In amf_context_parse_config(), update the loop condition to ensure that
((i * 2) + 1) remains below
(OGS_NAS_MAX_NETWORK_NAME_LEN - 1) before performing any writes.
This change prevents potential out-of-bounds memory writes during
the conversion of an ASCII string to USC-2, thereby fixing a buffer
overflow issue.
This issue was observed on Ubuntu 25.04 and reported in the osmocom
nightly package.
This commit adds support for two Supported-Features AVPs in the
UpdateLocationAnswer (ULA) to enable 5G-NSA roaming. The first AVP
includes subscriber restrictions, while the second AVP signals that NR
as Secondary RAT is supported. Updates include modifications to
lib/diameter/s6a/message.c, lib/diameter/s6a/message.h, and
src/hss/hss-s6a-path.c.
This commit enhances the SM Policy request sent to the PCF
by incorporating user location information and time zone data.
The SMF now builds a userLocationInfo structure using the session's NR TAI
and NR CGI details, along with a timestamp generated from the current GMT time.
Additionally, the UE's time zone is included in the request context,
and the ratType is explicitly set to NR.
In Open5GS 2.7.x, when using curl 8.x with external epoll, an issue occurred
where the peer connection was closed, triggering EPOLLERR. At this point,
POLL_OUT should have been set to trigger the write event handler, invoking
`event_cb()` and calling `curl_multi_socket_action`. This would allow
`curl_multi_info_read` to execute without blocking.
However, when `event_cb()` wasn't invoked, `curl_multi_socket_action` was
not called, causing `curl_multi_info_read` to block. This resulted in a busy
loop in epoll, continuously checking for the closed peer connection.
This issue specifically affects Open5GS 2.7.x with curl 8.x, and is observed
on Ubuntu versions starting from **noble** and later. It does not occur on
Ubuntu Jammy.
The solution involves globally ignoring SIGPIPE and fixing the epoll logic
to ensure POLL_OUT is triggered when EPOLLERR occurs, allowing `curl_multi_socket_action`
to be invoked and `curl_multi_info_read` to run non-blocking. This resolves
the busy loop and connection issues caused by peer disconnects when using
curl 8.x and external epoll.
This fix improves the stability and performance of Open5GS when used with
curl 8.x and Ubuntu versions **noble** and above.
This commit fixes an issue where the callback header (3gpp-Sbi-Callback)
was incorrectly added in non-callback requests. Specifically, for registration
(PUT) and subscription requests in the AMF and SMF modules, the callback
header was included even though these are not asynchronous notifications.
Changes include:
- Removing the callback header assignment in src/amf/nudm-build.c and
src/smf/nudm-build.c for registration and subscription requests.
- Removing the callback header in NRF subscription-related builds in
lib/sbi/nnrf-build.c where it was not required.
- Adding the callback header only for actual notification or callback
operations (e.g. in src/amf/nsmf-build.c for N1/N2 transfer failure and
in src/nrf/nnrf-build.c for NF status notifications).
- Introducing a new callback macro in lib/sbi/message.h for
Namf_Communication_onN1N2TransferFailure.
This aligns the implementation with the standard, ensuring that callback
headers are only included in genuine callback/notification messages.
When UPF/SGW-U is restarted, missing f_teid_len validation causes an error.
This patch adds checks for f_teid_len > 0 in ogs_pfcp_pdr_swap_teid and
in the SGW-U and N4 handler functions.
When a UE handover occurs, the target UE may already be removed. This
patch adds a NULL pointer check and logs an error instead of causing a
segmentation fault in both enb and sgw deassociation functions.
Renamed backup/restore security context functions to save/restore
memento and updated flag to "can_restore_context". Updated AMF and MME
state machines to restore context on failure, preventing malicious
deletion triggered by spoofed NAS messages.
- Changed amf_region_id type from uint16_t to uint8_t in context.h.
- Updated context.c to use ogs_amf_region_id() for extracting and comparing
the region ID.
- Backup sensitive security context fields (e.g. xres, kasme, rand, autn,
keys, counters) when transitioning from REGISTERED state.
- Set the can_restore_security_context flag in common_register_state()
based on whether the transition originates from a REGISTERED or
de-registered state.
- In emm_state_authentication(), restore the security context and revert
to the REGISTERED state on authentication failure only if restoration
is allowed; otherwise, transition to an exception state.
- Remove the redundant unconditional state transition in the cleanup block
to prevent overriding a valid restoration.
Replace unsafe strcpy calls with ogs_cpystrn in both ogs_pfcp_dev_add()
and ogs_pfcp_subnet_add() to ensure proper length checking.
This change prevents potential buffer overflows when handling ifname
and dnn fields, which could otherwise lead to unintended overwrites
(e.g., fd and num_of_range).
Previously, the EPC used the UE-provided KSI directly in the Authentication
Request (except for the special case where the UE sent
OGS_NAS_KSI_NO_KEY_IS_AVAILABLE, which was reset to 0).
This commit changes the EPC to follow the 5G Core approach
for issuing KSI in Attach-Request.
Now, when a Attach Request is received and a new Authentication Vector is
generated, the EPC performs the following steps:
- Extract the KSI value from the UE's request.
- Increment the extracted KSI by 1.
- Use the incremented KSI in the Authentication Request sent to the UE.
This detailed process ensures that the EPC issues the KSI consistently
with 5G Core standards, improving key management and interoperability.
Previously, sample.yaml was used for both 5GC and EPC attach tests.
Because SMF had SBI configured, it sent a register PUT to NRF even in
EPC-only tests (where nrf/scp was not run), leading to a missing HTTP
response and connection timer expiry.
Now, attach.yaml is used for EPC, preventing the unwanted NRF registration.
This commit introduces robust validation for the F-TEID information element
in the PFCP message handling. Previously, malformed F-TEID values (such as
a zero length, zero TEID, or a TEID exceeding the pool size) could lead
to an assertion failure and crash the UPF.
The changes ensure that:
- The F-TEID length is greater than zero, confirming the IE is present.
- The TEID is a non-zero value, as a valid TEID must be positive.
- The TEID does not exceed the allowed pool size (max_ue * 4 * 16).
If any of these conditions are not met, an error is logged with the F-TEID
length and TEID value, and the function returns an error code
(OGS_PFCP_CAUSE_MANDATORY_IE_INCORRECT), preventing further processing
of the malformed message.
When another NF restarts, curl reuses the existing connection, which in
curl 8.9.1 causes the nghttp2 server to send an RST. This commit sends a
GOAWAY frame to every active session on shutdown, ensuring a graceful
termination and avoiding RST errors.
Previous versions such as curl 7.81.0 did not exhibit this behavior.
Previously, nf_instance pointers were stored in nf_type_array and
service_type_array. This led to dangling pointers when an NF instance
was removed via ogs_sbi_nf_instance_remove(), causing incomplete cleanup
and improper recovery on UDR or other NF restarts. The issue resulted in
the system falling back to nf_instance->client with the default port 80,
leading to connection failures.
To resolve the problem, nf_instance_id is now stored instead of the
pointer. The validity of an NF instance is verified using
ogs_sbi_nf_instance_find(nf_instance_id), which ensures proper cleanup
and correct recovery.
In case that NF do not send ProblemDetails in the response.
Do not assume that ProblemDetails is always present, to prevent null
pointer dereferencing.
When receiving a PFCP Session Establishment Request with an invalid PDN type(0),
the UPF would crash due to a failed assertion.
This commit improves error handling by:
- Removing the session_type assertion check that caused the crash
- Changing warning log to error log for better visibility
- Returning CAUSE_SERVICE_NOT_SUPPORTED instead of proceeding
with invalid type
This prevents potential DoS attacks through malformed PFCP messages.
Before this, there were 2 different ways to search for neighbouring
NF's:
a) in the case AMF was started _before_ UDM, AMF would create
subscription to NRF to notify it when a UDM would (un)register. In this
case, NF instance would remain in AMF's context indefinitely.
b) in the case AMF was started _after_ UDM, AMF would have to use NF
discovery mechanism to search for NF's. In this case, NF instance would
remain in AMF's context for the duration of Search's validity (defaults
to 30 seconds). After validity expires, NF would expire. This means that
for heavy traffic situations, AMF would constantly issue discovery
requests.
[SBI] save only wanted NF instances on NF List Retrieval
When retrieving a list of NF Instances from NRF, save only the NF's that
we want. Check the NF instance against our subscription list for either
the NF type or NF Service.
This can still cause a DoS on NRF when NF starts in case there are 100's
of NF's in the network, but prevents using too much memory on NF.
* [UDM][UDR] Add support for nssai resource in nudm-sdm
* Resolve Memory Issue
* Protect from multiple field entries, remove macros
* remove request_from_server, make use of xact state
* typo....
* definition cleanup
When a duplicate PDU session establishment is received, the AMF logs a
warning and proceeds to update the SM context via the SBI interface. This
process eventually calls amf_nsmf_pdusession_build_create_sm_context(), which
uses the SUPI to build the SBI URI header. If the SUPI is NULL, then the header's
resource component becomes NULL. This leads to a call to ogs_uridup() that
asserts on the NULL value, causing a crash.
This commit adds a check before invoking the SBI update. If the SUPI is NULL,
the update is skipped and a warning is logged. This prevents the invalid URI
build process and avoids the subsequent crash in ogs_uridup().
During handover between two gNBs, the AMF enters an invalid state when it
receives an unexpected SBI response from the UDM in the process of sending
a smf-select-data request. This bug could lead to an AMF crash as the state
machine in gmm_state_registration encountered an unknown state.
The fix adds explicit handling for SBI messages with resource names such as
AM_DATA, SMF_SELECT_DATA, UE_CONTEXT_IN_SMF_DATA, and SDM_SUBSCRIPTIONS.
If the HTTP response status is not OK, CREATED, or NO_CONTENT, a warning
is logged and the message is ignored. This prevents the AMF from transitioning
into an abnormal state and improves overall stability during frequent handovers.
Previously, policies were configured via YAML files without MongoDB.
This update enhances the YAML approach by adding the 'supi_range' key to
filter policies based on UE SUPI ranges. When both 'supi_range' and
'plmn_id' are provided, both conditions must be met.
Note that PLMN-ID filtering will be deprecated in a future release.
