# Open5GS Vulnerability Summary

## Vulnerability Overview

- **Title**: Assertion failure in `ngap_build_pdu_session_resource_modify_transfer` during PDU Session Modification request
- **Issue ID**: #3858
- **Status**: Closed
- **Labels**: Housekeeping/ToClose, Type:Security
- **Reported Date**: 2025-04-17
- **Fixed Date**: 2025-05-05

## Impact Scope

- **Component**: Open5GS v2.7.3
- **Module**: `ngap_build_pdu_session_resource_modify_transfer` function
- **Trigger Condition**: A UE initiates a PDU Session Modification Request containing a Non-GBR QoS flow (5QI=9)
- **Impact**: The assertion failure crashes the program, so the PDU Session Modification Request cannot complete

## Remediation

- **Fix Content**: Modified the logic of the `ngap_build_pdu_session_resource_modify_transfer` function to correctly distinguish between GBR and Non-GBR QoS flows
- **Specific Fix**: Identified QoS flow types (GBR/Non-GBR) based on the 5QI value and handled MBR/GBR parameters accordingly
- **Fix Commit**:
  - Merged to the main branch by `acetcorn` on 2025-05-05
  - Commit ID: 3b55144
  - Fix Description: `[AMF/NME] default to Non-GBR flow when MBR/GBR parameters are missing`

## Reproduction Steps

1. UE initial registration
2. Establish PDU Session 1 (IPv4)
3. Establish PDU Session 3 (IPv4)
4. Modify PDU Session 3 by adding a QoS rule with 5QI=9
5. Trigger assertion failure

## Key Log Information

```
[amf] FATAL: ngap_build_pdu_session_resource_modify_transfer: Assertion 'qos_flow->qos_mbr_dl_bwlink' failed.
[core] FATAL: backtrace() returned 11 addresses
```

## Expected Behavior

- The SMF should correctly identify the QoS flow as Non-GBR type
- The modification request should complete successfully and generate valid NGAP messages forwarded to the RAN

## Actual Behavior

- The PDU Session Modification Request procedure fails
- No response from eNodeB/gNodeB
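
The pattern described under Remediation, as an added sketch that is not the Open5GS code or the actual patch: the rate fields are checked with an ordinary branch instead of an assertion, and a flow without MBR/GBR values falls back to Non-GBR. The struct, enum and function names are hypothetical, and the 5QI list is an illustrative subset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified flow record (not the Open5GS structures).
 * A rate of 0 means the parameter was not provisioned. */
typedef struct {
    uint8_t  fiveqi;
    uint64_t mbr_dl, mbr_ul;    /* maximum bit rate, bits/s */
    uint64_t gbr_dl, gbr_ul;    /* guaranteed bit rate, bits/s */
} qos_flow_t;

typedef enum { FLOW_INVALID, FLOW_NON_GBR, FLOW_GBR } flow_kind_t;

typedef struct {
    flow_kind_t kind;           /* which QoS IEs the encoder should emit */
    bool        rates_missing;  /* GBR-type 5QI without rates: log, don't abort */
} flow_decision_t;

/* Illustrative subset of standardized GBR 5QI values; the authoritative
 * list is 3GPP TS 23.501 Table 5.7.4-1. 5QI 9 is Non-GBR. */
static bool fiveqi_is_gbr(uint8_t q)
{
    return (q >= 1 && q <= 4) || (q >= 65 && q <= 67) || (q >= 82 && q <= 85);
}

/* Replaces an assert() on the rate fields: input influenced by a UE request
 * selects a branch or an error value, it never terminates the process. */
flow_decision_t decide_flow(const qos_flow_t *f)
{
    flow_decision_t d = { FLOW_INVALID, false };
    if (f == NULL)
        return d;
    bool rates = f->mbr_dl && f->mbr_ul && f->gbr_dl && f->gbr_ul;
    if (fiveqi_is_gbr(f->fiveqi) && rates) {
        d.kind = FLOW_GBR;
    } else {
        d.kind = FLOW_NON_GBR;  /* default when MBR/GBR are absent */
        d.rates_missing = fiveqi_is_gbr(f->fiveqi);
    }
    return d;
}

int main(void)
{
    qos_flow_t f = { .fiveqi = 9 };   /* constructed input: 5QI 9, no rates */
    printf("kind=%d\n", decide_flow(&f).kind);
    return 0;
}
```

The `rates_missing` flag gives operators a log signal for a GBR-type 5QI that arrives without rates, which is the condition that previously surfaced only as a process abort.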