bump upstream from 2.6 to 2.7.2 #92
This reverts commit 253b09f.
This reverts commit 6814de5.
The AMF will crash at the following locations when it receives a sequence of NAS messages from a UE:

- ogs_nas_encrypt: Assertion `pkbuf->len' failed. (../lib/nas/common/security.c:86)
- gmm_state_authentication: Assertion `r != OGS_ERROR' failed. (../src/amf/gmm-sm.c:1561)

Besides the crashes found above, an incorrect protocol transition is identified in Open5GS. Without any Registration/Attach Request message, when the Identity Response message is sent, the Core Network responds with an Authentication Request message. According to the standard, only the Registration/Attach Request message can start a state transition from the 5GMM/EMM-DEREGISTERED state to 5GMM/EMM-COMMON-PROCEDURE-INITIATED. So I've modified the relevant code to address these issues.
In InitialUEMessage, if a NAS message with a message type other than Registration Request, Deregistration Request, or Service Request is sent, the following messages from the UE will not be accepted. We found this issue not only in the initial state but in multiple states. We believe that if an attacker has the ability to inject a NAS message into the core, it can perform a DoS attack on the victim UE. So I've fixed the issue where the MME/AMF deletes MME_UE_S1AP_ID/AMF_UE_NGAP_ID and will not accept any following messages from the UE.
A malformed PDU Session Modification Request is sent from the UE after Registration Complete.

Crash 1:

```
04/12 15:00:44.031: [amf] INFO: [imsi-999700000000001:1:11][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:837)
04/12 15:00:46.569: [nas] FATAL: ogs_nas_parse_qos_flow_descriptions: Assertion `descriptions->length' failed. (../lib/nas/5gs/types.c:486)
04/12 15:00:46.569: [core] FATAL: backtrace() returned 11 addresses (../lib/core/ogs-abort.c:37)
../src/smf/../../lib/nas/5gs/libogsnas-5gs.so.2(ogs_nas_parse_qos_flow_descriptions+0x162) [0x7e6e7a5a4e5d]
../src/smf/open5gs-smfd(+0x8c6ec) [0x5dd6c333d6ec]
../src/smf/open5gs-smfd(+0x2d69b) [0x5dd6c32de69b]
../src/smf/../../lib/core/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7e6e7b216c0c]
../src/smf/open5gs-smfd(+0x288b3) [0x5dd6c32d98b3]
../src/smf/../../lib/core/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7e6e7b216c0c]
../src/smf/open5gs-smfd(+0xf2d8) [0x5dd6c32c02d8]
../src/smf/../../lib/core/libogscore.so.2(+0x1197a) [0x7e6e7b20797a]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7e6e7a094ac3]
/lib/x86_64-linux-gnu/libc.so.6(+0x126850) [0x7e6e7a126850]
04/12 15:00:46.613: [app] ERROR: Signal-NUM[17] received (Child status change) (../src/main.c:81)
04/12 15:00:46.613: [sbi] WARNING: [92] HTTP/2 stream 19 was not closed cleanly before end of the underlying stream (../lib/sbi/client.c:626)
04/12 15:00:46.613: [scp] WARNING: response_handler() failed [-1] (../src/scp/sbi-path.c:539)
04/12 15:00:46.613: [amf] ERROR: [1:0] No SmContextUpdateError [500] (../src/amf/nsmf-handler.c:866)
04/12 15:00:46.613: [amf] ERROR: AMF_SESS_CLEAR (../src/amf/amf-sm.c:484)
04/12 15:00:46.613: [amf] INFO: [Removed] Number of AMF-Sessions is now 0 (../src/amf/context.c:2551)
04/12 15:00:50.596: [nrf] WARNING: [c466ec64-f8fe-41ee-a888-194dc4363612] No heartbeat (../src/nrf/nrf-sm.c:260)
04/12 15:00:50.596: [nrf] INFO: [c466ec64-f8fe-41ee-a888-194dc4363612] NF de-registered (../src/nrf/nf-sm.c:205)
04/12 15:00:50.596: [sbi] INFO: [c466ec64-f8fe-41ee-a888-194dc4363612:1] NF removed (../lib/sbi/nnrf-handler.c:750)
04/12 15:00:50.596: [sbi] INFO: [c466ec64-f8fe-41ee-a888-194dc4363612:1] NF removed (../lib/sbi/nnrf-handler.c:750)
04/12 15:00:55.094: [pfcp] WARNING: [10] LOCAL No Reponse. Give up! for step 1 type 1 peer [127.0.0.4]:8805 (../lib/pfcp/xact.c:599)
04/12 15:00:55.094: [upf] WARNING: No Heartbeat from SMF [127.0.0.4]:8805 (../src/upf/pfcp-sm.c:329)
04/12 15:00:55.094: [upf] INFO: PFCP de-associated [127.0.0.4]:8805 (../src/upf/pfcp-sm.c:199)
04/12 15:01:02.599: [pfcp] WARNING: [11] LOCAL No Reponse. Give up! for step 1 type 5 peer [127.0.0.4]:8805 (../lib/pfcp/xact.c:599)
04/12 15:01:06.098: [upf] WARNING: Retry to association with peer [127.0.0.4]:8805 failed (../src/upf/pfcp-sm.c:107)
```

Crash 2:

```
04/12 15:16:39.748: [amf] INFO: [imsi-999700000000001:1:11][0:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:837)
04/12 15:16:42.155: [nas] FATAL: ogs_nas_parse_qos_rules: Assertion `size+sizeof(rule->flow.flags) <= length' failed. (../lib/nas/5gs/types.c:961)
04/12 15:16:42.155: [core] FATAL: backtrace() returned 11 addresses (../lib/core/ogs-abort.c:37)
../src/smf/../../lib/nas/5gs/libogsnas-5gs.so.2(ogs_nas_parse_qos_rules+0x12d1) [0x7d1affbd2d72]
../src/smf/open5gs-smfd(+0x8b446) [0x629a57861446]
../src/smf/open5gs-smfd(+0x2d69b) [0x629a5780369b]
../src/smf/../../lib/core/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7d1affd05c0c]
../src/smf/open5gs-smfd(+0x288b3) [0x629a577fe8b3]
../src/smf/../../lib/core/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7d1affd05c0c]
../src/smf/open5gs-smfd(+0xf2d8) [0x629a577e52d8]
../src/smf/../../lib/core/libogscore.so.2(+0x1197a) [0x7d1affcf697a]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7d1afea94ac3]
/lib/x86_64-linux-gnu/libc.so.6(+0x126850) [0x7d1afeb26850]
04/12 15:16:42.199: [sbi] WARNING: [92] HTTP/2 stream 13 was not closed cleanly before end of the underlying stream (../lib/sbi/client.c:626)
04/12 15:16:42.199: [scp] WARNING: response_handler() failed [-1] (../src/scp/sbi-path.c:539)
04/12 15:16:42.199: [app] ERROR: Signal-NUM[17] received (Child status change) (../src/main.c:81)
04/12 15:16:42.200: [amf] ERROR: [1:0] No SmContextUpdateError [500] (../src/amf/nsmf-handler.c:866)
04/12 15:16:42.200: [amf] ERROR: AMF_SESS_CLEAR (../src/amf/amf-sm.c:484)
04/12 15:16:42.200: [amf] INFO: [Removed] Number of AMF-Sessions is now 0 (../src/amf/context.c:2551)
04/12 15:16:49.858: [nrf] WARNING: [23f1aee2-f901-41ee-a488-85a58e1e3420] No heartbeat (../src/nrf/nrf-sm.c:260)
04/12 15:16:49.858: [nrf] INFO: [23f1aee2-f901-41ee-a488-85a58e1e3420] NF de-registered (../src/nrf/nf-sm.c:205)
04/12 15:16:49.859: [sbi] INFO: [23f1aee2-f901-41ee-a488-85a58e1e3420:1] NF removed (../lib/sbi/nnrf-handler.c:750)
04/12 15:16:49.859: [sbi] INFO: [23f1aee2-f901-41ee-a488-85a58e1e3420:1] NF removed (../lib/sbi/nnrf-handler.c:750)
04/12 15:16:59.364: [pfcp] WARNING: [5] LOCAL No Reponse. Give up! for step 1 type 1 peer [127.0.0.4]:8805 (../lib/pfcp/xact.c:599)
04/12 15:16:59.364: [upf] WARNING: No Heartbeat from SMF [127.0.0.4]:8805 (../src/upf/pfcp-sm.c:329)
04/12 15:16:59.364: [upf] INFO: PFCP de-associated [127.0.0.4]:8805 (../src/upf/pfcp-sm.c:199)
```

So, I've fixed it.
The way the subnet is set up has changed as shown below.

```
<OLD Format>
smf:
  session:
    - subnet: 10.45.0.1/16

<NEW Format>
smf:
  session:
    - subnet: 10.45.0.0/16
      gateway: 10.45.0.1
```

For more information, please refer to Pull Request #2975.
Add an option to disable printing the timestamp. This is useful to not have duplicate timestamps when stderr is piped into a logging system that adds timestamps on its own. For example with systemd's journald:

```
$ journalctl -u open5gs-smfd
Apr 10 13:25:18 hostname open5gs-smfd[1582]: 04/10 13:25:18.274: [app] INFO: Configuration: '/etc/open5gs/smf.yaml' (../lib/app/ogs-init.c:130)
```

Configuration change:

```
<OLD Format>
logger:
  file: /var/log/open5gs/smf.log

<NEW Format>
logger:
  file:
    path: /var/log/open5gs/smf.log
```

Example config, to have no timestamps on stderr:

```
logger:
  default:
    timestamp: false
  file:
    path: /var/log/open5gs/smf.log
    timestamp: true
```
Add a section that explains how to fix duplicate timestamps in journalctl.
A friend in the community was trying to connect an SMF made by another manufacturer with an SBI interface and found a big problem with Open5GS. All of the code in the part that generates the Resource URI from HTTP.location is invalid. For example, suppose we create a Resource URI with SMContext as below.

```
{apiRoot}/nsmf-pdusession/<apiVersion>/sm-contexts/{smContextRef}
```

In this case, Open5GS extracted the {smContextRef} part of the HTTP.location and appended it to the beginning `{apiRoot}/nsmf-pdusession/<apiVersion>/sm-contexts/`. This implementation may not work properly if the apiRoot changes. Consider a different port number as shown below.

```
<HTTP.location>
127.0.0.4:9999/nsmf-pdusession/v1/sm-contexts/1
```

The SMF may send an apiRoot to the AMF with a changed port number, in which case the AMF must honor it. Therefore, instead of extracting only the smContextRef from HTTP.location, we modified it to use the whole thing to create a Resource URI. We modified all NFs that use HTTP.location in the same way, not just SMFs.
…ddresses

When running the open5gs package with systemd network config, the 1st IP address of the UE pool configured in the open5gs-upfd config file for ogstun is being assigned to the interface through this file. That was discussed as being a desirable default setup. However, in the event a user wants a setup where no IP address is assigned to the tundev, then it's not enough to remove the IP address, because then the implicit routing rules regarding the subnet of the IP address, added automatically by the kernel, are also removed. This patch adds config sections to set up the routing explicitly, with the aim of keeping the routing applied if the user decides to comment out the IP address, so that packets are still forwarded properly in that case. Related: https://osmocom.org/issues/6361
When NSSF was first implemented, nf-status-notify was not required. This is because there was no need to be notified if other NFs were registered or de-registered in the NRF. However, this situation changed with the addition of SEPP. NSSFs can be notified whenever a SEPP registers or de-registers an NRF. Therefore, we added nf-status-notify, which was not implemented when the NSSF was originally created.
An assert shall be triggered if sepp_node is corrupted.

```
pwndbg> p *sepp_node
$5 = {
  lnode = { prev = 0x0, next = 0xaaaac920c638 },
  receiver = 0xaaaac9230990 "sepp2.localdomain",
  negotiated_security_scheme = OpenAPI_security_capability_TLS,
  target_apiroot_supported = true,
  plmn_id = {{ mcc1 = 6 '\006', mcc2 = 6 '\006', mcc3 = 6 '\006', mnc1 = 6 '\006', mnc2 = 6 '\006', mnc3 = 6 '\006' } <repeats 12 times>},
  num_of_plmn_id = 6710887,
  target_plmn_id_presence = false,
  target_plmn_id = { mcc1 = 0 '\000', mcc2 = 0 '\000', mcc3 = 0 '\000', mnc1 = 0 '\000', mnc2 = 0 '\000', mnc3 = 0 '\000' },
  supported_features = 1,
  sm = { init = 0xaaaaada181fc <sepp_handshake_state_initial>, fini = 0xaaaaada18390 <sepp_handshake_state_final>, state = 0xaaaaada194b4 <sepp_handshake_state_established> },
  t_establish_interval = 0xffffa7d6c4e0,
  client = 0xaaaac91af010,
  n32f = { client = 0xaaaac91af090 }
}
pwndbg> p/x sepp_node.num_of_plmn_id
$6 = 0x666667
```
An assert shall be triggered if a stack corruption occurs. The vulnerable code path is in src/hss/hss-s6a-path.c:

```c
static int hss_ogs_diam_s6a_air_cb(struct msg **msg, struct avp *avp,
        struct session *session, void *opaque, enum disp_action *act)
{
    ..
    ogs_plmn_id_t visited_plmn_id;
    ..
    ret = fd_msg_search_avp(qry, ogs_diam_visited_plmn_id, &avp);
    ogs_assert(ret == 0);
    ret = fd_msg_avp_hdr(avp, &hdr);
    ogs_assert(ret == 0);
    /* os.len is taken from the peer's AVP and is not compared with
     * sizeof(visited_plmn_id) before the copy onto the stack */
    memcpy(&visited_plmn_id, hdr->avp_value->os.data, hdr->avp_value->os.len);
```
An assert shall be triggered. The vulnerable code path is in src/mme/mme-fd-path.c:

```c
/* s6a process Subscription-Data from avp */
static int mme_s6a_subscription_data_from_avp(struct avp *avp,
        ogs_subscription_data_t *subscription_data, mme_ue_t *mme_ue,
        uint32_t *subdatamask)
{
    ...
    /* AVP: 'MSISDN'( 701 )
     * The MSISDN AVP is of type OctetString. This AVP contains an MSISDN,
     * in international number format as described in ITU-T Rec E.164 [8],
     * encoded as a TBCD-string, i.e. digits from 0 through 9 are encoded
     * 0000 to 1001; 1111 is used as a filler when there is an odd number
     * of digits; bits 8 to 5 of octet n encode digit 2n; bits 4 to 1 of
     * octet n encode digit 2(n-1)+1.
     * Reference: 3GPP TS 29.329 */
    ret = fd_avp_search_avp(avp, ogs_diam_s6a_msisdn, &avpch1);
    ogs_assert(ret == 0);
    if (avpch1) {
        ret = fd_msg_avp_hdr(avpch1, &hdr);
        ogs_assert(ret == 0);
        if (hdr->avp_value->os.data && hdr->avp_value->os.len) {
            /* 1: the peer-supplied length is stored without clamping */
            mme_ue->msisdn_len = hdr->avp_value->os.len;
            /* 2: the copy itself is clamped to OGS_MAX_MSISDN_LEN */
            memcpy(mme_ue->msisdn, hdr->avp_value->os.data,
                    ogs_min(mme_ue->msisdn_len, OGS_MAX_MSISDN_LEN));
            /* 3: the unclamped length from step 1 drives the BCD conversion */
            ogs_buffer_to_bcd(mme_ue->msisdn,
                    mme_ue->msisdn_len, mme_ue->msisdn_bcd);
            *subdatamask = (*subdatamask | OGS_DIAM_S6A_SUBDATA_MSISDN);
        }
    }
```
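Both Diameter handlers above copy an OctetString AVP into a fixed-size field and either never check the peer-supplied length (Visited-PLMN-Id) or clamp the copy but reuse the unclamped length afterwards (MSISDN). The following is an added example, not open5gs code, of the check that stops both: the length is validated before it is stored anywhere, and a failure is returned for the caller to answer with a Diameter error instead of asserting. The avp_os and ue_ctx types stand in for freeDiameter's avp_value->os and the MME UE context, and the 15-octet MSISDN field (the E.164 maximum) is an assumption, not the project's OGS_MAX_MSISDN_LEN.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a Diameter OctetString AVP value (freeDiameter's
 * hdr->avp_value->os); constructed here so the example runs stand-alone. */
struct avp_os {
    const uint8_t *data;
    size_t len;
};

/* Fixed-size UE context fields modelled on the MME's msisdn fields.
 * 15 digits is the E.164 maximum; it is an assumption, not the value
 * of OGS_MAX_MSISDN_LEN in open5gs. */
#define MAX_MSISDN_LEN 15
struct ue_ctx {
    uint8_t msisdn[MAX_MSISDN_LEN];
    size_t msisdn_len;
    char msisdn_bcd[2 * MAX_MSISDN_LEN + 1];
};

/* Copy an OctetString AVP into a fixed-size field. The length is checked
 * before it is stored, so no later step can pick up an out-of-range value.
 * Returns 0 on success, -1 if the AVP is absent, too short or too long. */
static int avp_os_copy_bounded(void *dst, size_t dst_size, size_t *out_len,
                               const struct avp_os *os, size_t min_len)
{
    if (os == NULL || os->data == NULL || os->len < min_len || os->len > dst_size)
        return -1;
    memcpy(dst, os->data, os->len);
    if (out_len)
        *out_len = os->len;
    return 0;
}

/* TBCD decode (TS 29.002): bits 4-1 of octet n carry digit 2n-1, bits 8-5
 * carry digit 2n; 0xF is the filler for an odd digit count. Any non-digit
 * nibble ends the string, so a bad AVP can never produce an unterminated
 * or over-long result. */
static void tbcd_to_string(const uint8_t *buf, size_t len, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; i < len && o + 2 < out_size; i++) {
        uint8_t lo = buf[i] & 0x0f, hi = buf[i] >> 4;
        if (lo > 9) break;
        out[o++] = (char)('0' + lo);
        if (hi > 9) break;
        out[o++] = (char)('0' + hi);
    }
    out[o] = '\0';
}

/* MSISDN (AVP 701): variable length, must fit the fixed field. On failure
 * the UE context is left untouched. */
static int msisdn_from_avp(struct ue_ctx *ue, const struct avp_os *os)
{
    if (avp_os_copy_bounded(ue->msisdn, sizeof ue->msisdn, &ue->msisdn_len, os, 1) != 0)
        return -1;
    tbcd_to_string(ue->msisdn, ue->msisdn_len, ue->msisdn_bcd, sizeof ue->msisdn_bcd);
    return 0;
}

/* Visited-PLMN-Id (TS 29.272): exactly 3 octets of MCC/MNC, so min == max. */
static int visited_plmn_from_avp(uint8_t plmn[3], const struct avp_os *os)
{
    return avp_os_copy_bounded(plmn, 3, NULL, os, 3);
}

int main(void)
{
    /* Constructed AVP payloads: MSISDN "491234567" as TBCD, and a 16-octet
     * value of the over-long kind that corrupted the UE context. */
    static const uint8_t msisdn_ok[] = { 0x94, 0x21, 0x43, 0x65, 0xF7 };
    static const uint8_t too_long[16] = { 0 };
    struct avp_os ok = { msisdn_ok, sizeof msisdn_ok };
    struct avp_os bad = { too_long, sizeof too_long };
    struct ue_ctx ue = { 0 };

    printf("ok:  rc=%d msisdn=%s\n", msisdn_from_avp(&ue, &ok), ue.msisdn_bcd);
    printf("bad: rc=%d (rejected, context untouched)\n", msisdn_from_avp(&ue, &bad));
    return 0;
}
```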
Assert shall be triggered if the mme_enb_t object is corrupted.

```
$ gdb -q -p `pidof open5gs-mmed`
..
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".
0x0000ffff90deb46c in __GI___sigtimedwait (set=set@entry=0xfffffe63be68, info=info@entry=0xfffffe63bda8, timeout=timeout@entry=0x0) at ../sysdeps/unix/sysv/linux/sigtimedwait.c:61
61      ../sysdeps/unix/sysv/linux/sigtimedwait.c: No such file or directory.
Breakpoint 1 at 0xaaaabef69250: file ../src/mme/s1ap-handler.c, line 199.
[Switching to Thread 0xffff1efdef00 (LWP 20348)]

Thread 38 "open5gs-mmed" hit Breakpoint 1, s1ap_handle_s1_setup_request (enb=0xffff9029b5a0, message=0xffff1efdc498) at ../src/mme/s1ap-handler.c:199
warning: Source file is more recent than executable.
199         if (maximum_number_of_enbs_is_reached()) {
(gdb) p enb.supported_ta_list
$1 = {{plmn_id = {mcc1 = 0 '\000', mcc2 = 0 '\000', mcc3 = 1 '\001', mnc1 = 15 '\017', mnc2 = 0 '\000', mnc3 = 1 '\001'}, tac = 1} <repeats 256 times>}
(gdb) p enb
$2 = (mme_enb_t *) 0xffff9029b5a0
(gdb) p *enb
$3 = {lnode = {prev = 0x0, next = 0x0}, sm = {init = 0xaaaabef66540 <s1ap_state_initial>, fini = 0xaaaabef66640 <s1ap_state_final>, state = 0xaaaabef66730 <s1ap_state_operational>}, enb_id = 1, plmn_id = {mcc1 = 1 '\001', mcc2 = 2 '\002', mcc3 = 3 '\003', mnc1 = 15 '\017', mnc2 = 4 '\004', mnc3 = 5 '\005'}, sctp = {type = 1, sock = 0xfffedc000bd0, addr = 0xfffedc000e70, poll = {read = 0xffff9032a0f0, write = 0x0}, write_queue = {prev = 0x0, next = 0x0}}, state = {s1_setup_success = false}, max_num_of_ostreams = 30, ostream_id = 0, num_of_supported_ta_list = 258, supported_ta_list = {{plmn_id = {mcc1 = 0 '\000', mcc2 = 0 '\000', mcc3 = 1 '\001', mnc1 = 15 '\017', mnc2 = 0 '\000', mnc3 = 1 '\001'}, tac = 1} <repeats 256 times>}, s1_reset_ack = 0x10f100000110f100, enb_ue_list = {prev = 0x1, next = 0x0}}
pwndbg> vmmap enb
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
             Start                End Perm     Size Offset File
    0xffff8edd4000     0xffff8ede4000 ---p    10000      0 [anon_ffff8edd4]
►   0xffff8ede4000     0xffff90650000 rw-p  186c000      0 [anon_ffff8ede4] +0x1517010
    0xffff90650000     0xffff90659000 r-xp     9000      0 /usr/lib/aarch64-linux-gnu/libffi.so.8.1.0
```

The value s1_reset_ack = 0x10f100000110f100 shall contain a function pointer, but has been corrupted. The following patch will abort the process:

```diff
$ diff --git a/src/mme/s1ap-handler.c b/src/mme/s1ap-handler.c index dff401ded..55a1f7e1b 100644 --- a/src/mme/s1ap-handler.c +++ b/src/mme/s1ap-handler.c @@ -178,6 +178,7 @@ void s1ap_handle_s1_setup_request(mme_enb_t *enb, ogs_s1ap_message_t *message) SupportedTAs_Item->broadcastPLMNs.list.array[j]; ogs_assert(pLMNidentity); + ogs_assert(enb->num_of_supported_ta_list < OGS_ARRAY_SIZE(enb->supported_ta_list)); memcpy(&enb->supported_ta_list[enb->num_of_supported_ta_list].tac, tAC->buf, sizeof(uint16_t)); enb->supported_ta_list[enb->num_of_supported_ta_list].tac = @@ -310,6 +311,7 @@ void s1ap_handle_enb_configuration_update( SupportedTAs_Item->broadcastPLMNs.list.array[j]; ogs_assert(pLMNidentity); + ogs_assert(enb->num_of_supported_ta_list < OGS_ARRAY_SIZE(enb->supported_ta_list)); memcpy(&enb->supported_ta_list[ enb->num_of_supported_ta_list].tac, tAC->buf, sizeof(uint16_t));
```
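Review bot: the added `ogs_assert(enb->num_of_supported_ta_list < OGS_ARRAY_SIZE(enb->supported_ta_list));` in both hunks (s1ap_handle_s1_setup_request and s1ap_handle_enb_configuration_update) turns the out-of-bounds write into a deterministic abort, so a single eNB advertising more TA items than the array holds still takes the whole MME down, only now reliably. Since the list comes from the peer, the bound should be enforced before the memcpy with a logged warning and a failure response to that eNB (and the loop stopped), keeping the assert only as a last line of defence; the same limit check is needed for the `num_of_supported_ta_list` value on every later iteration, not just the first overflow.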
The indexes rx_message.ims_data.num_of_media_component and media_component->num_of_sub can overflow.

```c
static int pcrf_rx_aar_cb(struct msg **msg, struct avp *avp,
        struct session *sess, void *opaque, enum disp_action *act)
    ..
        /* Gwt Specific-Action */
        case OGS_DIAM_RX_AVP_CODE_SPECIFIC_ACTION:
            break;
        /* Gwt Media-Component-Description */
        case OGS_DIAM_RX_AVP_CODE_MEDIA_COMPONENT_DESCRIPTION:
            /* num_of_media_component is not compared with the size of the
             * media_component array before being used as an index */
            media_component = &rx_message.ims_data.
                    media_component[rx_message.ims_data.num_of_media_component];
            ret = fd_msg_browse(avpch1, MSG_BRW_FIRST_CHILD, &avpch2, NULL);
            ogs_assert(ret == 0);
            while (avpch2) {
                ret = fd_msg_avp_hdr(avpch2, &hdr);
                ..
                }
                fd_msg_browse(avpch2, MSG_BRW_NEXT, &avpch2, NULL);
            }
            rx_message.ims_data.num_of_media_component++;
            break;
        default:
            ogs_warn("Not supported(%d)", hdr->avp_code);
            break;
        }
    ..
}
```
The PAA is already known (provided by SGSN through Gn SGSNContextResponse), so not mandatory for it to be set.
The TEID is already known (provided by SGSN through Gn SGSNContextResponse), so not mandatory for it to be set.
The ubuntu docker image defaults to UID 1000 as the ubuntu username, so change the UID of the open5gs default user acetcom to 2000.
Fixed not using Reference Count for adding/deleting NF Instances.

Up until now, NF Instances have been managed by referencing the Reference Count. Initially, when an NF Instance is added, the Reference Count is incremented, and when it is deleted, the Reference Count is decremented. If a UE discovers another NF Instance through the NF Discovery function, the Reference Count is incremented. And if a UE de-registers, the Reference Count of the discovered NF is decremented.

However, there's a problem with this approach. When another NF is de-registered, there is no guarantee that it will be 100% notified. For example, if a UDM is de-registered, but an SCP is de-registered before it, the AMF will not be notified that the UDM has been de-registered. In situations where this is not clear, Reference Count cannot be used.

Therefore, we have modified it to not use the Reference Count method. Also, when a UE connects, it is modified to always search whether an NF Instance exists by NF Instance ID whenever it is discovered. To do this, we modified lib/sbi/path.c as shown below.

```diff
@@ -281,13 +281,15 @@ int ogs_sbi_discover_and_send(ogs_sbi_xact_t *xact) } /* Target NF-Instance */ - nf_instance = sbi_object->service_type_array[service_type].nf_instance; + nf_instance = ogs_sbi_nf_instance_find( + sbi_object->service_type_array[service_type].nf_instance_id); if (!nf_instance) { nf_instance = ogs_sbi_nf_instance_find_by_discovery_param( target_nf_type, requester_nf_type, discovery_option); - if (nf_instance) - OGS_SBI_SETUP_NF_INSTANCE( - sbi_object->service_type_array[service_type], nf_instance); + if (nf_instance) { + OGS_SBI_SETUP_NF_INSTANCE_ID( + sbi_object->service_type_array[service_type], nf_instance->id); + } }
```
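Review bot: in the hunk, `ogs_sbi_nf_instance_find(sbi_object->service_type_array[service_type].nf_instance_id)` is now called on every send, including before any discovery has stored an id; confirm that the lookup tolerates a NULL or empty nf_instance_id and returns NULL rather than asserting. Also, when the subsequent `ogs_sbi_nf_instance_find_by_discovery_param()` returns NULL, the stale id stays in service_type_array[service_type]; clearing it on that path (and logging the miss) would make a removed UDM/SCP visible in the logs instead of silently retrying on each request.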
The validity time for NF Instances obtained through NF Discovery was not properly implemented. The validity was 3600 seconds (1 hour), which caused the 5G Core to not work properly after 3600 seconds (1 hour). There was an issue where an NF Instance should be deleted when its validity time expired, but it was not working correctly due to incorrect use of the reference count. Therefore, I have modified the validity of NF Instances obtained through NF Discovery to work properly. I also changed the default value of validityPeriod to 30 seconds.
3GPP TS 23.003, 28.4.2 Format of the S-NSSAI:

The SST field may have standardized and non-standardized values. Values 0 to 127 belong to the standardized SST range and they are defined in 3GPP TS 23.501 [119]. Values 128 to 255 belong to the Operator-specific range.
In case the mapped HPLMN SST was not set by the UE in the request to establish a PDU Session, the AMF/SMF would assume it is set to 0 (since the recent change to allow SST value 0).
…ution (#3431)

Modified the `ogs_gtp/pfcp_context_parse_config` function to iterate through all configured GTP/PFCP server addresses. When a Fully Qualified Domain Name (FQDN) resolves to multiple IP addresses, the server now binds and listens on each IP address individually. These modifications enhance the flexibility and reliability of the GTP/PFCP server within Open5GS, allowing it to handle multiple network interfaces and redundant IP configurations as required.
Created util.h and util.c to implement the ogs_pfcp_get_node_id function, which retrieves the node_id from a PFCP message. Utilized the ogs_pfcp_status_e enum for enhanced error handling, distinguishing between success, absence, and error states.
- Changed ogs_sockaddr_strdup to ogs_sockaddr_to_string_static
- Replaced dynamic allocation with a static buffer
- Updated source and header files accordingly
- Replace direct usage of OGS_ADDR/OGS_PORT macros with ogs_sockaddr_to_string_static() for consistent IPv4/IPv6 logging.
- Remove redundant stack buffer allocations for address printing.
- Update PFCP node address handling to use addr_list and related merges, avoiding obsolete sa_list references.
- Use ogs_pfcp_extract_node_id() and related APIs to safely extract PFCP Node ID, improving error handling and reducing stack usage.
…3671)

This commit addresses an Open5GS bug where the AMF process crashes when receiving npcf-am-policy-control service responses during UE handovers. The crash was occurring in the gmm_state_authentication() function when the AMF encountered an unexpected SBI (Service Based Interface) message from the PCF related to AM Policy Control requests. Added a new case block in gmm_state_authentication() to explicitly handle messages with the service name OGS_SBI_SERVICE_NAME_NPCF_AM_POLICY_CONTROL.
Return value should be a pointer to sockaddr instead of status code.
Variable was used after it was free'd (put back into the application's memory pool, but still).
Each received PFCP message triggered ogs_pfcp_node_find(), causing a DNS resolution if node_id was an FQDN. Under heavy traffic, this could lead to excessive DNS queries.

- Implement a 300-second refresh interval to avoid repeated DNS lookups.
- Store last_dns_refresh in each node to defer new queries until needed.
- Treat config-based nodes with no Node ID as UNKNOWN, matching them by IP alone until ogs_pfcp_node_merge() updates their ID.
- Validate IPv4, IPv6, or FQDN types in ogs_pfcp_node_merge() and reject invalid IDs.
- Provide inline code comments for clarity and maintainability.
Wrap SSL_CTX_set_keylog_callback calls with an OpenSSL version check to ensure compatibility with versions older than 1.1.1. This prevents compilation issues on earlier OpenSSL releases, such as those found on Ubuntu 18.04(bionic).
This update improves compatibility with newer distributions by modifying dependency declarations in control files, Dockerfiles, and documentation.
to conditionally install `libidn-dev` or `libidn11-dev`, depending on availability, and clarify common dependencies for Debian/Ubuntu.
Previously, the function `udm_nudm_sdm_handle_subscription_create()` would trigger a fatal assertion failure if the maximum number of SDM subscriptions was reached. This commit adds error handling to check if the subscription pool allocation fails. If `udm_sdm_subscription_add()` returns NULL, an appropriate error message is logged, and a 400 Bad Request response is sent back to the client instead of causing a crash.
#3689)

This commit adds additional checks in the PFCP receive callback to ensure that a complete PFCP message is received before parsing. A minimum header length check and a total message length validation are now performed. This prevents incomplete, fragmented messages from being processed and avoids potential parsing errors and DoS conditions.
This commit modifies the message length check in ogs_pfcp_recvfrom. Previously, the condition only verified that the received size was less than the expected length, which could allow messages that are too long to be processed. The condition now requires an exact match between the received size and the expected total PFCP message length, ensuring proper message validation.
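The two commits above describe the checks a PFCP receiver needs before any IE parsing: a minimum header length, and an exact match between the datagram size and the announced message length. The following is an added example, not open5gs code, that implements those checks against the header layout of 3GPP TS 29.244 (Message Length counts every octet after the first four; an 8-octet SEID is present when the S flag is set), adds a version check, and builds constructed header-only datagrams to exercise the truncated, exact and trailing-bytes cases.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PFCP header (TS 29.244 7.2.2): octet 1 = version(3 bits)/spare/FO/MP/S,
 * octet 2 = message type, octets 3-4 = Message Length, which counts all
 * octets after the first four. With S=1 an 8-octet SEID follows, then a
 * 3-octet sequence number and one spare octet. */
#define PFCP_MIN_HDR_LEN      8   /* S = 0: 4 + seq(3) + spare(1) */
#define PFCP_MIN_HDR_LEN_SEID 16  /* S = 1: 4 + SEID(8) + seq(3) + spare(1) */
#define PFCP_FLAG_S 0x01

enum pfcp_check {
    PFCP_OK = 0,            /* exactly one complete message */
    PFCP_ERR_SHORT_HDR,     /* fewer octets than the header itself needs */
    PFCP_ERR_TRUNCATED,     /* datagram shorter than the announced length */
    PFCP_ERR_TRAILING,      /* datagram longer than the announced length */
    PFCP_ERR_BAD_VERSION
};

/* Validate one received datagram before IE parsing. total_len, when
 * non-NULL, receives 4 + Message Length once the header is readable. */
static enum pfcp_check pfcp_validate_datagram(const uint8_t *buf, size_t n,
                                              size_t *total_len)
{
    size_t need, total;
    uint16_t msg_len;

    if (n < PFCP_MIN_HDR_LEN)
        return PFCP_ERR_SHORT_HDR;
    if ((buf[0] >> 5) != 1)                 /* PFCP version is 1 */
        return PFCP_ERR_BAD_VERSION;
    need = (buf[0] & PFCP_FLAG_S) ? PFCP_MIN_HDR_LEN_SEID : PFCP_MIN_HDR_LEN;
    if (n < need)
        return PFCP_ERR_SHORT_HDR;

    msg_len = (uint16_t)((buf[2] << 8) | buf[3]);
    total = 4u + msg_len;
    if (total_len)
        *total_len = total;
    if (total < need)                       /* length field contradicts the flags */
        return PFCP_ERR_SHORT_HDR;
    if (n < total)
        return PFCP_ERR_TRUNCATED;
    if (n > total)                          /* the commit's "exact match" rule */
        return PFCP_ERR_TRAILING;
    return PFCP_OK;
}

/* Construct a header-only datagram (no IEs); body_len is what the header
 * announces beyond the mandatory fields, so a non-zero value with no body
 * appended yields a truncated message. Returns the octets written. */
static size_t pfcp_build_header(uint8_t *out, int with_seid, uint8_t msg_type,
                                uint16_t body_len, uint32_t seq)
{
    size_t pos = 0;
    uint16_t msg_len = (uint16_t)((with_seid ? 12 : 4) + body_len);
    out[pos++] = (uint8_t)(0x20 | (with_seid ? PFCP_FLAG_S : 0)); /* v1 */
    out[pos++] = msg_type;
    out[pos++] = (uint8_t)(msg_len >> 8);
    out[pos++] = (uint8_t)msg_len;
    if (with_seid) { memset(out + pos, 0, 8); pos += 8; }
    out[pos++] = (uint8_t)(seq >> 16);
    out[pos++] = (uint8_t)(seq >> 8);
    out[pos++] = (uint8_t)seq;
    out[pos++] = 0;                                            /* spare */
    return pos;
}

int main(void)
{
    uint8_t d[64] = { 0 };
    size_t n = pfcp_build_header(d, 0, 1 /* Heartbeat Request */, 0, 7);
    printf("exact:     %d\n", pfcp_validate_datagram(d, n, NULL));      /* 0 */
    printf("truncated: %d\n", pfcp_validate_datagram(d, n - 1, NULL));  /* 1 */
    printf("trailing:  %d\n", pfcp_validate_datagram(d, n + 2, NULL));  /* 3 */
    return 0;
}
```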
…nnel responses

Replace enb_ue with source_ue to correctly reference the target eNodeB context during handover. Added null checks and assertions to ensure proper session cleanup in both mme-s11-handler.c and s1ap-handler.c.
Previously, policies were configured via YAML files without MongoDB. This update enhances the YAML approach by adding the 'supi_range' key to filter policies based on UE SUPI ranges. When both 'supi_range' and 'plmn_id' are provided, both conditions must be met. Note that PLMN-ID filtering will be deprecated in a future release.
…ponses (#3707)

During handover between two gNBs, the AMF enters an invalid state when it receives an unexpected SBI response from the UDM in the process of sending a smf-select-data request. This bug could lead to an AMF crash as the state machine in gmm_state_registration encountered an unknown state. The fix adds explicit handling for SBI messages with resource names such as AM_DATA, SMF_SELECT_DATA, UE_CONTEXT_IN_SMF_DATA, and SDM_SUBSCRIPTIONS. If the HTTP response status is not OK, CREATED, or NO_CONTENT, a warning is logged and the message is ignored. This prevents the AMF from transitioning into an abnormal state and improves overall stability during frequent handovers.
…3710)

When a duplicate PDU session establishment is received, the AMF logs a warning and proceeds to update the SM context via the SBI interface. This process eventually calls amf_nsmf_pdusession_build_create_sm_context(), which uses the SUPI to build the SBI URI header. If the SUPI is NULL, then the header's resource component becomes NULL. This leads to a call to ogs_uridup() that asserts on the NULL value, causing a crash. This commit adds a check before invoking the SBI update. If the SUPI is NULL, the update is skipped and a warning is logged. This prevents the invalid URI build process and avoids the subsequent crash in ogs_uridup().