Submission #808420: Open5gs NSSF v2.7.7 Denial of Service (info)

Title: Open5gs NSSF v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

NSSF crashes if a Home-NSSF selection request causes an outbound `nnssf-nsselection` query and the original client disconnects before the Home NSSF response arrives.

In the NSSF client-response FSM path, the code retrieves the original associated stream by ID:

```c
stream = ogs_sbi_stream_find_by_id(sbi_xact->assoc_stream_id);
...
nssf_nnrf_nsselection_handle_get_from_hnssf(home, stream, &message);
```

If the original requester has already timed out or reset the HTTP/2 stream, `ogs_sbi_stream_find_by_id()` returns `NULL`. The called handler immediately asserts that the stream pointer is non-NULL:

```c
ogs_assert(stream);
```

This makes a delayed but otherwise valid Home-NSSF response a process-killing event once the original stream is gone.

### Steps to reproduce

This reproduction used the live Open5GS Docker lab with temporary test setup to force the Home-NSSF path:

1. Add serving PLMN entries to the live lab configs so NRF accepts a fake Home NSSF registration and local NSSF can build Home-NSSF discovery:

```yaml
# /home/ubuntu/docker-open5gs/configs/basic/nrf.yaml
nrf:
  serving:
    - plmn_id: { mcc: 001, mnc: 01 }
    - plmn_id: { mcc: 999, mnc: 70 }
```

```yaml
# /home/ubuntu/docker-open5gs/configs/basic/nssf.yaml
nssf:
  serving:
    - plmn_id: { mcc: 001, mnc: 01 }
```

2. Restart `nrf` and `nssf`.
3. Register a fake Home NSSF into NRF with a long heartbeat and an `nnssf-nsselection` service endpoint pointing to a local delayed h2c test server (`10.33.33.1:18081` in this live setup).
4. Run a delayed Home-NSSF responder that accepts HTTP/2 cleartext and returns a valid `AuthorizedNetworkSliceInfo` only after 3 seconds.
5. Send the original request with a 1-second timeout so the client aborts before the delayed response returns:

```bash
curl --http2-prior-knowledge --max-time 1 -sS -i --get \
  'http://10.33.33.5/nnssf-nsselection/v2/network-slice-information' \
  --data-urlencode 'nf-id=test-amf' \
  --data-urlencode 'nf-type=AMF' \
  --data-urlencode 'home-plmn-id={"mcc":"999","mnc":"70"}' \
  --data-urlencode 'slice-info-request-for-pdu-session={"sNssai":{"sst":1,"sd":"000001"},"homeSnssai":{"sst":1,"sd":"000001"},"roamingIndication":"HOME_ROUTED_ROAMING"}'
```

6. Wait for the delayed Home-NSSF response to arrive, then check the NSSF container state and logs.

### Logs

```shell
Original requester:
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received

Delayed Home-NSSF backend saw the request:
GET /nnssf-nsselection/v2/network-slice-information?slice-info-request-for-pdu-session=%7B%22sNssai%22%3A%7B%22sst%22%3A1%2C%22sd%22%3A%22000001%22%7D%2C%22roamingIndication%22%3A%22HOME_ROUTED_ROAMING%22%7D&nf-id=f806e06c-3509-41f1-a3ee-09fbeb9317ec&snssai=%7B%22sst%22%3A1%2C%22sd%22%3A%22000001%22%7D&nf-type=NSSF

Container state:
exited 139 2026-04-10T18:25:33.593273294Z

NSSF logs:
04/10 18:25:31.450: [sbi] INFO: RST_STREAM received: stream_id=1 (../lib/sbi/nghttp2-server.c:1288)
04/10 18:25:33.483: [nssf] FATAL: nssf_nnrf_nsselection_handle_get_from_hnssf: Assertion `stream' failed. (../src/nssf/nnssf-handler.c:189)
```

### Expected behaviour

If the original requester disconnects before the Home-NSSF response arrives, NSSF should discard the late response or clean up the transaction safely without touching a dead stream.

### Observed Behaviour

The original client times out, the stream is closed, and the later Home-NSSF response causes NSSF to assert on a `NULL` stream pointer and exit with code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
Source: https://github.com/open5gs/open5gs/issues/4431
User: FrankyLin (UID 94345)
Submission: 2026-04-20 20:09 (1 month ago)
Moderation: 2026-05-07 18:56 (17 days later)
Status: Accepted
VulDB entry: 361906 [Open5GS up to 2.7.7 NSSF nghttp2-server.c ogs_sbi_stream_find_by_id denial of service]
Points: 20
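
The handling requested under "Expected behaviour" in the description can be modelled as below. This is an added example, not Open5GS code and not the project's fix: the stream table, `xact_t`, `handle_upstream_response` and the return codes are hypothetical names, and only the lookup-returns-`NULL` condition mirrors the report.

```c
#include <stddef.h>
#include <stdio.h>
/* Toy model, constructed for illustration; none of these names are Open5GS APIs. */
#define MAX_STREAMS 8
typedef struct { int id; int open; } stream_t;
typedef struct { int assoc_stream_id; int pending; } xact_t;
enum { RESP_FORWARDED, RESP_DISCARDED, RESP_NO_XACT };
static stream_t streams[MAX_STREAMS];

/* Register a client stream; returns its id (>= 1), or 0 if the table is full. */
int stream_open(void) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (!streams[i].open) {
            streams[i] = (stream_t){ i + 1, 1 };
            return i + 1;
        }
    return 0;
}

/* Client timed out or reset the stream: the entry is gone. */
void stream_close(int id) {
    if (id >= 1 && id <= MAX_STREAMS) streams[id - 1].open = 0;
}

/* Lookup by id; NULL once the requester has gone away. */
stream_t *stream_find_by_id(int id) {
    if (id < 1 || id > MAX_STREAMS || !streams[id - 1].open) return NULL;
    return &streams[id - 1];
}

/* Handle the upstream reply for a pending transaction. */
int handle_upstream_response(xact_t *xact) {
    if (xact == NULL || !xact->pending) return RESP_NO_XACT;
    stream_t *stream = stream_find_by_id(xact->assoc_stream_id);
    xact->pending = 0; /* release the transaction on every path */
    if (stream == NULL) {
        /* Remote peers control this timing: log and drop, do not assert. */
        fprintf(stderr, "late response for closed stream %d discarded\n", xact->assoc_stream_id);
        return RESP_DISCARDED;
    }
    stream_close(stream->id); /* reply relayed; stream is finished */
    return RESP_FORWARDED;
}

int main(void) {
    xact_t x = { stream_open(), 1 };
    stream_close(x.assoc_stream_id); /* requester aborts first */
    return handle_upstream_response(&x) == RESP_DISCARDED ? 0 : 1;
}
```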
