N/A

When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the f_teid_len from incoming message, and then uses it to copy data from incoming message to struct f_teid without checking the maximum length. If the pdi.local_f_teid.len exceeds the maximum length of the struct of f_teid, the memcpy() overwrites the fields (e.g., f_teid_len) after f_teid in the pdr struct. After parsing the request, the UPF starts to build a response. The f_teid_len with its overwritten value is used as a length for memcpy(). A segmentation fault occurs, as a result of a memcpy(), if this overwritten value is large enough.

N/A

潜在危险函数的使用

Open5GS 安全漏洞

Open5GS是一个 5G Core 和 Epc 的 C 语言开源实现，即 Lte/Nr 网络的核心网络。 Open5GS 2.4.9及之前版本存在安全漏洞，该漏洞源于如果pdi.local_f_teid.len超过了f_teid结构的最大长度，memcpy()就会覆盖pdr结构中f_teid后面的字段，在解析完请求后，UPF开始建立一个响应，f_teid_len及其覆盖的值被用作memcpy()的长度。如果这个覆盖的值足够大，作为memcpy()的结果，会发生分段故障。

N/A

N/A