Commit graph

4847 commits

Author SHA1 Message Date
Jasmine Fan
678abdeacf
Add roaming type toggle via command line (#4211)
* add TODOs for lbo_roaming_allowed function

* complete lbo_roaming_allowed method

* edit help text

* fix variable name
2025-12-23 13:53:53 +09:00
Sukchan Lee
465273d13b sgwc: avoid crash on malformed GTPv2-C F-TEID and reject gracefully
SGW-C could abort when handling malformed GTPv2-C messages where an
F-TEID has neither IPv4 nor IPv6 flags set. In such cases,
ogs_gtp2_f_teid_to_ip() returned an error but the caller asserted on
OGS_OK, causing a process abort.

This change removes assertions on F-TEID and PFCP outer header creation
and replaces them with proper runtime validation and error handling.
Malformed or semantically incorrect messages are now rejected with an
appropriate GTP-C cause instead of crashing the control plane.

For Create Session Request handling, all error paths are unified through
a cleanup path to ensure partially created sessions are removed before
sending an error response, preventing resource leaks.

Issues: #4203
2025-12-22 20:19:39 +09:00
Sukchan Lee
f93039e8b9 sgwc: handle PFCP DEACTIVATE responses based on ERROR_INDICATION context
The meaning of pfcp_xact->assoc_xact_id differs depending on whether a PFCP
Session Modification response is related to an Error Indication.

For PFCP DEACTIVATE responses with OGS_PFCP_MODIFY_ERROR_INDICATION set,
assoc_xact_id refers to a bearer context rather than an S11 transaction.
Handle this case explicitly by resolving the bearer and UE context and
processing the session synchronization path accordingly.

For other DEACTIVATE cases, continue to resolve assoc_xact_id as an S11
transaction ID and send an appropriate GTPv2-C error response when possible,
while safely handling missing S11 transactions.

This change avoids incorrect transaction lookups and improves robustness
when handling PFCP Error Indication related DEACTIVATE responses.
2025-12-17 21:04:15 +09:00
Sukchan Lee
757ce80bf7 sgwc: avoid crash when S11 transaction is missing on PFCP DEACTIVATE failure
When handling PFCP Session Modification responses with the DEACTIVATE flag,
SGWC assumed that a corresponding S11 transaction always existed and enforced
this with an assertion.

In some error paths (e.g. SGWU rejecting a PFCP modification due to missing
mandatory IEs or asynchronous cleanup), the associated S11 transaction may
already be released or may not exist at all. This caused SGWC to crash on
assertion failure.

Replace the assertion with a NULL check and log the condition (including IMSI
and associated transaction ID) when the S11 transaction is missing, while
allowing the PFCP transaction to be committed safely.
2025-12-15 22:33:02 +09:00
Sukchan Lee
bc2043fcf5 sgwc: add detailed logs to trace empty PFCP modification
This change adds extensive logging across SGW-C GTP and PFCP paths
to identify the root cause of an assertion failure triggered when
building a PFCP Session Modification Request with no PDR/FAR changes.

The assertion was hit when the total number of remove/create/update
PDR/FAR entries was zero, indicating an invalid PFCP modification
state.

To trace where this condition originates, this commit:
- Promotes key debug logs to info level for better visibility
- Adds contextual logs when PFCP Session/Bearer Modification is invoked
  from S11, S5-C, and SXA handlers
- Logs PFCP transaction state, modify flags, and bearer lists
- Logs detailed counters before asserting in
  sgwc_sxa_build_bearer_to_modify_list()

These logs allow correlating GTP control-plane events with PFCP
modification requests and identifying cases where modification flags
are set but no effective PDR/FAR changes are generated.
2025-12-10 21:09:44 +09:00
LSKhappychild
5f7b8921a4 Prevent null session reference at sending partial-handover error
Signed-off-by: LSKhappychild <lskook47@gmail.com>
2025-12-10 02:02:27 +09:00
Sukchan Lee
fc0aab3c99 smf: Reject SmContextCreate/PduSessionCreate with missing or unassigned PSI
A malformed SBI request with `"pduSessionId":0` (UNASSIGNED) or without
`pduSessionId` caused `smf_sess_find_by_psi()` to assert and crash.

This patch adds defensive validation in:
  - smf_sess_add_by_sm_context()
  - smf_sess_add_by_pdu_session()

If `is_pdu_session_id == false` or `pdu_session_id ==
OGS_NAS_PDU_SESSION_IDENTITY_UNASSIGNED`, log an error and safely discard
the request instead of creating a session.

Issues: #4201
2025-12-08 16:21:50 +09:00
Sukchan Lee
782a97efe9 Fix DNN Operator-Identifier format and refactor OI parsing for HR roaming interop
Align full-DNN construction with 3GPP TS 23.003 §9.1.2 by switching the
Operator Identifier format from "5gc.mncXXX.mccYYY.3gppnetwork.org" to
"mncXXX.mccYYY.gprs". Introduce new helper utilities to extract and build
OI (Operator Identifier) from both PLMN-ID and FQDN, and replace the
legacy `ogs_home_network_domain_from_fqdn()` usage in AMF/SMF/PCF paths.

This resolves DNN misalignment in vSMF–hSMF PDU Session Create that
caused interop issues with external 5G core vendors during HR roaming.

Includes updates across AMF/SMF/PCF, unit tests, and supporting helpers.

Issues: #4096
2025-12-06 22:23:34 +09:00
Sukchan Lee
731ecc4e1b smf: Prevent crash when Diameter session context is lost and recover gracefully
In long-running deployments, a mismatch can occur between SMF’s stored
Gx/Gy/S6b Session-Id and the freeDiameter session table, typically after
peer reconnection, watchdog timeout, or internal cleanup. In such cases
`fd_sess_fromsid_msg()` may return `new != 0`, indicating that the
Diameter stack created a new session instance instead of retrieving the
existing one.

Previously, this condition triggered `ogs_assert(new == 0)` which caused
a fatal crash of the SMF (and potentially SGWC), interrupting normal
operation.

This patch replaces the assertion with a graceful recovery path:
- Log an error indicating that the Diameter session has been lost
- Free the pending request message and stored Session-Id
- Return early to trigger PDU session release handling by the upper layer
- Avoid process termination and maintain service continuity

This significantly improves robustness in long-running and fault-tolerant
deployments with commercial-grade operational requirements.

Issues: #4195
2025-12-06 11:15:50 +09:00
Sukchan Lee
e8fc78f2f4 mme: Handle implicit detach when ENB-UE context is already removed
When a CPE (4G router) loses power abruptly without sending a Detach
Request, the ENB-UE context is removed first, causing the implicit
detach process to fail. This leaves sessions active in SMF/UPF/SGWC/SGWU.

Changes:
- Allow mme_send_delete_session_or_detach() to accept NULL enb_ue
- Remove enb_ue assertion in mme_gtp_send_delete_session_request()
- Conditionally set xact->enb_ue_id only when enb_ue is present
- Remove enb_ue assertion in mme_gtp_send_delete_all_sessions()
- Move ENB-UE context check in mme_s11_handle_delete_session_response()
  after session cleanup to ensure proper resource release
- Change log level to INFO for Mobile Reachable timer in registered state

This ensures that implicit detach proceeds correctly even when the
ENB-UE context has already been released, allowing proper cleanup of
core network sessions.

Fixes session leak issue reported in GitHub issue #4194
2025-12-06 10:14:32 +09:00
Sukchan Lee
6489de35e1 SMF: Validate remote DL GTP Tunnel IP to prevent crash during PDU Session Modify / HO
Fix crash triggered by malformed PDU Session Resource Modify / Path Switch /
Handover Request Acknowledge transfers that contain invalid GTP Tunnel parameters
(IPv4/IPv6 flags both zero). Previously, these invalid states propagated to PFCP
rule creation, causing an assertion failure inside
ogs_pfcp_ip_to_outer_header_creation() and terminating SMF.

This patch adds defensive checks across NGAP handling paths and rejects
such requests early via SM-Context Update Error (HTTP 400), ensuring that
SMF continues normal operation for other UEs.

Key changes:
 - Validate remote_dl_ip before processing
 - Reject when IPv4/IPv6 flags are both zero
 - Preserve session state by skipping invalid modifications

Prevents DoS-style SMF crash while maintaining 3GPP-compliant behavior.

Issues: #4193
2025-12-05 21:43:04 +09:00
Sukchan Lee
3ada1123d6 SMF/MME: Add bitrate upper-bound validation for S1AP/NGAP to prevent crash
Introduce protocol-specific bitrate ceiling values per 3GPP standards:
  - OGS_MAX_BITRATE_S1AP (TS 36.413 9.2.1.19)
  - OGS_MAX_BITRATE_NGAP (TS 38.414 9.3.1.4)

Replace legacy MAX_BIT_RATE macro with explicit S1AP/NGAP limits and
apply clamping for out-of-range or zero GBR/MBR/MFBR values.

Add validation and assertions across AMF/SMF/MME QoS encoding paths:
  - Prevent invalid bitrate values from reaching NGAP/S1AP builders
  - Ensure safe fallback boundary rather than passing malformed values
  - Add sanity checks before ASN.1 encoding

Fixes crash triggered during PDU Session Modification where extreme QoS
parameters caused ASN.1 encoding failure and NULL N2SM buffer assertion
(leading to process abort).

Issues: #4184
2025-12-05 21:25:28 +09:00
Sukchan Lee
773117aa54 pfcp: Validate zero-length and invalid F-TEID to prevent SGWU crash
When CreatePDR/PDI contains an F-TEID IE with length 0, SGWU aborted due to
assertion `pdr->f_teid.ipv4 || pdr->f_teid.ipv6` in ogs_pfcp_handle_create_pdr().
This allowed a malformed PFCP Session Establishment Request to remotely crash SGWU.

This patch adds validation for:
- Zero-length F-TEID IE (return INVALID_LENGTH)
- F-TEID without IPv4/IPv6 flag (return INVALID_F_TEID_ALLOCATION_OPTION)

Instead of asserting and aborting, SGWU now rejects the request gracefully by
returning an appropriate Cause/Offending IE.

Issues: #4182
2025-12-05 18:50:14 +09:00
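An added illustration (not Open5GS code) of the validation this commit describes for the PFCP F-TEID IE: length and flag checks return a cause and an offending IE type instead of asserting. The function and struct names are hypothetical; the cause values and IE type follow 3GPP TS 29.244, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PFCP Cause values and F-TEID IE type as defined in 3GPP TS 29.244. */
enum {
    CAUSE_REQUEST_ACCEPTED = 1,
    CAUSE_INVALID_LENGTH = 68,
    CAUSE_INVALID_F_TEID_ALLOCATION_OPTION = 71
};
#define IE_TYPE_F_TEID 21

/* Flag bits in the first octet of the F-TEID IE. */
#define F_TEID_V4   0x01
#define F_TEID_V6   0x02
#define F_TEID_CH   0x04   /* UP function chooses the TEID/address */
#define F_TEID_CHID 0x08   /* Choose ID octet present (only with CH) */

/* Hypothetical decoded form; not the Open5GS structure. */
typedef struct {
    uint8_t  flags;
    uint32_t teid;
    uint8_t  ipv4[4];
    uint8_t  ipv6[16];
    uint8_t  choose_id;
} f_teid_t;

/*
 * Decode an F-TEID IE value. Returns a PFCP cause; on rejection
 * *offending_ie is set so the response can carry an Offending IE.
 * Nothing here aborts: every malformed input maps to a cause.
 */
int f_teid_parse(const uint8_t *data, size_t len,
                 f_teid_t *out, uint16_t *offending_ie)
{
    size_t need = 1, off = 1;

    memset(out, 0, sizeof(*out));
    *offending_ie = 0;

    /* Zero-length IE: reject before touching data[0]. */
    if (data == NULL || len == 0) goto bad_length;

    out->flags = data[0];

    /* Neither address family flagged: no usable tunnel endpoint. */
    if (!(out->flags & (F_TEID_V4 | F_TEID_V6))) {
        *offending_ie = IE_TYPE_F_TEID;
        return CAUSE_INVALID_F_TEID_ALLOCATION_OPTION;
    }

    /* Work out how many octets the flags promise, then compare. */
    if (out->flags & F_TEID_CH) {
        if (out->flags & F_TEID_CHID) need += 1;
    } else {
        need += 4;                              /* TEID */
        if (out->flags & F_TEID_V4) need += 4;
        if (out->flags & F_TEID_V6) need += 16;
    }
    if (len < need) goto bad_length;

    if (out->flags & F_TEID_CH) {
        /* With CH set, TEID and addresses are absent by definition. */
        if (out->flags & F_TEID_CHID) out->choose_id = data[off];
        return CAUSE_REQUEST_ACCEPTED;
    }

    out->teid = ((uint32_t)data[1] << 24) | ((uint32_t)data[2] << 16) |
                ((uint32_t)data[3] << 8)  |  (uint32_t)data[4];
    off = 5;
    if (out->flags & F_TEID_V4) { memcpy(out->ipv4, data + off, 4); off += 4; }
    if (out->flags & F_TEID_V6) { memcpy(out->ipv6, data + off, 16); }
    return CAUSE_REQUEST_ACCEPTED;

bad_length:
    *offending_ie = IE_TYPE_F_TEID;
    return CAUSE_INVALID_LENGTH;
}

int main(void)
{
    /* Constructed samples: V4 flag, TEID 11426, 192.168.168.7; and no flags. */
    const uint8_t ok[] = { 0x01, 0x00, 0x00, 0x2c, 0xa2, 192, 168, 168, 7 };
    const uint8_t noaf[] = { 0x00, 0x00, 0x00, 0x00, 0x01 };
    f_teid_t ft; uint16_t ie;

    printf("valid    -> cause %d\n", f_teid_parse(ok, sizeof ok, &ft, &ie));
    printf("no flags -> cause %d\n", f_teid_parse(noaf, sizeof noaf, &ft, &ie));
    printf("empty    -> cause %d\n", f_teid_parse(ok, 0, &ft, &ie));
    return 0;
}
```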
Sukchan Lee
442369dcd9 pfcp: Prevent DoS by removing assert-based QER/FAR/URR/PDR allocation failures
This patch replaces fatal ogs_assert() calls in PFCP object allocation
(ogs_pfcp_{pdr,far,urr,qer}_find_or_add) with graceful error handling.
Previously, exceeding per-session resource limits (e.g., QER pool overflow
triggered via CreatePDR referencing undeclared QER-ID) would cause a process
abort in open5gs-upfd, leading to a remote denial-of-service condition.

The handler now returns PFCP Cause=NO_RESOURCES_AVAILABLE and properly
rejects malformed or resource-exhausting PFCP Session Establishment requests,
allowing the UPF to continue running without terminating all existing sessions.

Fixes: DoS vulnerability triggered by excessive implicit QER allocation.

Issues: #4181
2025-12-05 16:35:13 +09:00
Sukchan Lee
b72d834998 upf: Fix remote DoS in IPv6 jumbo handling by replacing assert with safe error handling
Replace `ogs_assert(nxt == 0)` with validation and graceful error return
when parsing IPv6 jumbo payload where plen=0 but NextHeader is non-zero.
This prevents open5gs-upfd from aborting when receiving a single malformed
GTP-U IPv6 packet crafted to trigger assertion failure, resulting in a
remote DoS condition.

Malformed packets are now safely dropped and logged instead of terminating
the UPF process.

Issues: #4180
2025-12-05 15:58:19 +09:00
Sukchan Lee
93a9fd98a8 UPF: Reject CreatePDR without FAR-ID to prevent crash in fast path
According to TS 29.244, FAR-ID is a mandatory IE in CreatePDR. However,
Open5GS previously accepted a Session Establishment Request containing a
CreatePDR without FAR-ID. When subsequent GTP-U packets matched the PDR,
the user-plane fast path dereferenced a NULL FAR pointer and aborted,
leading to a UPF crash (DoS).

This patch adds mandatory IE validation for FAR-ID in
ogs_pfcp_handle_create_pdr(), returning PFCP cause
MANDATORY_IE_MISSING when FAR-ID is absent.

As a result, malformed CreatePDR is rejected at PFCP control plane
instead of causing fatal assertion in the data path.

Fixes crash in `_gtpv1_u_recv_cb()` and improves robustness.

Issues: #4179
2025-12-05 09:39:08 +09:00
Sukchan Lee
1abe8c31fc UPF: Validate URR-ID range to prevent PFCP crash
When receiving a PFCP Session Establishment Request containing a CreateURR
with an out-of-range URR-ID (e.g. 65535), UPF attempted to index
sess->urr_acc[] without bounds checking, leading to an assertion failure
and process abort.

This patch validates URR-ID before use and rejects the message gracefully
with an error cause if the value exceeds OGS_MAX_NUM_OF_URR. A clearer
log message is also added to indicate the valid range.

Fixes: assertion failure in upf_sess_urr_acc_timers_setup()

Issues: #4169
2025-12-04 21:19:14 +09:00
Sukchan Lee
40e494ec30 MME/S6a: Always set Initial-Attach-Indicator flag in ULR
According to 3GPP TS 29.272 (5.2.1.1.2), when an Update Location Request
is sent due to an initial attach, the MME shall set the
"Initial-Attach-Indicator" flag in the ULR-Flags IE. This ensures that
the HSS updates the MME identity and prevents ULA rejection with
UNKNOWN_SERVING_NODE when UE moves between MMEs or when GUTI mismatch
occurs.

Commercial MME/HSS implementations (e.g., Cisco StarOS) also set the
Initial-Attach-Indicator flag by default to handle UEs that do not reset
their GUTI when changing networks.

This patch hardcodes the Initial-Attach-Indicator bit for all ULR
messages to align with expected practical behavior and resolve attach
failures caused by HSS identity mismatch.

Issues: #4165
2025-12-04 17:02:42 +09:00
Sukchan Lee
255a341fc3 Follow-up on #4191 2025-12-04 16:23:04 +09:00
LSKhappychild
b0e22d2850 AMF: Skip GMM reject for Deregistration Request to avoid SBI timeout crash
Signed-off-by: LSKhappychild <lskook47@gmail.com>
2025-12-03 21:43:14 +09:00
Sukchan Lee
9b5d77fa2c Follow-up on #4186 2025-12-03 21:33:46 +09:00
José Manuel
66f7b466c4
[AMF] API to add or remove PLMNs Dynamically (#4186)
* AMF dynamic PLMNs via APIREST

* add new feature now we can register ues when plmn is deleted

* add documentation for using the AMF-OAM API

* update tutorial 08

* fix memory not freed

fix memory not freed

fix memory not freed

* improve releases ues of plmn
2025-12-03 21:32:59 +09:00
Sukchan Lee
54dda04121 [HSS] Fix stack buffer over-read when logging AK in Cx-MAR handler
The AK buffer is allocated with OGS_AK_LEN, but it was logged using
OGS_KEY_LEN, causing a stack buffer over-read under Address Sanitizer.
This change corrects the log length to OGS_AK_LEN.

Fixes the ASAN error reported during `volte cx-test`.

Issues: #4177
2025-11-30 22:15:46 +09:00
Sukchan Lee
39618c7a67 docs: Update expired OBS signing key URL in quickstart guide
The previous key downloaded from `download.opensuse.org` was expired
(EXPKEYSIG FE7F42F276CEE0E6), causing `apt update` to fail when following
the Debian quickstart instructions.

This patch replaces the deprecated key URLs with valid signing key
download locations from build.opensuse.org and obs.osmocom.org.

Issues: #4175
2025-11-30 22:06:04 +09:00
Sukchan Lee
c1a803516a diameter: Prevent crash on malformed CER by removing fatal assert
A malformed CER containing duplicate Auth-Application-Id AVPs caused
freeDiameter to trigger FD_LOG_FATAL within parserules_check_one_rule(),
reaching an unimplemented branch and calling abort(), which terminated
Open5GS daemons (HSS/MME/PCRF/AAA) using the freeDiameter stack.

To avoid crashing on invalid Diameter messages, remove the call to
ogs_assert_if_reached() inside FD_LOG_FATAL logging path. This allows
Open5GS to gracefully reject malformed messages instead of aborting.

Issues: #4155
2025-11-30 15:36:33 +09:00
Sukchan Lee
924cf71c9d pfcp: Fix crash on malformed Dropped-DL-Traffic-Threshold IE
UPF could crash when handling PFCP Session Establishment/Update
containing a CreateURR with a malformed Dropped-DL-Traffic-Threshold IE.
Added length validation for Dropped-DL-Traffic-Threshold and
Volume Measurement IEs to prevent buffer misuse and return an
appropriate PFCP cause and offending IE value.

Also removed assertion in IE parsing functions and replaced it with
error logging and validation checks.

Issues: #4154, #4152
2025-11-28 10:01:55 +09:00
hug0lin
bdd9aa9246 Fixed bug in /ue-info dumper -wrong encoding sd snssai 2025-11-28 06:23:37 +09:00
Sukchan Lee
8860717b85 UPF: Fix crash on CH F-TEID address family mismatch for selected DNN
When PFCP Session Establishment/Modification includes CreatePDR with F-TEID
(CH=1) whose address family flags (IPv4/IPv6) do not match the UPF's GTP-U
resource configuration for the target DNN (Network Instance), UPF asserted
and crashed in ogs_pfcp_object_teid_hash_set(). This occurred because the
existing logic assumed a matching address family and enforced it via
assert().

This patch replaces the assertions with proper validation and returns an
appropriate PFCP cause (REQUEST_REJECTED) when the address family does not
match, or if local F-TEID generation fails. This prevents UPF from crashing
and allows the SMF to receive a graceful failure response.

Changes:
- ogs_pfcp_object_teid_hash_set() now returns PFCP Cause instead of void
- Validate IPv4/IPv6 compatibility for DNN resource and local GTP-U address
- Replace assert() usage with runtime error handling and logging
- Integrate cause checking in SGWU/UPF N4 handlers for both Session
  Establishment and Modification
- Avoids crash and reports REQUEST_REJECTED when mismatch occurs

Tested scenario:
- UPF with IPv4-only DNN resource receiving CH F-TEID with IPv6-only flags
  (or vice versa) no longer causes crash.

Issues: #4315
2025-11-27 17:15:29 +09:00
Sukchan Lee
964b5f0e73 amf: Preserve RAN-UE association across asynchronous SBI responses
This patch introduces assoc_id[] to ogs_sbi_xact_t and stores a snapshot
of the RAN-UE ID (AMF_ASSOC_RAN_UE_ID) when the AMF sends SBI requests
to SMF/PCF. Since the RAN-NG context may change (e.g., during NG
Context release or RRC re-establishment) before the asynchronous SBI
response arrives, relying on sess->ran_ue_id can lead to incorrect
context resolution. The transaction-level snapshot ensures that AMF
uses the correct RAN-UE when handling SBI responses.

Key changes:
- Added assoc_id[] array to ogs_sbi_xact_t.
- Stored RAN-UE snapshot for SBI Client operations.
- Updated AMF handlers (amf-sm, nsmf-handler, nnssf-handler,
  nnrf-handler, sbi-path) to use xact->assoc_id[] instead of
  sess->ran_ue_id for SBI Client responses.
- Updated NAMF handlers to continue using sess->ran_ue_id since they
  operate in SBI Server mode and have no transaction snapshot.
- Refactored function signatures to pass amf_ue and ran_ue explicitly.
- Added detailed comments to sess->ran_ue_id explaining the distinction
  between SBI Client and SBI Server behavior.
- Updated test cases and added the new issues4174 test.

This resolves the race where RAN-UE context changes between SBI request
and response, ensuring correct session processing and eliminating
RAN-UE lookup failures during asynchronous callbacks.

Issues #4174
2025-11-26 17:17:16 +09:00
Sukchan Lee
7d07dfe274 mme: Follow-up on #4168 2025-11-26 17:06:00 +09:00
Bostjan Meglic
9f9abe4e56 [AMF] fix checking for correct serving TAI
In case a gNB sends an NGSetupRequest with a TAI that the AMF does not serve,
the AMF would in some cases respond with an NGSetupSuccess instead of
an NGSetupFailure.
This is because of a missing check for the correct PLMN.

For example, AMF was configured with the following:
PLMN 001-01:
    tac: [1000-1100]
PLMN 999-93:
    tac: [2000-2200]

gNB sent NGSetupRequest for PLMN 999-93 and with TAC 1050. AMF would
only check the TAC, instead of also PLMN.
2025-11-26 17:06:20 +09:00
Sukchan Lee
15b12d756d mme: Fix crash caused by inconsistent ESM/EMM session state during TAU + Attach
When a UE performs TAU followed by a new Attach Request after a failed
Security Mode Command, the MME may crash while handling the subsequent
ESM Information Response. This occurs when multiple ESM sessions already
exist (e.g., default EPS session + PDN connectivity session), and the
internal session state is not properly reset.

In this scenario, the ESM handler incorrectly assumes that only one
session should exist and triggers the assertion:

    "There should only be one SESSION"

This patch adds additional protection during the EMM authentication and
security_mode states by:

  * Deleting all existing GTP sessions before triggering a new AIR
  * Recording the GTP transaction count and validating that no new
    transactions were created during cleanup
  * Sending AIR only when session release is not pending and the
    transaction count remains unchanged

These checks prevent ESM/EMM state inconsistencies and avoid the crash
in esm_handle_information_response().

Fixes: crash in TAU + Security failure + Attach sequence

Issues: #4172
2025-11-21 22:27:57 +09:00
Sukchan Lee
afe613a9c5 pfcp: Validate bitrate IE length and return proper cause value
Add explicit length checks for Maximum Bitrate and Guaranteed Bitrate
IEs in Create/Update QER handlers. When the IE length does not match
OGS_PFCP_BITRATE_LEN, return INVALID_LENGTH with the corresponding
offending IE type.

Also update ogs_pfcp_parse_bitrate() to log a detailed error message
and return 0 when the encoded IE length is invalid, instead of asserting.

This prevents crashes caused by malformed PFCP messages and ensures
correct cause/offending IE reporting to the peer.

Issues: #4152
2025-11-20 17:21:00 +09:00
Sukchan Lee
1c32777659 pfcp/ipfw: Improve error handling in PDR creation/update and ipfw rule parsing
- Added null-check for flow description direction token in ogs_ipfw_compile_rule()
  to prevent dereferencing a NULL pointer.
- Replaced assertions with graceful error handling in Create/Update PDR handlers:
  * Log failure when ogs_ipfw_compile_rule() returns error.
  * Free allocated flow_description and remove the faulty PDR rule, then continue.
- Improved logging for invalid pdi.network_instance:
  * Print length and include a hexdump of the invalid field.

Issues: #4151
2025-11-20 16:39:17 +09:00
Álvaro Vázquez
d342458d95 adds open5gs operator to docs 2025-11-19 18:40:44 +09:00
Sukchan Lee
1c1d9e17a4 SMF: Fix crash when handling Create Bearer Response without a valid session
If a GTPv2-C Create Bearer Response is received with TEID present but the
corresponding SMF session is missing, the SMF could dereference a NULL
session pointer and crash.

This patch adds a guard check for `sess == NULL` before calling
smf_s5c_handle_create_bearer_response(). In such cases, the transaction is
committed and processing stops safely.

This prevents SMF crashes caused by out-of-sync or unexpected S5-C messages.
2025-11-16 20:23:22 +09:00
Sukchan Lee
e8c8d0735b Follow-up on #4158 2025-11-15 10:44:50 +09:00
jmasterfunk84
a909719ed1 Repeated SUCI Fix 2025-11-15 10:41:29 +09:00
jmasterfunk84
92a1a2c60d Remove Duplicated Code 2025-11-15 10:39:24 +09:00
Sukchan Lee
fd08ce329f sgwu: Prevent crash when SGWU session pool is exhausted
When a large number of UEs repeatedly attach/detach, the SGWU session
counter may grow unexpectedly and eventually exhaust the sgwu_sess_pool.
Previously, sgwu_sess_add() asserted on a NULL session pointer, causing
a fatal crash.

This patch replaces the assertion with a proper NULL check. If
ogs_pool_id_calloc() fails, an error is logged and sgwu_sess_add()
returns NULL, allowing the caller to handle the failure gracefully.

This prevents SGWU daemon crashes when the session pool is depleted.

Fixes #4149
2025-11-13 22:06:07 +09:00
Bostjan Meglic
22ba9685ee [metrics] fix memory leak
Each time the Prometheus scraper queried the metrics, there was a memory
leak. Depending on the amount of metrics, this could amount to some
5MB/h of memory leakage (in case of a scrape every 10 seconds).
2025-11-13 20:02:25 +09:00
Bostjan Meglic
84ffa55039 [SBI] remove unused per-NF info pool 2025-11-13 06:41:17 +09:00
Bostjan Meglic
a9a16ae982 [tests] fix compiler warnings when used with latest GCC
Compiled with GCC version 15.2.0 found in Ubuntu 25.10.

warning: initializer-string for array of 'unsigned char' truncates NUL
terminator but destination lacks 'nonstring' attribute (17 chars into 16
available) [-Wunterminated-string-initialization]
2025-11-13 06:40:18 +09:00
Bostjan Meglic
0f1cb83373 [SBI] fix compiler errors when using latest libcurl
Compiler outputs an error when compiling against libcurl 8.14.1-2ubuntu1
found in Ubuntu 25.10.

error: call to '_curl_easy_setopt_err_long' declared with attribute
warning: curl_easy_setopt expects a long argument [-Werror=attribute-warning]
2025-11-13 06:40:18 +09:00
Juraj Elias
7b1f9fcaeb
PR to add TEID and IPs of endpoints into /pdu-info session dumper (#4143)
* ```json
curl -s "http://127.0.0.4:9090/pdu-info" |jq .
{
  "items": [
    {
      "supi": "imsi-999700000083810",
      "pdu": [
        {
          "psi": 1,
          "dnn": "internet",
          "ipv4": "10.45.0.10",
          "snssai": {
            "sst": 1,
            "sd": "ffffff"
          },
          "qos_flows": [
            {
              "qfi": 1,
              "5qi": 9
            }
          ],
          "n3": {
            "gnb": {
              "teid": 76,
              "addr": "[192.168.168.100]:2152"
            },
            "upf": {
              "teid": 11426,
              "addr": "[192.168.168.7]:2152",
              "pdr_id": 2
            }
          },
          "pdu_state": "inactive"
        }
      ],
      "ue_activity": "idle"
    }
  ],
  "pager": {
    "page": 0,
    "page_size": 100,
    "count": 5
  }
}
```

* Sorry for wasting your time, modified and tested on both IPv4 and IPv6. While testing IPv6 endpoints (UERANSIM as gnb/ue), I found some unresolved issues in lib/pcfp/context.c and src/smf/n4-handler.c ending with daemon crash, I will open a separate PR for that.
I left the handover commented out, testing is more demanding (PacketRusher), I'll see if I can even capture a situation where it makes sense to print it out.
Below is a snapshot from IPv6 testing.

```json
curl -s "http://127.0.0.4:9090/pdu-info" |jq .
{
  "items": [
    {
      "supi": "imsi-999700000000001",
      "pdu": [
        {
          "psi": 1,
          "dnn": "internet",
          "ipv4": "10.45.0.3",
          "snssai": {
            "sst": 1,
            "sd": "ffffff"
          },
          "qos_flows": [
            {
              "qfi": 1,
              "5qi": 9
            }
          ],
          "n3": {
            "gnb": {
              "teid": 1,
              "addr": "[fd00:cafe::99]:2152"
            },
            "upf": {
              "teid": 26483,
              "addr": "[fd00:cafe::7]:2152",
              "pdr_id": 2
            }
          },
          "pdu_state": "active"
        }
      ],
      "ue_activity": "active"
    }
  ],
```
2025-11-11 11:21:33 +09:00
Sukchan Lee
4642ef5a18 mme: Delete session when default E-RAB setup fails
When the MME receives an E-RAB Setup Response with failure for the
default bearer, the PDN session remains in MME/SGWC context even
though it was never activated. As a result, when the UE retries
PDN Connectivity Request for the same APN, the MME prints
"APN duplicated [ims]" and rejects the request.

This patch fixes the issue by sending a Delete Session Request
toward SGWC when the default E-RAB setup fails. The failed PDN
session is then removed, allowing the UE to reattempt PDN
connectivity for the same APN.

Added a new regression test (test_issues4141_func) that reproduces
the scenario:
 - First PDN Connectivity Request for IMS fails (E-RAB setup failure)
 - MME sends Delete Session Request
 - Second PDN Connectivity Request for IMS succeeds normally

Issue: #4141
2025-11-06 21:36:56 +09:00
Sukchan Lee
348d48fd7d Follow-up on #3907 2025-11-04 21:41:06 +09:00
Marcel Aust
378418d584 fix: crash if no associated sgwu in sgwc 2025-11-04 21:38:51 +09:00
Sukchan Lee
6a1d2bc5a9 mme: refactor TAU Accept handling and post-check into a common helper
This patch consolidates all TAU Accept and P-TMSI post-check logic into
a new helper function mme_send_tau_accept_and_check_release().

Key updates:
- Added mme_send_tau_accept_and_check_release(enb_ue, mme_ue) in mme-path.c
  to send TAU ACCEPT and check P-TMSI update conditionally.
- Moved duplicated post-TAU logic (active_flag==0, P-TMSI unavailable)
  from emm-sm.c, sgsap-handler.c, and mme-s11-handler.c into the helper.
- Added fallback handling when tracking_area_update_accept_proc is not set;
  defaults to S1AP_ProcedureCode_id_downlinkNASTransport.
- Cleared mme_ue->tracking_area_update_accept_proc after TAU transmission
  to prevent reuse in later procedures.
- Unified logging and behavior between NAS, SGS, and S11 paths.
- Updated mme-path.h with new prototype declaration.

This refactor improves consistency across TAU procedures, eliminates
code duplication, and ensures correct post-accept bearer release when
active_flag==0 and P-TMSI has not been updated.

Fixes: #4112, #4113, #4117
2025-11-02 21:01:30 +09:00
Sukchan Lee
2d61aaf671 mme: Prevent crash when inactive bearer exists during handover
Inactive or PDN-disconnecting EPS bearers do not have valid SGW S1U
tunnel information. When s1ap_build_handover_request() attempted to
encode those bearers, ogs_asn_ip_to_BIT_STRING() failed, resulting in
a fatal assertion and MME crash.

This patch skips all non-active EPS bearers (esm_state_inactive or
esm_state_pdn_will_disconnect) when building the E-RAB list for
Handover Request. Active bearers are guaranteed to have valid
SGW S1U TEID/IP, ensuring safe encoding.

- Skip non-active bearers before E-RAB item construction
- Add state logging for debugging and verification
- Prevent "No IPv4 or IPv6" fatal error triggered by invalid TEID/IP

Fixes: #4131
2025-11-02 18:31:43 +09:00