Avoid aborting on malformed or oversized GTP messages that exhaust the
internal TLV pool.
- Replace ogs_assert() in ogs_tlv_get() with error handling and NULL return
- Detect TLV allocation and parsing failures in ogs_tlv_parse_block()
- Clean up partially parsed TLVs and return failure instead of aborting
- Limit hexdump size to prevent log flooding on malformed input
This prevents a single malformed message from crashing SGW-C/PGW-C/MME
and ensures graceful failure when TLV allocation or parsing fails.
Issues: #4234
Replace ogs_assert() and ogs_fatal() with runtime checks when allocating
UE contexts, transactions, and timers.
Handle pool and timer exhaustion gracefully by logging errors, cleaning
up partially created objects, and returning NULL instead of aborting
the process, improving control-plane robustness under high load or
resource limits.
Issues: #4220, #4221
Remove hard assertions in GTPv2 Bearer QoS and Flow QoS parsers and
replace them with defensive length validation. Invalid IEs are now
gracefully rejected by the caller instead of aborting the process.
Update SGW-C and SMF handlers to validate parser results and return
appropriate GTP-C error causes, preventing daemon crashes on malformed
GTPv2 messages.
Issues: #4217
Align full-DNN construction with 3GPP TS 23.003 §9.1.2 by switching the
Operator Identifier format from "5gc.mncXXX.mccYYY.3gppnetwork.org" to
"mncXXX.mccYYY.gprs". Introduce new helper utilities to extract and build
OI (Operator Identifier) from both PLMN-ID and FQDN, and replace the
legacy `ogs_home_network_domain_from_fqdn()` usage in AMF/SMF/PCF paths.
This resolves DNN misalignment in vSMF–hSMF PDU Session Create that
caused interop issues with external 5G core vendors during HR roaming.
Includes updates across AMF/SMF/PCF, unit tests, and supporting helpers.
Issues: #4096
When CreatePDR/PDI contains an F-TEID IE with length 0, SGWU aborted due to
assertion `pdr->f_teid.ipv4 || pdr->f_teid.ipv6` in ogs_pfcp_handle_create_pdr().
This allowed a malformed PFCP Session Establishment Request to remotely crash SGWU.
This patch adds validation for:
- Zero-length F-TEID IE (return INVALID_LENGTH)
- F-TEID without IPv4/IPv6 flag (return INVALID_F_TEID_ALLOCATION_OPTION)
Instead of asserting and aborting, SGWU now rejects the request gracefully by
returning an appropriate Cause/Offending IE.
Issues: #4182
This patch replaces fatal ogs_assert() calls in PFCP object allocation
(ogs_pfcp_{pdr,far,urr,qer}_find_or_add) with graceful error handling.
Previously, exceeding per-session resource limits (e.g., QER pool overflow
triggered via CreatePDR referencing undeclared QER-ID) would cause a process
abort in open5gs-upfd, leading to a remote denial-of-service condition.
The handler now returns PFCP Cause=NO_RESOURCES_AVAILABLE and properly
rejects malformed or resource-exhausting PFCP Session Establishment requests,
allowing the UPF to continue running without terminating all existing sessions.
Fixes: DoS vulnerability triggered by excessive implicit QER allocation.
Issues: #4181
Replace `ogs_assert(nxt == 0)` with validation and graceful error return
when parsing IPv6 jumbo payload where plen=0 but NextHeader is non-zero.
This prevents open5gs-upfd from aborting when receiving a single malformed
GTP-U IPv6 packet crafted to trigger assertion failure, resulting in a
remote DoS condition.
Malformed packets are now safely dropped and logged instead of terminating
the UPF process.
Issues: #4180
According to TS 29.244, FAR-ID is a mandatory IE in CreatePDR. However,
Open5GS previously accepted a Session Establishment Request containing a
CreatePDR without FAR-ID. When subsequent GTP-U packets matched the PDR,
the user-plane fast path dereferenced a NULL FAR pointer and aborted,
leading to a UPF crash (DoS).
This patch adds mandatory IE validation for FAR-ID in
ogs_pfcp_handle_create_pdr(), returning PFCP cause
MANDATORY_IE_MISSING when FAR-ID is absent.
As a result, malformed CreatePDR is rejected at PFCP control plane
instead of causing fatal assertion in the data path.
Fixes crash in `_gtpv1_u_recv_cb()` and improves robustness.
Issues: #4179
When receiving a PFCP Session Establishment Request containing a CreateURR
with an out-of-range URR-ID (e.g. 65535), UPF attempted to index
sess->urr_acc[] without bounds checking, leading to an assertion failure
and process abort.
This patch validates URR-ID before use and rejects the message gracefully
with an error cause if the value exceeds OGS_MAX_NUM_OF_URR. A clearer
log message is also added to indicate the valid range.
Fixes: assertion failure in upf_sess_urr_acc_timers_setup()
Issues: #4169
* AMF dynamic PLMNs via APIREST
* add new feature now we can register ues when plmn is deleted
* add documentation for use the API AMF-OAM
* update tutorial 08
* fix memory not freed
fix memory not freed
fix memory not freed
* improve releases ues of plmn
A malformed CER containing duplicate Auth-Application-Id AVPs caused
freeDiameter to trigger FD_LOG_FATAL within parserules_check_one_rule(),
reaching an unimplemented branch and calling abort(), which terminated
Open5GS daemons (HSS/MME/PCRF/AAA) using the freeDiameter stack.
To avoid crashing on invalid Diameter messages, remove the call to
ogs_assert_if_reached() inside FD_LOG_FATAL logging path. This allows
Open5GS to gracefully reject malformed messages instead of aborting.
Issues: #4155
UPF could crash when handling PFCP Session Establishment/Update
containing a CreateURR with a malformed Dropped-DL-Traffic-Threshold IE.
Added length validation for Dropped-DL-Traffic-Threshold and
Volume Measurement IEs to prevent buffer misuse and return an
appropriate PFCP cause and offending IE value.
Also removed assertion in IE parsing functions and replaced it with
error logging and validation checks.
Issues: #4154, #4152
When PFCP Session Establishment/Modification includes CreatePDR with F-TEID
(CH=1) whose address family flags (IPv4/IPv6) do not match the UPF's GTP-U
resource configuration for the target DNN (Network Instance), UPF asserted
and crashed in ogs_pfcp_object_teid_hash_set(). This occurred because the
existing logic assumed a matching address family and enforced it via
assert().
This patch replaces the assertions with proper validation and returns an
appropriate PFCP cause (REQUEST_REJECTED) when the address family does not
match, or if local F-TEID generation fails. This prevents UPF from crashing
and allows the SMF to receive a graceful failure response.
Changes:
- ogs_pfcp_object_teid_hash_set() now returns PFCP Cause instead of void
- Validate IPv4/IPv6 compatibility for DNN resource and local GTP-U address
- Replace assert() usage with runtime error handling and logging
- Integrate cause checking in SGWU/UPF N4 handlers for both Session
Establishment and Modification
- Avoids crash and reports REQUEST_REJECTED when mismatch occurs
Tested scenario:
- UPF with IPv4-only DNN resource receiving CH F-TEID with IPv6-only flags
(or vice versa) no longer causes crash.
Issues: #4315
This patch introduces assoc_id[] to ogs_sbi_xact_t and stores a snapshot
of the RAN-UE ID (AMF_ASSOC_RAN_UE_ID) when the AMF sends SBI requests
to SMF/PCF. Since the RAN-NG context may change (e.g., during NG
Context release or RRC re-establishment) before the asynchronous SBI
response arrives, relying on sess->ran_ue_id can lead to incorrect
context resolution. The transaction-level snapshot ensures that AMF
uses the correct RAN-UE when handling SBI responses.
Key changes:
- Added assoc_id[] array to ogs_sbi_xact_t.
- Stored RAN-UE snapshot for SBI Client operations.
- Updated AMF handlers (amf-sm, nsmf-handler, nnssf-handler,
nnrf-handler, sbi-path) to use xact->assoc_id[] instead of
sess->ran_ue_id for SBI Client responses.
- Updated NAMF handlers to continue using sess->ran_ue_id since they
operate in SBI Server mode and have no transaction snapshot.
- Refactored function signatures to pass amf_ue and ran_ue explicitly.
- Added detailed comments to sess->ran_ue_id explaining the distinction
between SBI Client and SBI Server behavior.
- Updated test cases and added the new issues4174 test.
This resolves the race where RAN-UE context changes between SBI request
and response, ensuring correct session processing and eliminating
RAN-UE lookup failures during asynchronous callbacks.
Issues #4174
Add explicit length checks for Maximum Bitrate and Guaranteed Bitrate
IEs in Create/Update QER handlers. When the IE length does not match
OGS_PFCP_BITRATE_LEN, return INVALID_LENGTH with the corresponding
offending IE type.
Also update ogs_pfcp_parse_bitrate() to log a detailed error message
and return 0 when the encoded IE length is invalid, instead of asserting.
This prevents crashes caused by malformed PFCP messages and ensures
correct cause/offending IE reporting to the peer.
Issues: #4152
- Added null-check for flow description direction token in ogs_ipfw_compile_rule()
to prevent dereferencing a NULL pointer.
- Replaced assertions with graceful error handling in Create/Update PDR handlers:
* Log failure when ogs_ipfw_compile_rule() returns error.
* Free allocated flow_description and remove the faulty PDR rule, then continue.
- Improved logging for invalid pdi.network_instance:
* Print length and include a hexdump of the invalid field.
Issues: #4151
Each time Prometheus scraper queried the metrics, there was a memory
leak. Depending on the amount of metrics, this could amount to some
5MB/h of memory leakage (in case of a scrape every 10 second).
Compiler outputs an error when compiling against libcurl 8.14.1-2ubuntu1
found in Ubuntu 25.10.
error: call to '_curl_easy_setopt_err_long' declared with attribute
warning: curl_easy_setopt expects a long argument [-Werror=attribute-warning]
Fix crash when discovery request specifies only DNN for SMF
The previous implementation could dereference a NULL s_nssai pointer
when handling discovery requests that contained only a DNN filter
(without any S-NSSAI). This caused an assertion failure inside
ogs_sbi_check_smf_info_slice(), which expects both arguments to be
non-null.
This patch fixes the issue by iterating over the SMF’s own slice list
and reusing each stored S-NSSAI when evaluating the DNN-only case.
The SMF instance now correctly matches any slice that provides the
requested DNN, avoiding a crash and restoring expected behavior.
The previous PR implemented the correct OR logic for multiple smfInfo
blocks but resulted in code that was harder to read. This commit rewrites
the logic in a simpler and clearer form without changing functionality.
The discovery matcher meant to accept an SMF instance when any advertised
smfInfo satisfied the requested S-NSSAI/DNN/TAI, but the previous logic
returned false as soon as one block missed the filters. That made configs
with multiple info blocks fail with “No SMF Instance”.
Track whether the request actually carries slice/TAI filters and mark the
instance as matched when at least one smfInfo passes them. Other NF types
keep their existing behaviour, while multi-block SMF configs now work as
documented.
Emergency numbers may be configured:
mme:
...
emergency:
dnn: internet.sos
number:
- digits: 110
categories: police
- digits: 112
categories: [ fire, ambulance ]
The categories are: police, ambulance, fire, marine, mountain
They are sent to the UE during attachment. Some UEs require this list
of numbers. When an emergency call is made, one of the given categories
is indicated towards the IMS in the INVITE message.
This patch consolidates the TAU handling logic for both
initialUEMessage and uplinkNASTransport cases, ensuring that the
EPS Bearer Context Status (BCS) check is always performed regardless
of active_flag or S1AP procedure type.
Key changes:
- Removed duplicated TAU handling code paths in emm-sm.c.
- Commonized KDF derivation and BCS validation under a single block.
- Introduced mme_ue->tracking_area_update_accept_proc to store
the selected S1AP procedure for TAU ACCEPT transmission.
- When e->s1ap_code == initialUEMessage and active_flag == 1,
TAU ACCEPT is sent via InitialContextSetup; otherwise via
DownlinkNASTransport.
- Applied the stored proc consistently across all handlers:
mme-path.c, mme-s11-handler.c, mme-s6a-handler.c, and sgsap-handler.c.
- Added fallback to DownlinkNASTransport if proc is not set.
- Cleared tracking_area_update_accept_proc after use to avoid reuse.
This ensures consistent TAU behavior for both initialUEMessage and
uplinkNASTransport flows, unified BCS mismatch handling
Instead of predetermined endpoints in the metrics library, each NF can
now set it's own endpoints on which it listens for requests to dump info
(UE/PDU/gNB/eNB).
Remove function pointers to set page/page sizes per info type
(UE/PDU/gNB/eNB info). Instead, call dumpers functions with this
information as function arguments.
When the UE sends a Tracking Area Update (TAU) Request with active_flag=0,
the MME previously sent TAU Accept without verifying the EPS Bearer Context
Status (EBCS). This caused stale bearer sessions to remain in the MME even
if the UE had already released them.
According to 3GPP TS 24.301 §5.5.3.2, the MME should release any bearer
not reported in the UE’s EBCS when active_flag=0. This patch introduces
mme_send_delete_session_or_tau_accept(), which compares the UE’s EBCS bitmask
with the MME session list and deletes any missing default bearer session
before sending TAU Accept.
If no mismatch is found, TAU Accept is sent immediately. The Delete Session
response triggers TAU Accept when deletions are required. This ensures that
the TAU Accept message reflects the UE’s current bearer context accurately.
Also includes:
- Added OGS_GTP_DELETE_SEND_TAU_ACCEPT handling in mme-s11-handler.c
- Simplified EBCS structure (uint16_t value) for bitmask comparison
- Updated TAU-related tests with realistic EBI bitmasks (0x20, 0x60)
This change aligns TAU handling with 3GPP 24.301 and prevents bearer
mismatch issues between UE and EPC during TAU.
Open5GS has a lightweight HTTP server (already used for `/metrics`) embedded in each NF.
New optional JSON endpoints were added:
| NF | Endpoint | Content |
| --- | --- | --- |
| **SMF** | `/pdu-info` | All currently connected UEs + their PDU sessions (IMSI/SUPI, DNN, IPs, S-NSSAI, QoS, state, etc.) |
| **AMF** | `/gnb-info` | All currently connected gNBs and their supported TAs, PLMNs, SCTP info, number of UEs |
| **AMF** | `/ue-info` | All currently connected NR UEs and their info, active gNB, tai, security, slices, am_policy |
| **MME** | `/enb-info` | All currently connected eNBs and their supported TAs, PLMNs, SCTP info, number of UEs |
| **MME** | `/ue-info` | All currently connected LTE UEs and their info, active eNB, tai, pdn info |
They are exposed on the same HTTP port used by Prometheus metrics (default `:9090`).
To reduce processor load when there are a large number of devices, the API includes a pager that limits output.
`/ue-info?page=0&page_size=100`
page in the range 0-n (0 is default),
`page=-1` to avoid paging
`page_size=100` (default and MAX)
- Use ogs_pool_id_calloc() / ogs_pool_id_free() instead of ogs_pool_alloc() / ogs_pool_free()
to assign stable pool IDs to connection_t and ogs_sbi_session_t.
- Pass pool ID to ogs_timer_add() instead of raw pointer.
- In connection_timer_expired() and session_timer_expired(), resolve object via
ogs_pool_find_by_id() and safely return if the object has already been freed.
- Add safety checks and error logs for invalid IDs and missing objects.
This prevents use-after-free or double-free crashes when timer callbacks
are triggered after the object has been freed under heavy load.
The older version of the code was wrong (or at least not exactly
correct) in many (corner) cases.
* Split the parsing of Packet Filter List into its own helper function
to simplify the code
* Improve error logging to provide more info on which QoS rule failed.
* Add some extra logic checking match between 'Length of QoS rule' and
existance of m+1 and m+2 bytes.
* Correct logic checking expected/unexpected presence of m+1 and m+2
octets based on Rule Operation Code according to specs.
Home-Routed roaming: during Xn/N2 handover the source gNB may forward
remaining DL data to the core using UL PDU Session Information (PSC).
On the V-UPF the PSC was lost on the indirect path because OHR+OHC
removed the incoming GTP-U header (and its extensions) and we did not
recreate PSC when no QER/QFI was provisioned by the V-SMF.
This change makes the V-UPF rebuild a DL PSC for the target gNB even
when QER is absent, limited to the Access->Access indirect path
(source gNB -> V-UPF -> target gNB).
Why this is needed in HR:
- In HR deployments the V-SMF typically does not provision QER/QFI for
the temporary indirect path. Without recreating PSC from recvhdr, the
extension header disappears after OHR+OHC and the target gNB cannot
see the QFI during handover buffering/forwarding.
Add robust error checks and logging to MME, SMF, PCRF, and HSS
Diameter callback functions. Prevent assertion failures by
handling unexpected or late messages gracefully.
