Submission #808484: Open5gs SMF v2.7.7 Denial of Service (Info)

Title: Open5gs SMF v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

When SMF operates in the home-routed V-SMF role and receives a `201 Created` response for `POST /nsmf-pdusession/v1/pdu-sessions`, it crashes if `PduSessionCreatedData` omits `hcnTunnelInfo`.

The response handler `smf_nsmf_handle_created_data_in_vsmf()` contains the same bug pattern as the previously confirmed `vcnTunnelInfo` issue on the request path: it tries to reject a missing `hcnTunnelInfo`, but the error log dereferences the missing pointer in the `!hcnTunnelInfo` branch.

Relevant code:

```c
hcnTunnelInfo = PduSessionCreatedData->hcn_tunnel_info;
if (!hcnTunnelInfo ||
    !(hcnTunnelInfo->ipv4_addr || hcnTunnelInfo->ipv6_addr) ||
    !hcnTunnelInfo->gtp_teid) {
    ogs_error("[%s:%d] No hcnTunnelInfo [%s:%s:%s]",
            smf_ue->supi, sess->psi,
            hcnTunnelInfo->ipv4_addr ? hcnTunnelInfo->ipv4_addr : "NULL",
            hcnTunnelInfo->ipv6_addr ? hcnTunnelInfo->ipv6_addr : "NULL",
            hcnTunnelInfo->gtp_teid ? hcnTunnelInfo->gtp_teid : "NULL");
```

In Docker, I confirmed this by:

1. forcing SMF into HR V-SMF mode with `hSmfUri`
2. answering the outbound H-SMF create request from a fake h2c server
3. returning `PduSessionCreatedData` that included `ueIpv4Address`, `pduSessionType`, `sscMode`, and `n1SmInfoToUe`, but omitted `hcnTunnelInfo`

The fake H-SMF definitely received the request and sent the crafted `201` response, after which the SMF process exited with code `139`.

As a control, the same setup with a valid `hcnTunnelInfo` did not die at that point; instead execution progressed further and later hit a different fatal assertion on missing `qosFlowsSetupList`. That separates the two crash causes.

### Steps to reproduce

1. Run a fake H-SMF h2c server on the host bridge `10.33.33.1:18082` that answers `POST /nsmf-pdusession/v1/pdu-sessions` with:
   - HTTP status `201`
   - `Location: http://10.33.33.1:18082/nsmf-pdusession/v1/pdu-sessions/fake-2`
   - a multipart body containing:
     - JSON `PduSessionCreatedData` with `n1SmInfoToUe`, `pduSessionType`, `sscMode`, `ueIpv4Address`
     - one binary part `Content-Id: 5gnas-sm` containing a minimal `0xc2` establishment-accept marker in the `gsmue` format
2. Send `POST /nsmf-pdusession/v1/sm-contexts` to the local SMF with:
   - a full DNN such as `internet.mnc001.mcc001.gprs`
   - `hSmfUri` pointing to the fake H-SMF
   - a minimal `n1SmMsg` payload `c191a1`
3. Wait for the fake H-SMF to log:
   ```text
   REQ POST /nsmf-pdusession/v1/pdu-sessions
   RESP sent 262
   ```
4. Check SMF state:
   ```bash
   docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
   docker logs --since 2026-04-11T05:45:52Z smf
   ```

### Logs

```shell
Fake H-SMF log:
REQ POST /nsmf-pdusession/v1/pdu-sessions BODYLEN 690
RESP sent 262

SMF state:
exited 139 2026-04-11T05:46:10.148176924Z
```

The process exited immediately after the crafted `201` response and before emitting a normal validation error for `hcnTunnelInfo`.

### Expected behaviour

SMF should reject the malformed `PduSessionCreatedData` response and terminate only the corresponding SBI transaction.

### Observed Behaviour

The crafted H-SMF response kills the entire SMF process with exit code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
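The safe shape of the validation branch quoted in the report, as an added illustration that is not Open5GS code: the object pointer is tested and reported on its own before any field is read, and a malformed `201` fails only its own transaction. The struct is a simplified stand-in (assumption) for the generated tunnel-info type, and the SUPI and addresses are constructed values.

```c
#include <stdio.h>

/* Simplified stand-in (assumption) for the generated tunnel-info type:
 * three optional string fields, each of which may be NULL. */
typedef struct {
    const char *ipv4_addr;
    const char *ipv6_addr;
    const char *gtp_teid;
} tunnel_info_t;

typedef enum {
    TUNNEL_OK = 0,
    TUNNEL_MISSING,     /* hcnTunnelInfo absent from PduSessionCreatedData */
    TUNNEL_NO_ADDRESS,  /* present, but neither ipv4_addr nor ipv6_addr */
    TUNNEL_NO_TEID      /* present, but no gtp_teid */
} tunnel_check_t;

/* Prints "NULL" for an absent string so a log line never dereferences NULL. */
static const char *str_or_null(const char *s) { return s ? s : "NULL"; }

/* Validate hcnTunnelInfo. The object pointer is tested first and alone;
 * fields are read (including for logging) only once it is known non-NULL. */
static tunnel_check_t check_hcn_tunnel_info(const tunnel_info_t *ti,
                                            const char *supi, int psi)
{
    if (!ti) {
        fprintf(stderr, "[%s:%d] No hcnTunnelInfo\n", supi, psi);
        return TUNNEL_MISSING;
    }
    if (!ti->ipv4_addr && !ti->ipv6_addr) {
        fprintf(stderr, "[%s:%d] hcnTunnelInfo without address [%s:%s:%s]\n",
                supi, psi, str_or_null(ti->ipv4_addr),
                str_or_null(ti->ipv6_addr), str_or_null(ti->gtp_teid));
        return TUNNEL_NO_ADDRESS;
    }
    if (!ti->gtp_teid) {
        fprintf(stderr, "[%s:%d] hcnTunnelInfo without gtp_teid [%s:%s]\n",
                supi, psi, str_or_null(ti->ipv4_addr), str_or_null(ti->ipv6_addr));
        return TUNNEL_NO_TEID;
    }
    return TUNNEL_OK;
}

/* Modelled response handling: a malformed 201 fails this one transaction
 * (non-zero return) instead of taking the whole SMF process down. */
static int handle_created_data(const tunnel_info_t *hcn, const char *supi, int psi)
{
    return check_hcn_tunnel_info(hcn, supi, psi) == TUNNEL_OK ? 0 : -1;
}
```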
Source: https://github.com/open5gs/open5gs/issues/4448
User: FrankLin (UID 97501)
Submitted: 2026-04-20 09:20 PM (2 months ago)
Moderation: 2026-05-10 05:44 PM (20 days later)
Status: Accepted
VulDB entry: 362564 [Open5GS up to 2.7.7 SMF smf_nsmf_handle_created_data_in_vsmf Denial of Service]
Points: 20