Sukchan Lee 21ada5e1a7 MME: Defer UE context removal on implicit detach without S1 context
Problem

When the implicit detach timer expires, the MME may initiate local
UE context removal if no S1 context exists.

In the previous implementation, mme_ue_remove() could be triggered
directly from mme_send_delete_session_or_detach() in this path.

This leads to a structural issue:

- The UE context may be freed while the EMM FSM is still processing
  the implicit detach timer event.
- Subsequent FSM operations (state transition, ENTRY/EXIT signals)
  may access the freed mme_ue.
- This results in assertion failures or crashes such as:

  emm_state_registered: Assertion `mme_ue' failed

Analysis

Implicit detach handling executes within the EMM FSM context.
Immediate UE context removal from this path violates the FSM
lifecycle assumption that the context remains valid until the
event handling and state transition complete.

This creates a use-after-free risk and can also cause double-free
depending on concurrent removal paths.

Solution

Introduce deferred UE context removal via FSM:

1. Add a new flag:
     mme_ue->ue_context_will_remove

2. Modify mme_send_delete_session_or_detach():
   - If no S1 context exists, do not remove immediately.
   - Set ue_context_will_remove = true instead.

3. In implicit detach timer handling:
   - Check the flag and select the next state accordingly.

4. Introduce a new FSM state:
     emm_state_ue_context_will_remove

   - UE context removal is performed safely on ENTRY_SIG.

This ensures:

- UE context is not freed inside the original EMM handler.
- FSM lifecycle is preserved.
- Removal happens after state transition.

Impact

- Prevents crashes caused by use-after-free during implicit detach.
- Avoids double-free scenarios.
- Aligns UE context lifecycle with FSM design.

This change only affects implicit detach paths where S1 context
does not exist and does not alter normal detach procedures.

Fixes: #4298
2026-02-08 11:52:44 +09:00
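
The deferred-removal pattern described in the commit message above, as an added example that is not Open5GS code: a simplified FSM model in C where every name (`struct ue`, `dispatch`, `state_will_remove`, `live_contexts`) is hypothetical. The `state_deregistered` branch taken when an S1 context exists is an assumption.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Simplified model; all names are hypothetical, not Open5GS code. */
enum sig { ENTRY_SIG, EXIT_SIG, TIMER_IMPLICIT_DETACH };
struct ue;
typedef void (*state_fn)(struct ue *ue, enum sig s);
struct ue {
    state_fn state;          /* current FSM state handler */
    bool has_s1_context;
    bool will_remove;        /* plays the role of ue_context_will_remove */
};
static int live_contexts;    /* allocation counter for the demo */
static state_fn next_state;  /* transition requested by a handler */

static void state_deregistered(struct ue *ue, enum sig s) { (void)ue; (void)s; }
/* Terminal state: the only place the context is freed. */
static void state_will_remove(struct ue *ue, enum sig s)
{
    if (s == ENTRY_SIG) { free(ue); live_contexts--; }
}
static void state_registered(struct ue *ue, enum sig s)
{
    if (s != TIMER_IMPLICIT_DETACH) return;
    /* free(ue) here would make dispatch() touch freed memory: defer. */
    if (!ue->has_s1_context) ue->will_remove = true;
    next_state = ue->will_remove ? state_will_remove : state_deregistered;
}
/* Returns true if the context is still valid after the event. */
bool dispatch(struct ue *ue, enum sig s)
{
    next_state = NULL;
    ue->state(ue, s);
    if (!next_state) return true;
    state_fn target = next_state;
    ue->state(ue, EXIT_SIG);   /* ue must still be alive here */
    ue->state = target;
    target(ue, ENTRY_SIG);     /* may free ue: no access after this */
    return target != state_will_remove;
}
struct ue *ue_new(bool has_s1)
{
    struct ue *ue = calloc(1, sizeof *ue);
    if (!ue) abort();
    ue->state = state_registered;
    ue->has_s1_context = has_s1;
    live_contexts++;
    return ue;
}
int main(void) { return dispatch(ue_new(false), TIMER_IMPLICIT_DETACH) ? 1 : live_contexts; }
```

Callers treat a `false` return from `dispatch()` as "pointer is gone" and drop their reference, which also closes the double-free path.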
.github Update cifuzz 2025-02-04 21:09:20 +09:00
configs [HR] Implement handling of UE-initiated PDU Session Modification (#2194) 2025-06-30 10:07:06 +09:00
debian Release v2.7.6 2025-07-19 10:32:41 +09:00
docker Replaced deprecated libidn11-dev with libidn-dev across the project. 2025-01-19 12:21:51 +09:00
docs Add Baicells Aurora 243 to hardware list 2026-02-01 06:54:46 +09:00
lib nrf: Fix serving PLMN counter reset on NF register 2026-02-04 20:51:29 +09:00
misc Add roaming type toggle via command line (#4211) 2025-12-23 13:53:53 +09:00
src MME: Defer UE context removal on implicit detach without S1 context 2026-02-08 11:52:44 +09:00
subprojects Tested on FreeBSD-14.1-STABLE (#3350) 2024-08-03 21:45:52 +09:00
tests [mme] Use bitmap-based EBI management to avoid bearer allocation crash 2026-02-02 22:22:56 +09:00
vagrant Tested on FreeBSD-14.1-STABLE (#3350) 2024-08-03 21:45:52 +09:00
webui Update to secure secrets using env 2026-01-17 10:45:03 +09:00
.clang-tidy [MISC] Add support for static code analysis 2022-07-01 21:38:47 +09:00
.dockerignore [build] Use local sources to build applications (#1583) 2022-06-19 18:18:09 +09:00
.editorconfig editorconfig: new file (#2746) 2023-11-27 22:21:35 +09:00
.gitignore .gitignore: Add install/ dir 2023-10-10 08:03:25 +09:00
LICENSE Change LICENSE to GNU AGPL v3.0 2017-12-18 10:35:54 +09:00
meson.build Release v2.7.6 2025-07-19 10:32:41 +09:00
meson_options.txt [Fuzzing] oss-fuzz support for fuzzing (#2283) 2023-05-05 17:20:11 +09:00
README.md nrf: Fix serving PLMN counter reset on NF register 2026-02-04 20:51:29 +09:00


Getting Started

Please follow the documentation at open5gs.org!

Sponsors

If you find Open5GS useful for work, please consider supporting this open source project by becoming a sponsor. To manage the funding transactions transparently, you can donate through OpenCollective.


Community

  • Problems with Open5GS can be filed as issues in this repository.
  • Other topics related to this project are covered in the discussions.
  • Voice and text chat are available in Open5GS's Discord workspace. Use this link to get started.

Contributing

If you're contributing through a pull request to the Open5GS project on GitHub, please read the Contributor License Agreement in advance.

License

Support

Technical support and customized services for Open5GS are provided by NewPlane at support@newplane.io.