| Title | Open5GS SMF v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
When SMF operates in the HR V-SMF role and receives `PduSessionCreatedData`
from the H-SMF, it trusts `qosFlowsSetupList[*].qosRules` to be a valid
base64-encoded NAS QoS Rules blob.
Later, while building the establishment accept toward the AMF/UE,
`gsm_build_pdu_session_establishment_accept()` decodes that field and asserts
that decoding produced a non-zero length:
```c
len = ogs_base64_decode_len(qosFlowSetupItem->qos_rules);
ogs_assert(len);
...
authorized_qos_rules->length =
    ogs_base64_decode_binary(
        authorized_qos_rules->buffer, qosFlowSetupItem->qos_rules);
ogs_assert(authorized_qos_rules->length);
```
There is no graceful error handling. A crafted H-SMF `201 Created` response
with a malformed `qosRules` string therefore aborts the whole SMF process.
This issue is distinct from the related `missing hcnTunnelInfo` and
`missing qosFlowsSetupList` response-path crashes. Here the list is present, but
one of its encoded payload fields is attacker-controlled and malformed.
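As an added illustration of the graceful handling this report asks for (example code, not from Open5GS or the reporter), the following C replaces the `ogs_assert()` checks with a return code: `decode_base64_strict()` is a hypothetical stand-in for the library's base64 decoder, and `build_authorized_qos_rules()` is a hypothetical name for the fixed path, so a `qosRules` value such as `"!"` fails the one transaction rather than the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Strict base64 decoder standing in for the library decoder (assumption, not
 * Open5GS code): any malformed input (bad character, bad length, misplaced '=',
 * output buffer too small) yields -1 instead of a zero or garbage length. */
int decode_base64_strict(const char *in, uint8_t *out, size_t cap)
{
    size_t n = strlen(in), o = 0;
    if (n == 0 || n % 4 != 0) return -1;
    size_t pad = (in[n - 1] == '=') + (in[n - 2] == '=');
    size_t out_len = n / 4 * 3 - pad;
    if (out_len > cap) return -1;
    for (size_t i = 0; i < n; i += 4) {
        uint32_t acc = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            const char *p = strchr(B64, c);
            if (c == '=') {   /* '=' is legal only in the last group's final slots */
                if (i + 4 != n || k < 2 || (k == 2 && in[i + 3] != '=')) return -1;
                p = B64;      /* padding contributes zero bits */
            } else if (!p) {
                return -1;    /* character outside the base64 alphabet, e.g. "!" */
            }
            acc = (acc << 6) | (uint32_t)(p - B64);
        }
        uint8_t bytes[3] = { (uint8_t)(acc >> 16), (uint8_t)(acc >> 8), (uint8_t)acc };
        for (int k = 0; k < 3 && o < out_len; k++) out[o++] = bytes[k];
    }
    return (int)o;
}

/* Hypothetical graceful replacement for the assert-based path quoted in the
 * report: returns 0 and the decoded length on success, -1 when qosRules is
 * absent or malformed, so the caller can reject this PDU session transaction
 * instead of aborting the whole SMF process. */
int build_authorized_qos_rules(const char *qos_rules, uint8_t *buf, size_t cap,
                               size_t *len_out)
{
    if (!qos_rules || !*qos_rules) return -1;
    int len = decode_base64_strict(qos_rules, buf, cap);
    if (len <= 0) return -1;
    *len_out = (size_t)len;
    return 0;
}
```

The caller of the fixed path would map the -1 into the failure of that PDU session establishment only, leaving other sessions and the process itself running.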
### Steps to reproduce
1. Run a fake H-SMF h2c server on `10.33.33.1:18084` that answers
   `POST /nsmf-pdusession/v1/pdu-sessions` with:
   - HTTP status `201`
   - a valid `Location` header
   - multipart JSON `PduSessionCreatedData` including:
     - `n1SmInfoToUe`
     - `pduSessionType: "IPV4"`
     - `sscMode: "1"`
     - `ueIpv4Address`
     - valid `hcnTunnelInfo`
     - `qosFlowsSetupList` containing one item with:
       - `qfi: 1`
       - `qosRules: "!"`
       - `qosFlowDescription: "!"`
       - valid `qosFlowProfile`
2. Send `POST /nsmf-pdusession/v1/sm-contexts` to the local SMF with:
   - a full DNN such as `internet.mnc001.mcc001.gprs`
   - `hSmfUri` pointing to the fake H-SMF
   - minimal `n1SmMsg` payload `c191a1`
3. Check SMF state and logs:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-11T05:57:17Z smf
```
### Logs
Fake H-SMF log:
```
REQ POST /nsmf-pdusession/v1/pdu-sessions
BODYLEN 691
RESP sent 506
```
SMF state:
```
exited 139 2026-04-11T05:57:33.872823786Z
```
SMF log:
```
04/11 05:57:33.724: [smf] INFO: Setup NF EndPoint(addr) [10.33.33.1:18084] (../src/smf/nsmf-handler.c:2040)
04/11 05:57:33.725: [smf] INFO: UE SUPI[imsi-001011234567894] DNN[internet] S_NSSAI[SST:1 SD:0xffffff] pduSessionRef[fake-4] pduSessionResourceURI[http://10.33.33.1:18084/nsmf-pdusession/v1/pdu-sessions/fake-4] (../src/smf/nsmf-handler.c:2078)
04/11 05:57:33.726: [gsm] FATAL: gsm_build_pdu_session_establishment_accept: Assertion `authorized_qos_rules->length' failed. (../src/smf/gsm-build.c:115)
```
### Expected behaviour
SMF should reject malformed encoded `qosRules` content from the H-SMF response and fail only the affected transaction.
### Observed Behaviour
The crafted response aborts the entire SMF process with exit code `139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| Source | https://github.com/open5gs/open5gs/issues/4447 |
|---|
| User | FrankLin (UID 97501) |
|---|
| Submitted | 2026-04-20 21:20 (1 month ago) |
|---|
| Moderation | 2026-05-10 17:44 (20 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 362563 [Open5GS up to 2.7.7 SMF /src/smf/gsm-build.c gsm_build_pdu_session_establishment_accept denial of service] |
|---|
| Points | 20 |
|---|