open5gs/src
Sukchan Lee 21ada5e1a7 MME: Defer UE context removal on implicit detach without S1 context
Problem

When the implicit detach timer expires, the MME may initiate local
UE context removal if no S1 context exists.

In the previous implementation, mme_ue_remove() could be triggered
directly from mme_send_delete_session_or_detach() in this path.

This leads to a structural issue:

- The UE context may be freed while the EMM FSM is still processing
  the implicit detach timer event.
- Subsequent FSM operations (state transition, ENTRY/EXIT signals)
  may access the freed mme_ue.
- This results in assertion failures or crashes such as:

  emm_state_registered: Assertion `mme_ue' failed

Analysis

Implicit detach handling executes within the EMM FSM context.
Immediate UE context removal from this path violates the FSM
lifecycle assumption that the context remains valid until the
event handling and state transition complete.

This creates a use-after-free risk and can also cause double-free
depending on concurrent removal paths.

Solution

Introduce deferred UE context removal via FSM:

1. Add a new flag:
     mme_ue->ue_context_will_remove

2. Modify mme_send_delete_session_or_detach():
   - If no S1 context exists, do not remove immediately.
   - Set ue_context_will_remove = true instead.

3. In implicit detach timer handling:
   - Check the flag and select the next state accordingly.

4. Introduce a new FSM state:
     emm_state_ue_context_will_remove

   - UE context removal is performed safely on ENTRY_SIG.

This ensures:

- UE context is not freed inside the original EMM handler.
- FSM lifecycle is preserved.
- Removal happens after state transition.

Impact

- Prevents crashes caused by use-after-free during implicit detach.
- Avoids double-free scenarios.
- Aligns UE context lifecycle with FSM design.

This change only affects implicit detach paths where S1 context
does not exist and does not alter normal detach procedures.

Fixes: #4298
2026-02-08 11:52:44 +09:00
amf amf: ignore late SDM_SUBSCRIPTIONS DELETE during re-registration 2026-01-23 11:24:06 +09:00
ausf [NFM] Prevent dispatch of SBI events to NF instance FSMs finalized by SIGTERM (#3938) 2025-06-27 17:12:49 +09:00
bsf [NFM] Prevent dispatch of SBI events to NF instance FSMs finalized by SIGTERM (#3938) 2025-06-27 17:12:49 +09:00
hss [HSS] Fix stack buffer over-read when logging AK in Cx-MAR handler 2025-11-30 22:15:46 +09:00
mme MME: Defer UE context removal on implicit detach without S1 context 2026-02-08 11:52:44 +09:00
nrf Return an error message for subscription request when request has no subscrcond or not supported subscrcond 2025-10-25 08:26:13 +09:00
nssf [HR] Implement handling of UE-initiated PDU Session Modification (#2194) 2025-06-30 10:07:06 +09:00
pcf Fix DNN Operator-Identifier format and refactor OI parsing for HR roaming interop 2025-12-06 22:23:34 +09:00
pcrf [PCRF] Check for QCI 5 only in case of 3GG RAT during Rx AAR for IMS signalling 2025-09-16 06:41:20 +09:00
scp Merge branch 'main' into home-routed 2025-06-30 10:02:57 +09:00
sepp [NFM] Prevent dispatch of SBI events to NF instance FSMs finalized by SIGTERM (#3938) 2025-06-27 17:12:49 +09:00
sgwc sgwc: avoid PFCP indirect modify without forwarding tunnel 2026-01-27 20:41:19 +09:00
sgwu UPF: Fix crash on CH F-TEID address family mismatch for selected DNN 2025-11-27 17:15:29 +09:00
smf sgwc/smf: handle late or orphan GTPv2 responses without abort 2026-01-11 11:23:56 +09:00
udm Follow-up on #4158 2025-11-15 10:44:50 +09:00
udr Follow-up on #4105 2025-10-17 09:17:02 +09:00
upf UPF: Fix crash on CH F-TEID address family mismatch for selected DNN 2025-11-27 17:15:29 +09:00
main.c Merge branch 'main' into home-routed 2025-04-06 18:36:57 +09:00
meson.build [SEPP] Initial Update for 5G Roaming (#2739) 2023-11-19 19:34:51 +09:00