Submit #818585: Open5GS AUSF v2.7.7 Denial of Service

Information

Title: Open5GS AUSF v2.7.7 Denial of Service

Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

AUSF crashes when `POST /nausf-auth/v1/ue-authentications` is sent in repeated bursts while `nudm-ueau` `generate-auth-data` requests are kept hanging.

The key behaviour is:

1. Each incoming auth request creates an SBI xact with a response timer.
2. If the client resets the HTTP/2 stream, AUSF frees the local `stream` and `request` objects immediately.
3. The outbound `nudm-ueau` xact and its timer remain pending until the SBI client wait timeout.
4. Repeating this quickly exhausts the timer pool.
5. `ogs_sbi_xact_add()` then fails, `ausf_sbi_discover_and_send()` returns `OGS_ERROR`, and `ausf_nausf_auth_handle_authenticate()` aborts on `ogs_assert(r != OGS_ERROR)`.

Stream cleanup on client-side close:

```c
static int on_stream_close(...)
{
    ...
    stream_remove(stream);
}

ogs_list_remove(&sbi_sess->stream_list, stream);
ogs_sbi_request_free(stream->request);
ogs_pool_id_free(&stream_pool, stream);
```

Timer allocation in `ogs_sbi_xact_add()`:

```c
xact->t_response = ogs_timer_add(...);
if (!xact->t_response) {
    ogs_error("ogs_timer_add() failed");
    ...
    return NULL;
}
```

The auth handler then turns that send failure into a hard abort:

```c
r = ausf_sbi_discover_and_send(...);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
```

Default sizing makes the pool finite and shared:

```c
#define MAX_NUM_OF_UE 1024
#define POOL_NUM_PER_UE 16

ogs_app()->pool.timer = global_conf.max.ue * POOL_NUM_PER_UE;
```

### Root cause

- Entry route: `POST /nausf-auth/v1/ue-authentications`
- Preconditions: `nudm-ueau` `POST /security-information/generate-auth-data` must be stalled so outbound SBI xacts remain pending
- Exact crash site: `../src/ausf/nausf-handler.c:63`
- Upstream failures:
  - `../lib/core/ogs-timer.c:82-85`
  - `../lib/sbi/context.c:2592-2600`
  - `../src/ausf/sbi-path.c:97-103`
- Stream cleanup that enables wave-based accumulation: `../lib/sbi/nghttp2-server.c:1306-1327` and `../lib/sbi/nghttp2-server.c:787-792`
- Pool sizing: `../lib/app/ogs-config.c:71-77` and `../lib/app/ogs-config.c:115-119`
- Root cause family: timer pool exhaustion leading to assertion abort
- Controlling factor: number of short-lived inbound auth requests whose outbound UDM xacts remain pending

### Steps to reproduce

1. Start a fake UDM that accepts `generate-auth-data` and never responds:

```bash
docker stop fake-ausf-udm-hang 2>/dev/null || true
docker run --rm -d \
  --name fake-ausf-udm-hang \
  --network open5gs \
  -v /home/ubuntu/open5gs_277/.audit_tmp:/srv \
  node:24-alpine \
  node /srv/ausf_fake_udm_hang.js
```

2. Restart AUSF and override `udm.open5gs.org` so `nudm-ueau` traffic goes to the hanging fake UDM:

```bash
docker restart ausf
docker exec ausf sh -lc "grep -v 'udm.open5gs.org' /etc/hosts > /tmp/hosts.new && printf '10.33.33.9\tudm.open5gs.org\n' >> /tmp/hosts.new && cat /tmp/hosts.new > /etc/hosts && getent hosts udm.open5gs.org"
```

3. Control case: one moderate burst. This should not crash AUSF.

```bash
docker exec fake-ausf-udm-hang sh -lc 'AUSF_STRESS_CONNECTIONS=8 AUSF_STRESS_REQUESTS_PER_CONNECTION=256 AUSF_STRESS_LAUNCH_ONLY_MS=1000 node /srv/ausf_auth_stress.js'
docker inspect -f '{{.State.Status}} {{.State.ExitCode}}' ausf
```

4. Malicious case: repeat the same `2048`-request launch-only burst several times so old streams are freed but outbound xacts and timers continue to accumulate. One working reproduction was:

```bash
docker restart ausf
docker exec ausf sh -lc "grep -v 'udm.open5gs.org' /etc/hosts > /tmp/hosts.new && printf '10.33.33.9\tudm.open5gs.org\n' >> /tmp/hosts.new && cat /tmp/hosts.new > /etc/hosts"
docker exec fake-ausf-udm-hang sh -lc 'AUSF_STRESS_CONNECTIONS=8 AUSF_STRESS_REQUESTS_PER_CONNECTION=256 AUSF_STRESS_LAUNCH_ONLY_MS=1000 node /srv/ausf_auth_stress.js'
docker exec fake-ausf-udm-hang sh -lc 'for i in 1 2 3 4 5 6 7; do AUSF_STRESS_CONNECTIONS=8 AUSF_STRESS_REQUESTS_PER_CONNECTION=256 AUSF_STRESS_LAUNCH_ONLY_MS=1000 node /srv/ausf_auth_stress.js; done'
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' ausf
docker logs --tail 80 ausf 2>&1
```

### Logs

```shell
04/23 01:43:35.574: [event] ERROR: Failed to allocate timer object from pool (../lib/core/ogs-timer.c:84)
04/23 01:43:35.577: [sbi] ERROR: ogs_timer_add() failed (../lib/sbi/context.c:2596)
04/23 01:43:35.579: [ausf] ERROR: ausf_sbi_discover_and_send() failed (../src/ausf/sbi-path.c:98)
04/23 01:43:35.588: [ausf] ERROR: ausf_nausf_auth_handle_authenticate: Expectation `r == OGS_OK' failed. (../src/ausf/nausf-handler.c:62)
04/23 01:43:35.588: [ausf] FATAL: ausf_nausf_auth_handle_authenticate: Assertion `r != OGS_ERROR' failed. (../src/ausf/nausf-handler.c:63)
04/23 01:43:35.610: [core] FATAL: backtrace() returned 10 addresses (../lib/core/ogs-abort.c:37)
```

### Expected behaviour

AUSF should reject excess pending authentication work with a normal HTTP error and remain running, even if UDM authentication is slow or unresponsive.

### Observed Behaviour

Repeated burst traffic that keeps `nudm-ueau` auth generation pending exhausts the timer pool, causes `ausf_sbi_discover_and_send()` to fail with `OGS_ERROR`, and then crashes AUSF via `ogs_assert(r != OGS_ERROR)`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
Source: https://github.com/open5gs/open5gs/issues/4473
User: ZiyuLin (UID 93568)
Submission: 04.05.2026 05:04 (1 month ago)
Moderation: 29.05.2026 19:15 (26 days later)
Status: accepted
VulDB entry: 367294 [Open5GS up to 2.7.7 ue-authentications Endpoint /lib/core/ogs-timer.c ogs_sbi_xact_add denial of service]
Points: 20
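
The failure mode and the expected behaviour from the report, as an added scaled-down model in C (not Open5GS source and not the submitter's code). All type and function names, the 64-slot pool and the 503 status are assumptions of this example; releasing the timer when the stream is reset is one possible hardening the report itself does not prescribe.

```c
/* Added illustration: scaled-down model, NOT Open5GS source. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>

#define TIMER_POOL_SIZE 64 /* constructed; the report's default is 1024 * 16 */
#define HTTP_UNAVAILABLE 503

typedef struct { bool in_use; } model_timer_t;
typedef struct { model_timer_t *t_response; } model_xact_t;

static model_timer_t timer_pool[TIMER_POOL_SIZE];

static model_timer_t *timer_alloc(void) {
    for (size_t i = 0; i < TIMER_POOL_SIZE; i++)
        if (!timer_pool[i].in_use) {
            timer_pool[i].in_use = true;
            return &timer_pool[i];
        }
    return NULL; /* pool exhausted */
}

static size_t timers_in_use(void) {
    size_t n = 0;
    for (size_t i = 0; i < TIMER_POOL_SIZE; i++) n += timer_pool[i].in_use;
    return n;
}

/* Handler: a failed allocation becomes an HTTP status, never an abort. */
static int handle_authenticate(model_xact_t *xact) {
    xact->t_response = timer_alloc();
    return xact->t_response ? 0 : HTTP_UNAVAILABLE; /* 0 = forwarded, pending */
}

/* Client resets the stream. release_xact=false models the reported behaviour
 * (timer stays pending); true releases it together with the stream. */
static void on_stream_reset(model_xact_t *xact, bool release_xact) {
    if (release_xact && xact->t_response) {
        xact->t_response->in_use = false;
        xact->t_response = NULL;
    }
}

/* Send `bursts` waves of `per_burst` requests, each reset right after launch.
 * Returns how many requests were rejected with 503. */
static int run_bursts(int bursts, int per_burst, bool release_xact) {
    int rejected = 0;
    for (size_t i = 0; i < TIMER_POOL_SIZE; i++) timer_pool[i].in_use = false;
    for (int n = 0; n < bursts * per_burst; n++) {
        model_xact_t xact = { NULL };
        if (handle_authenticate(&xact) == HTTP_UNAVAILABLE) rejected++;
        on_stream_reset(&xact, release_xact);
    }
    return rejected;
}
```

With `release_xact` false the pool fills across waves and later requests are rejected while the process keeps running; with it true the pool never accumulates pending timers.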
