->ipv6_addr ? hcnTunnelInfo->ipv6_addr : "NULL",
            hcnTunnelInfo->gtp_teid ? hcnTunnelInfo->gtp_teid : "NULL");
```
In Docker, I confirmed this by:
1. forcing SMF into HR V-SMF mode with `hSmfUri`
2. answering the outbound H-SMF create request from a fake h2c server
3. returning `PduSessionCreatedData` that included `ueIpv4Address`,
`pduSessionType`, `sscMode`, and `n1SmInfoToUe`, but omitted
`hcnTunnelInfo`
The fake H-SMF definitely received the request and sent the crafted `201`
response, after which the SMF process exited with code `139`.
As a control, the same setup with a valid `hcnTunnelInfo` did not die at that
point; instead execution progressed further and later hit a different fatal
assertion on missing `qosFlowsSetupList`. That separates the two crash causes.
### Steps to reproduce
1. Run a fake H-SMF h2c server on the host bridge `10.33.33.1:18082` that
   answers `POST /nsmf-pdusession/v1/pdu-sessions` with:
   - HTTP status `201`
   - `Location: http://10.33.33.1:18082/nsmf-pdusession/v1/pdu-sessions/fake-2`
   - a multipart body containing:
     - JSON `PduSessionCreatedData` with
       `n1SmInfoToUe`, `pduSessionType`, `sscMode`, `ueIpv4Address`
     - one binary part `Content-Id: 5gnas-sm` containing a minimal `0xc2`
       establishment-accept marker in the `gsmue` format
2. Send `POST /nsmf-pdusession/v1/sm-contexts` to the local SMF with:
   - a full DNN such as `internet.mnc001.mcc001.gprs`
   - `hSmfUri` pointing to the fake H-SMF
   - a minimal `n1SmMsg` payload `c191a1`
3. Wait for the fake H-SMF to log:
```text
REQ POST /nsmf-pdusession/v1/pdu-sessions
RESP sent 262
```
4. Check SMF state:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-11T05:45:52Z smf
```
### Logs
Fake H-SMF log:
```text
REQ POST /nsmf-pdusession/v1/pdu-sessions
BODYLEN 690
RESP sent 262
```
SMF state:
```text
exited 139 2026-04-11T05:46:10.148176924Z
```
The process exited immediately after the crafted `201` response and before
emitting a normal validation error for `hcnTunnelInfo`.
### Expected behaviour
SMF should reject the malformed `PduSessionCreatedData` response and terminate only the corresponding SBI transaction.
### Observed behaviour
The crafted H-SMF response kills the entire SMF process with exit code `139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| Source | https://github.com/open5gs/open5gs/issues/4448 |
|---|
| User | FrankLin (UID 97501) |
|---|
| Submission | 20/04/2026 09:20 PM (2 months ago) |
|---|
| Moderation | 10/05/2026 05:44 PM (20 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 362564 [Open5GS up to 2.7.7 SMF smf_nsmf_handle_created_data_in_vsmf denial of service] |
|---|
| Points | 20 |
|---|
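As an added example, not code from the Open5GS project or from the report above, here is a hardened form of the `hcnTunnelInfo` check the issue describes: the absent-pointer case is logged and rejected before any field is read, so a `201 Created` without `hcnTunnelInfo` can no longer reach a dereference. The struct, field names and SUPI values are assumptions modelled on the quoted snippet.

```c
#include <stdio.h>

/* Hypothetical stand-in for the generated tunnel-info struct; field names
 * follow the snippet quoted in the report. */
typedef struct {
    char *ipv4_addr;
    char *ipv6_addr;
    char *gtp_teid;
} tunnel_info_t;

/* Render an optional string for logging without dereferencing NULL. */
static const char *opt_str(const char *s) { return s ? s : "NULL"; }

/* Validate hcnTunnelInfo before the V-SMF uses it.
 * Returns 0 when usable, -1 when absent or incomplete.
 * The missing-pointer case returns before any field of info is touched,
 * which is exactly what the vulnerable log call failed to do. */
int validate_hcn_tunnel_info(const tunnel_info_t *info,
                             const char *supi, int psi)
{
    if (!info) {
        fprintf(stderr, "[%s:%d] No hcnTunnelInfo in PduSessionCreatedData\n",
                supi, psi);
        return -1;
    }
    if (!(info->ipv4_addr || info->ipv6_addr) || !info->gtp_teid) {
        fprintf(stderr, "[%s:%d] Incomplete hcnTunnelInfo [%s:%s:%s]\n",
                supi, psi, opt_str(info->ipv4_addr),
                opt_str(info->ipv6_addr), opt_str(info->gtp_teid));
        return -1;
    }
    return 0;
}

/* Helpers that build a response's tunnel info from constructed values. */
int check_present(const char *v4, const char *v6, const char *teid)
{
    tunnel_info_t info = { (char *)v4, (char *)v6, (char *)teid };
    return validate_hcn_tunnel_info(&info, "imsi-001010000000001", 1);
}

int check_missing(void)
{
    return validate_hcn_tunnel_info(NULL, "imsi-001010000000001", 1);
}

int main(void)
{
    printf("missing: %d\n", check_missing());                      /* -1 */
    printf("no teid: %d\n", check_present("10.45.0.1", NULL, NULL)); /* -1 */
    printf("ok: %d\n", check_present("10.45.0.1", NULL, "0x00000001")); /* 0 */
    return 0;
}
```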