# BSF crash on POST /nsbf-management/v1/pcfBindings with invalid ipv4Addr #4400 ## Vulnerability Overview When processing a POST request to `/nsbf-management/v1/pcfBindings`, if the request body contains an invalid `ipv4Addr` string, it causes the BSF to crash. ## Affected Versions - **OpenSGS Release, Revision, or Tag**: v2.7.7 ## Remediation The BSF should reject invalid `ipv4Addr` inputs and return a standard HTTP response, rather than crashing. ## Reproduction Steps ```bash curl --http1.1 --http2-prior-knowledge -m 5 -sS -i \ -X POST http://10.10.33.5/nsbf-management/v1/pcfBindings \ -H 'content-type: application/json' \ -d '{"ipv4Addr":"not-an-ipv4","dom":"internet","snsnal":{"sat":1,"ud":"000001"},"pcfFqdn":"pcf.example.org"}' ``` Then check: ```bash docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' bsf docker logs --since 2020-04-10T17:01:02Z bsf ``` ## Logs ``` 04/10 17:05:15.235: [core] ERROR: Invalid IPv4 string = not-an-ipv4 04/10 17:05:15.235: [bsf] ERROR: bsf_sess_set_ipv4addr[not-an-ipv4] failed 04/10 17:05:15.235: [bsf] FATAL: bsf_state_operational: Assertion 'sess' failed. [/src/bsf/bsf-sm.c:157] ``` ## Expected Behavior The BSF should reject invalid `ipv4Addr` inputs and return a standard HTTP response, rather than crashing. ## Actual Behavior The connection is reset, and the BSF process exits with code 139. ## eNodeB/gNodeB Not applicable. ## UE Model and Version Not applicable.