vrr/open5gs
2
0
Fork 0
mirror of https://github.com/open5gs/open5gs.git synced 2026-04-28 03:19:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

UPF: Reject CreatePDR without FAR-ID to prevent crash in fast path

Browse source 
According to TS 29.244, FAR-ID is a mandatory IE in CreatePDR. However,
Open5GS previously accepted a Session Establishment Request containing a
CreatePDR without FAR-ID. When subsequent GTP-U packets matched the PDR,
the user-plane fast path dereferenced a NULL FAR pointer and aborted,
leading to a UPF crash (DoS).

This patch adds mandatory IE validation for FAR-ID in
ogs_pfcp_handle_create_pdr(), returning PFCP cause
MANDATORY_IE_MISSING when FAR-ID is absent.

As a result, malformed CreatePDR is rejected at PFCP control plane
instead of causing fatal assertion in the data path.

Fixes crash in `_gtpv1_u_recv_cb()` and improves robustness.

Issues: #4179
This commit is contained in:
Sukchan Lee 2025-12-05 09:39:08 +09:00
parent 1abe8c31fc
commit 93a9fd98a8
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
lib/pfcp/handler.c
View file

@ -461,6 +461,13 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_create_pdr(ogs_pfcp_sess_t *sess,
return NULL;
}
if (message->far_id.presence == 0) {
ogs_error("No FAR-ID");
*cause_value = OGS_PFCP_CAUSE_MANDATORY_IE_MISSING;
*offending_ie_value = OGS_PFCP_FAR_ID_TYPE;
return NULL;
}
if (message->pdi.presence == 0) {
ogs_error("No PDI in PDR");
*cause_value = OGS_PFCP_CAUSE_MANDATORY_IE_MISSING;