[Bug]: Possible dynamic-stack-buffer-overflow in /lib/core/abts.c #2577
Timeline:
- Sep 5, 2023: liuxiaoxinxinxin added the triage label.
- Sep 5, 2023: liuxiaoxinxinxin changed the title from "[Bug]: dynamic-stack-buffer-overflow in /lib/core/abts.c" to "[Bug]: Possible dynamic-stack-buffer-overflow in /lib/core/abts.c".
- Sep 5, 2023: acetcom added the type:bug (Open5GS bug), Housekeeping:ToClose and Type:Security (Security issue) labels and removed the triage label.
- Sep 5, 2023: acetcom added two commits that referenced this issue.
- Sep 5, 2023: github-actions bot removed the Housekeeping:ToClose label.
- Sep 14, 2023: davidkneipp pushed a commit to Omnitouch/open5gs that referenced this issue, with the following commit message:
* [MME] add facility to select smf(pgwu) by tac and e_cell_id.
  [mme.yaml]
    # o SMF selection by eNodeB TAC
    #   (either single TAC or multiple TACs, DECIMAL representation)
    #
    # gtpc:
    #   - addr: 127.0.0.4
    #     tac: 26000
    #   - addr: 127.0.2.4
    #     tac: [25000, 27000, 28000]
    #
    # o SMF selection by e_cell_id(28bit)
    #   (either single or multiple e_cell_id, HEX representation)
    #
    # gtpc:
    #   - addr: 127.0.0.4
    #     e_cell_id: abcde01
    #   - addr: 127.0.2.4
    #     e_cell_id: [12345, a9413, 98765]
* [Fuzzing] oss-fuzz support for fuzzing (open5gs#2283)
* [Fuzzing] oss-fuzz support for fuzzing
  Signed-off-by: Arjun Singh <[email protected]>
* [Fuzzing] fix error 2284
  Signed-off-by: Arjun Singh <[email protected]>
  ---------
  Signed-off-by: Arjun Singh <[email protected]>
* [MME] try to fix the open5gs#2287 issue
* [SMF] Disable Network Service request while ACTIVATING
  Disable Network triggered service request while UE triggered service request (open5gs#2294)
* Update document (open5gs#2274, open5gs#1127)
* [SBI] Fixed a bug with encoder/decoder of scpPorts (open5gs#2310, open5gs#2274)
* [AMF] Fixed crash if served_tai_index < 0 (open5gs#2059)
* [SGWU/UPF] Fixed crash by gTPTunnel (open5gs#2313)
  SGWU/UPF crashes with ogs_pfcp_setup_far_gtpu_node by a specially crafted gTPTunnel.transportLayerAddress
* [AMF/MME] Fixed crashes by M-TMSI (open5gs#2307)
* [AMF] Fixed crashes with assertion (open5gs#2312)
  AMF crashes with amf_nnssf_nsselection_handle_get assertion failure.
* Release v2.6.4
* [PCF] Always expose SNSSAI label (open5gs#2320)
* [SMF] Expose metrics for nr. of PDU session creations
  [ETSI TS 128 552 V16.9.0](https://www.etsi.org/deliver/etsi_ts/128500_128599/128552/16.09.00_60/ts_128552v160900p.pdf): Registration type label is not provided. A nonstandard PLMNID label is added to achieve uniqueness.
  - 5.3.1.3 Number of PDU sessions requested to be created by the SMF
    PLMNID and SNSSAI are defined during PDU session creation processing. Some requests can be rejected during processing before label values are known. Those requests are not counted under particular labels. To count also such requests, the basic metric with empty labels is exposed too.
    ```
    fivegs_smffunction_sm_pdusessioncreationreq{plmnid="",snssai=""} 1
    fivegs_smffunction_sm_pdusessioncreationreq{plmnid="00101",snssai="1000009"} 1
    ```
  - 5.3.1.4 Number of PDU sessions successfully created by the SMF
    ```
    fivegs_smffunction_sm_pdusessioncreationsucc{plmnid="00101",snssai="1000009"} 1
    ```
  - 5.3.1.5 Number of PDU sessions failed to be created by the SMF
    ```
    fivegs_smffunction_sm_pdusessioncreationfail{cause="400"} 1
    ```
  Example for one successful and one failed (during creation processing) PDU session creation:
  ```
  fivegs_smffunction_sm_pdusessioncreationreq{plmnid="",snssai=""} 2
  fivegs_smffunction_sm_pdusessioncreationreq{plmnid="00101",snssai="1000009"} 1
  fivegs_smffunction_sm_pdusessioncreationsucc{plmnid="00101",snssai="1000009"} 1
  fivegs_smffunction_sm_pdusessioncreationfail{cause="400"} 1
  ```
* relocation of user-location-info on top level
* [PFCP] Fix IPv4 PFCP advertise addresses
* [PFCP] Support PFCP advertise address in F-SEID
* [Fuzzing] bug fix 59062 and increasing converge
  Signed-off-by: Arjun Singh <[email protected]>
* [HSS] SWx: SAR & MAR: set mandatory User-Name on failure cases
  Multimedia-Auth-Answer and Server-Assignment-Answer define the AVP User-Name as mandatory. It must also be present on failure cases. See 3GPP TS 29.273 Rel 17.
  Signed-off-by: Alexander Couzens <[email protected]>
* Updated SRS 5G SA Tutorial URL
* [Docs] fixed CURL generates 16 ERROR
  Refer to curl/curl#3750
* [SBI] Fixed Invalid S-NSSAI format (open5gs#2337)
* [CORE] Rollback ogs_pool_init/final (open5gs#2339)
  ogs_pool_init() shall be used in the initialization routine. Otherwise, memory will be fragmented since this function uses system malloc(). Compared with ogs_pool_init(), ogs_pool_create() could be called while the process is running, so this function should use ogs_malloc() instead of system malloc().
* [Docs] Update night build URI
* [SBI,NAS] Fix conversion of bitrate between OpenAPI/NAS and internal representation
  From the OpenAPI document, TS29571_CommonData.yaml: BitRate String representing a bit rate; the prefixes follow the standard symbols from The International System of Units, and represent x1000 multipliers, with the exception that prefix "K" is used to represent the standard symbol "k".
* [NAS] Improve algorithm for conversion of bitrate to NAS
  The improved algorithm better handles some odd bitrates. With the current version, the bitrates 63 Kbps and 65 Kbps would get converted into 48 Kbps (unit 16 Kbps x 3) and 64 Kbps (unit 64 Kbps x 1). Especially in the first case, the conversion error is quite significant. The current version tries to find the biggest 'unit', while the 'value' is still above 0. With the updated version, the algorithm tries to find the 'unit' low enough that the resulting 'value' can still fit into the 16-bit space without overflow.
* [PFCP] Fix calculation of AMBR
  When converting bitrates from bits per second to kilobits per second, if the conversion results in fractions, the resulting value should be rounded upwards.
* [SMF/PFCP] Send framed routes in both UL and DL pdrs
* Update 01-genodebs.md
  add ASKEY SCE2200 to the Commercial 5G list
* [SMF] Fix typo in log line
* fix Gy for 3GPP-User-Location-Info
* [PCF] Fix calculation of NF Instance load information
  - the 'if' clause was comparing some value with an always '1' due to wrong calculation. Consequently, this 'if' statement never executed.
  - sizes for session pool and UE pools are directly linked between each other. We need to count the number of items only in one of the pools to correctly represent the NF load
  - if anything, we should also check the load of the application pool to determine correct load of the NF
* [AMF,SMF,PCF] Rename the function for calculating NF Instance load
  - have a more consistent naming among the NF's
  - always have the same prefix (amf_/smf_/pcf_) depending on the NF
  - function name is always the same, how the function calculates the load is NF specific and internal to the function itself (but not the function name).
* [SMF] Fix a use-after-free bug
* [SMF] Fix Gx/Gy assert() if more than 64 CCRs are sent
  The current code uses the cc request number as an index to the transaction array (xact/xact_data). Since cc request number is a 32 bit integer this is unfeasible for longer sessions and if more than a handful of messages are exchanged per session. The array size was already increased in open5gs#2038 which simply delays the issue. Furthermore, the current code asserts that cc_request_number is <= MAX_CC_REQUEST_NUMBER which leads to an out-of-bounds write if cc_request_number == MAX_CC_REQUEST_NUMBER. Instead use a smaller array and index into it using cc_request_number % array size. More than 2 requests should never be in flight at any one time (initial or update request together with a termination request) so an array size of 4 should be fine.
* [SMF] Decrease sessions metric on OLD Session Release
  Since [redesign](open5gs@8553c77) of fivegs_smffunction_sm_sessionnbr gauge, the metric doesn't expose some decrements. The decreasing of the gauge had been moved out of function stats_remove_smf_session. It should be decreased every time stats_remove_smf_session is called, but this particular case is easily reproducible by killing UPF while the session is established.
* [DOCS] Added VPP-UPF tutorial
* [Docs] 5G SCTP Load Balancer Tutorial (open5gs#2391)
* BTI Wireless Femto Cell nCELL-F2240 added
* [AMF] Fix search for correct SMF based on SmfInfo
  Each SMF's NfProfile can contain multiple SmfInfo items. The issue was that AMF checked only the first SmfInfo for correct S-NSSAI/NR-TAI information. In case of a 5G core setup with SMF handling 2 or more slices, and UE trying to establish multiple PDU sessions, AMF would report an error when trying to find the correct serving SMF.
  [amf] ERROR: [1:0] (NF discover) No [nsmf-pdusession] (../src/amf/nnrf-handler.c:85)
* Follow-up on open5gs#2399
* fix boot-looping of UPF with interface in TAP mode
* mac: fix mongodb config path for Apple Silicon
* [NRF] Fix crash due to failing assertion on OPTIONS request
* cosmetic: mme: Fix trailing whitespace in several files
* Add CIFuzz workflow
  Add CIFuzz workflow action to have fuzzers build and run on each PR. This service is offered by OSS-Fuzz where open5gs already runs. CIFuzz can help catch regressions and fuzzing build issues early, and has a variety of features (see the URL above). In the current PR the fuzzers get built on a pull request and will run for 300 seconds.
  Signed-off-by: David Korczynski <[email protected]>
* gtp: xact: Fix unneeded conditionals
  The xarg->org is set to a specific value above in the same function, so no need to check for its value.
* gtp1: Add missing RAN INFORMATION RELAY msg
  The RAN INFORMATION RELAY message has no associated response, and hence it should not start the T3-RESPONSE timer to retrigger retransmissions.
  TS 29.060 11.1: "The Error Indication, Version Not Supported, RAN Information Relay, Supported Extension Headers Notification and the SGSN Context Acknowledge messages shall be considered as Responses for the purpose of this clause"
  TS 29.060 7.5.14.1: "For handling of protocol errors the RAN Information Relay message is treated as a Response message."
* [AMF] Handle N1N2MessageTransfer sess. est. reject from SMF
* [SMF] On sess. est. fail, don't reply to AMF twice on the same stream
* [SMF] Reject session on PFCP sess. est. timeout
* [SMF] Don't abort session tear-down on PCF error
* Follow-up on open5gs#2428
* mme: Introduce initial Gn iface (GTPv1C) support
  This interface allows supporting several inter-RAT mobility features towards pre-rel8-SGSNs (SGSNs without S3/S4 GTPV2C interface).
  Related specs:
  - 3GPP TS 23.401:
    -- "5.6 Network Assisted Cell Change"
    -- "5.15 RAN Information Management (RIM) procedures"
    -- "Annex D"
  - 3GPP TS 23.060 (general GERAN<->GERAN mobility)
  - 3GPP TS 29.060
* mme: s1ap: Implement rx of eNB DIRECT INFORMATION TRANSFER
  If destination is a GERAN network, attempt to use the new Gn interface to forward it to an SGSN if configured to do so.
* mme: s1ap: Implement tx of MME DIRECT INFORMATION TRANSFER
  Triggered when receiving a GTPv1C RAN Information Relay message on Gn interface, targeted at one of the eNBs under the MME.
* [HSS] Modify where to check mongodb version (open5gs#2425)
* Fixed the build error
* Follow-up on open5gs#2428
* [SMF] Reply with error instead of crashing when IP pool is exhausted
* Follow-up on open5gs#2443
* mme: fix missing memset in mme_fd_init
  The 'data' struct used to specify the diameter dispatch options for the MME callbacks was not being initialized properly, which meant that the App id could contain garbage. This was preventing the callbacks from being invoked when receiving ISD/CLR requests.
* mme: s1ap: Split rx HandoverRequired handling based on HandoverType
  This is a preparation towards adding other handover types in the future.
* [AMF] Implicit Deregistration (Reset, ConnRefused)
  When the AMF releases the NAS signalling connection, the ran_ue context is removed by ran_ue_remove() and amf_ue/ran_ue is de-associated by amf_ue_deassociate(). In this case, implicit deregistration is attempted by the mobile reachable timer according to the standard document, and amf_ue will be removed by amf_ue_remove().
  TS 24.501 5.3.7 Handling of the periodic registration update timer and Start AMF_TIMER_MOBILE_REACHABLE mobile reachable timer
  The network supervises the periodic registration update procedure of the UE by means of the mobile reachable timer. If the UE is not registered for emergency services, the mobile reachable timer shall be longer than the value of timer T3512. In this case, by default, the mobile reachable timer is 4 minutes greater than the value of timer T3512. The mobile reachable timer shall be reset and started with the value as indicated above, when the AMF releases the NAS signalling connection for the UE.
* Fixed build failure in osmocom/open5gs
* [MME] Temporarily disable sgsn settings (open5gs#2441)
* [MME] rework sgsn default route config in mme.yaml
  Move the config to the sgsn node instead of having a specific route with specific format "default: route", since anyway internally it's already applied to the sgsn object.
* Added missing memory release (open5gs#2441, open5gs#2450)
* fix tap mode arp table poisoning
* [AMF/MME] Remove code that doesn't work (open5gs#2013)
  Based on the standard document below, when the UE is in the IDLE state, we checked the implicit timer and tried to send a message to the UE, but it doesn't work properly. So, first of all, I deleted the related code.
  - TS 24.301 Ch 5.3.7 If ISR is not activated, the network behaviour upon expiry of the mobile reachable timer is network dependent, but typically the network stops sending paging messages to the UE on the first expiry, and may take other appropriate actions
  - TS 24.501 Ch 5.3.7 The network behaviour upon expiry of the mobile reachable timer is network dependent, but typically the network stops sending paging messages to the UE on the first expiry, and may take other appropriate actions.
* UPF HA - release/establish new PDU session in CM_IDLE (open5gs#2471)
  See also open5gs#2396, open5gs#2418
* Fixed security vulnerability for malformed packet
* Fixed SIGPIPE problem (open5gs#2411, open5gs#2312)
* Update VoLTE Dockerized Tutorial (open5gs#2484)
* Added Roaming Document
* Update document
* Update Roaming Document
* Add trace log for debugging open5gs#2287
* [UPF] Fix wrong number of QoS flows metric (open5gs#2490)
* add search with msisdn (open5gs#2495)
* add search with msisdn
* add 2nd msisdn
* UE slice shall be also available in RAN (open5gs#2482)
  Changed so that registration can be accepted only when the UE slice is available in the RAN slice.
* S1Setup failure with invalid MCC/MNC (open5gs#2491)
* [SMF] Fix crash on double policy deletion (open5gs#2489)
* [AMF/MME] Follow-up on open5gs#2491
* [AMF/MME] Defaults 9 minutes for T3412/T3512
* [SBI] UDR stores PEI instead of PCF
* Use x1000 multiplier for Kbps, Mbps, ... etc. (open5gs#2515)
  NAS, GTP, PFCP, SBI, all except S1AP/NGAP use x1000 multiplier for Kbps, Mbps, Gbps ... etc. From now on in WebUI all units also use a multiplier of x1000.
* [SMF] Added SMF registrations (open5gs#2514, open5gs#2524)
* [TLV] PFCP parser crash from FuzzingLabs (open5gs#2523)
* [SBI] nghttp2 SETTING ACK should be sent (open5gs#2385)
  Whether or not to send a Setting ACK is determined by the nghttp2 library. Therefore, when nghttp2 informs us that it wants to send a SETTING frame with ACK by nghttp2_session_want_write(), we need to call session_send() directly to send it.
* [WebUI] Fixed a crash when editing Subscribe
  After the UE performs Registration/Attach, the SQN field is created. If we edit subscriber information when an SQN value is present, a WebUI crash occurs. It is because the way to handle Long Type (SQN:Long) is different when the mongoose version is 6 or higher. To avoid this crash, we use the mongoose version down to 5.x first.
* [SMF] Deregister issue during sess release (open5gs#2537)
  A situation in which you establish two sessions and release both of them. In the first SESSION, the UE normally sent PDUSessionResourceReleaseResponse and PDU session release complete. However, these were not sent when releasing the second SESSION. At this point, when the UE tried to do a deregistration, the SMF was not properly handling the exception. I've just fixed this.
* [GTP] gtp_message_fuzz: Abrt in ogs_abort
  See below for details.
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59414
* [TLV] GTP parser crash from FuzzingLabs
  See below for details
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61780#c1
* [TLV] Oops! Fixed my mistake on pull open5gs#2549
* Update docs.md
* Fix typo and remove trailing whitespaces in nas-security
* [AMF] amf_ue_set_suci: Assertion `suci` (open5gs#2567)
  Cannot convert SUCI in `Not implemented SUPI format [4]`
* [WebUI] Update NodeJS installation Guide
* [UDM] Fixed crash for invalid SUCI (open5gs#2571)
  Modifications were made to resolve the following assertion.
  Invalid HNET PKI Value [0] (../lib/sbi/conv.c:135)
  ogs_supi_from_supi_or_suci: Expectation `supi' failed. (../lib/sbi/conv.c:262)
  udm_ue_add: Assertion `udm_ue->supi' failed. (../src/udm/context.c:144)
  backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)
* Update open5gs-dbctl
  This is now consistent with the webui (check /webui/src/components/Subscriber/Edit.js:175)
* Fixed dynamic-stack-buffer-overflow (open5gs#2578, open5gs#2577)
* [NRF] Fixed NRF crash when Custom nfType (open5gs#2576)
  NF Instance Registration to reproduce crash:
  curl -v -X PUT -d '{"nfInstanceId":"0b8a8d59-af80-4fb7-8645-b832fd69d94a","nfType":"CUSTOM_INF","nfStatus":"REGISTERED","ipv4Addresses":["127.0.13.37"]}' --http2-prior-knowledge http://127.0.0.10:7777/nnrf-nfm/v1/nf-instances/0b8a8d59-af80-4fb7-8645-b832fd69d94a
* [PFCP] Fixed Possible heap buffer overflow (open5gs#2585)
  After examining the call stack and reading the source code, I found that in /lib/core/ogs-pool.h line 152: (pool)->array[i] = i+1; then in lib/pfcp/context.c line 78: pdr_random_to_index[ogs_pfcp_pdr_teid_pool.array[i]] = i; ogs_pfcp_pdr_teid_pool.array[i] may exceed the size of pdr_random_to_index, leading to a heap-buffer-overflow.
* [SMF] Invalid Message(SmContextCreateData) (open5gs#2590)
  curl --noproxy '*' --http2-prior-knowledge -X POST --header "Content-Type: multipart/related" --data-binary @pdu http:/192.168.29.231:7777/nsmf-pdusession/v1/sm-contexts
  Attaching file 'pdu'
  SMF crashes as it is not able to decode the message properly. SmContextCreateData is not accessible.
* [GTPU] Fixed PDCP SN handling (open5gs#2584, open5gs#2477)
  Scenario is handover on S1AP, data forwarding is enabled, and the Source ENB is forwarding DL PDCP packets to EPC(SGWU) with PDCP SN included. SGWU is also forwarding these packets to the Target ENB. However the PDCP SN is not present in the forwarded packets from SGWU to Target ENB. I modified this part, and there was the same problem in 5GC, fixed it as well. A lot of code in GTP-U has been modified, so if you have any problems, please let us know right away.
* Minor change to address timer warnings and errors in upf, patch for upf bearer removal when sgw restarts
---------
Signed-off-by: Arjun Singh <[email protected]>
Signed-off-by: David Korczynski <[email protected]>
Co-authored-by: Shigeru Ishida <[email protected]>
Co-authored-by: Arjun <[email protected]>
Co-authored-by: Sukchan Lee <[email protected]>
Co-authored-by: Gaber Stare <[email protected]>
Co-authored-by: Eugene Bogush <[email protected]>
Co-authored-by: mitmitmitm <[email protected]>
Co-authored-by: Arjun Singh <[email protected]>
Co-authored-by: Alexander Couzens <[email protected]>
Co-authored-by: jmasterfunk84 <[email protected]>
Co-authored-by: Bostjan Meglic <[email protected]>
Co-authored-by: jy <[email protected]>
Co-authored-by: Pau Espin Pedrol <[email protected]>
Co-authored-by: Daniel Willmann <[email protected]>
Co-authored-by: Rolf Winter <[email protected]>
Co-authored-by: Robert Dash <[email protected]>
Co-authored-by: Jan Romann <[email protected]>
Co-authored-by: Matthias Bräuer <[email protected]>
Co-authored-by: David Korczynski <[email protected]>
Co-authored-by: Emanuele Di Pascale <[email protected]>
Co-authored-by: bem4444 <[email protected]>
Co-authored-by: gstaa <[email protected]>
Co-authored-by: Abdelmuhaimen Seaudi <[email protected]>
Co-authored-by: Carlos Giraldo <[email protected]>
Co-authored-by: theodorsm <[email protected]>
Co-authored-by: Gabriel <[email protected]>
Co-authored-by: Ryan Dimsey <[email protected]>
Open5GS Release, Revision, or Tag
v2.6.4
Steps to reproduce
According to "Building Open5GS from Sources," I compiled Open5GS with ASAN on Ubuntu 20.04. After the compilation was completed, I ran meson test -v in the build directory, and ASAN reported the following information:
==23232==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffc12a4a898 at pc 0x7f275967feda bp 0x7ffc12a4a530 sp 0x7ffc12a4a528
WRITE of size 8 at 0x7ffc12a4a898 thread T0
#0 0x7f275967fed9 in abts_main /home/lxy/Downloads/open5gs-main/build/../lib/core/abts.c:592:17
#1 0x4f3c0e in main /home/lxy/Downloads/open5gs-main/build/../tests/core/abts-main.c:85:10
#2 0x7f2759295082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#3 0x41ebad in _start (/home/lxy/Downloads/open5gs-main/build/tests/core/core+0x41ebad)
Address 0x7ffc12a4a898 is located in stack of thread T0 at offset 856 in frame
#0 0x7f275967f2df in abts_main /home/lxy/Downloads/open5gs-main/build/../lib/core/abts.c:506
This frame has 2 object(s):
[32, 136) 'options' (line 509)
[176, 208) 'optarg' (line 510) <== Memory access at offset 856 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /home/lxy/Downloads/open5gs-main/build/../lib/core/abts.c:592:17 in abts_main
Shadow bytes around the buggy address:
0x1000025414c0: 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x1000025414d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000025414e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000025414f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100002541500: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
=>0x100002541510: 00 00 00[cb]cb cb cb cb f1 f1 f1 f1 00 00 00 00
0x100002541520: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00
0x100002541530: f2 f2 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
0x100002541540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100002541550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100002541560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==23232==ABORTING
1/13 open5gs:unit / core FAIL 0.12 s (exit status 1)
Logs
Expected behaviour
Based on the call stack analysis, I've identified that the issue occurs in
/test/core/abts-main.c line 80: const char* argv_out[argc + 2];
where the size allocated for argv_out is missing one byte.
The same issue has also been found in:
/test/unit/abts-main.c line 70
/test/sctp/abts-main.c line 48
/test/crypt/abts-main.c line 53.
I would like to propose modifying the code to const char* argv_out[argc + 3]; to prevent further buffer overflow issues.
I am not quite sure whether this is a bug; any feedback would be appreciated!
Observed Behaviour
ASAN reported dynamic-stack-buffer-overflow in /lib/core/abts.c:592:17 and the test failed.
eNodeB/gNodeB
No response
UE Models and versions
No response
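The bug class behind the report, as an added illustration that is not code from the Open5GS tree: a caller declares a VLA of argc + 2 pointers, while the writer stores argc originals, two appended options and a NULL terminator, so the last store lands one pointer past the end. The function names and the appended options are hypothetical; the hardened variant carries the capacity with the buffer and refuses to write past it.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in (not Open5GS code) for the argv rewrite the report
 * points at. Names and the appended "-v"/"-q" options are constructed. */

/* Slots the rewritten vector needs: argc originals + 2 appended + 1 NULL. */
size_t argv_out_slots_needed(int argc)
{
    return (size_t)argc + 3;
}

/* Unchecked pattern: the writer trusts the caller to have sized argv_out.
 * With a VLA of argc + 2 entries the final NULL store is one element past
 * the end: a pointer-sized (8 byte on x86_64) write into the stack redzone,
 * which is what ASAN reports as dynamic-stack-buffer-overflow. */
void rewrite_args_unchecked(int argc, const char *const argv[],
                            const char *argv_out[])
{
    int i;
    for (i = 0; i < argc; i++)
        argv_out[i] = argv[i];
    argv_out[argc]     = "-v";
    argv_out[argc + 1] = "-q";
    argv_out[argc + 2] = NULL;   /* overflows a buffer of argc + 2 slots */
}

/* Hardened form: the capacity is checked before any store, so a mis-sized
 * caller gets an error instead of stack corruption.
 * Returns 0 on success, -1 if argv_out cannot hold the result. */
int rewrite_args_checked(int argc, const char *const argv[],
                         const char *argv_out[], size_t argv_out_cap)
{
    int i;
    if (argc < 0 || argv_out_cap < argv_out_slots_needed(argc))
        return -1;
    for (i = 0; i < argc; i++)
        argv_out[i] = argv[i];
    argv_out[argc]     = "-v";
    argv_out[argc + 1] = "-q";
    argv_out[argc + 2] = NULL;
    return 0;
}

/* Entries before the NULL terminator. */
int count_args(const char *const argv[])
{
    int n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

/* Run the checked rewrite over a constructed two-entry argv while claiming
 * the given capacity. Returns -1 when refused, else the resulting entry
 * count. The physical buffer has 8 slots, so an undersized claim is refused
 * before anything is written and an oversized claim is rejected outright. */
int demo_result(size_t argv_out_cap)
{
    const char *const sample_argv[] = { "core", "-x", NULL };  /* constructed */
    const char *argv_out[8] = { 0 };
    if (argv_out_cap > 8 ||
        rewrite_args_checked(2, sample_argv, argv_out, argv_out_cap) != 0)
        return -1;
    return count_args(argv_out);
}

int main(int argc, const char *const argv[])
{
    /* Sized as the issue proposes (argc + 3), computed in one place. */
    const char *argv_out[argv_out_slots_needed(argc)];   /* VLA */
    if (rewrite_args_checked(argc, argv, argv_out,
                             argv_out_slots_needed(argc)) != 0)
        return 1;
    printf("%d entries after rewrite\n", count_args(argv_out));
    return 0;
}
```

Built with -fsanitize=address, calling rewrite_args_unchecked on an argc + 2 VLA reproduces the WRITE of size 8 one slot past the buffer; the checked variant returns -1 for the same capacity.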