### Vulnerability Overview

This vulnerability involves the AMF (Access and Mobility Management Function) failing to properly handle invalid `registration_type` values when a UE (User Equipment) sends a Registration Request containing such values in a 5G network, leading to unexpected behavior in subsequent logic. Specifically:

- Invalid values may erroneously trigger N4 UE context transfer attempts.
- Placeholder 5G-GUTIs (with AMF-ID and M-TMSI set to zero) sent by certain devices and fuzzing tools are mistakenly recognized as valid, thereby triggering unnecessary N4 UE context transfers.

### Impact Scope

- **Affected Component**: The `gmm_handle_registration_request` function within the AMF module.
- **Impact Scenario**: When a UE sends a Registration Request containing an invalid `registration_type` value, the AMF may incorrectly process the request, resulting in unexpected behavior in subsequent logic.

### Remediation

1. **Normalize `registration_type` values**:
   - In the early stages of the `gmm_handle_registration_request` function, normalize invalid `registration_type` values to `OGS_NAS_5GS_REGISTRATION_TYPE_INITIAL`.
   - Ensure that subsequent logic operates only on valid `registration_type` values.
2. **Ignore placeholder 5G-GUTIs**:
   - In the `gmm_registration_request_from_old_amf` function, ignore placeholder 5G-GUTIs (where AMF-ID and M-TMSI are zero).
   - Treat these placeholders as non-actionable and fall back to the standard Registration / Identity procedures.

### Code Changes

#### `src/amf/gmm-handler.c`

```c
if (registration_type->value == OGS_NAS_5GS_REGISTRATION_TYPE_INITIAL) {
    /*
     * TS 24.501 Table 9.11.3.7.1:
     * Unused registration-type encodings shall be interpreted as
     * "Initial registration" by the network.
     * Normalize here so subsequent transfer logic has a stable basis.
     */
    if (amf_ue->nas.registration.value != 0) {
        /* The format string takes the offending value as its argument. */
        ogs_error("Normalize reg_type[%d] to INITIAL",
                amf_ue->nas.registration.value);
        amf_ue->nas.registration.value =
            OGS_NAS_5GS_REGISTRATION_TYPE_INITIAL;
    }

    if (amf_ue->nas.registration.value !=
            OGS_NAS_5GS_REGISTRATION_TYPE_INITIAL) {
        /*
         * Issue #2848
         */
        return false;
    }
}

/*
 * Robustness: many devices (and fuzzers) send a "placeholder" 5G-GUTI
 * (AMF-ID zero + M-TMSI zero). Treat it as non-actionable for context
 * transfer regardless of PLMN digits, and fall back to Identity Request /
 * normal registration handling.
 */
if ((amf_ue->old_guti.amf_id.region == 0 &&
     amf_ue->old_guti.amf_id.mt2 == 0 &&
     amf_ue->old_guti.nas.plmn_id.mcc1 == 0 &&
     amf_ue->old_guti.nas.plmn_id.mcc2 == 0 &&
     amf_ue->old_guti.nas.plmn_id.mcc3 == 0 &&
     amf_ue->old_guti.nas.plmn_id.mnc1 == 0 &&
     amf_ue->old_guti.nas.plmn_id.mnc2 == 0 &&
     amf_ue->old_guti.nas.plmn_id.mnc3 == 0) ||
    (amf_ue->old_guti.amf_id.region == 0 &&
     amf_ue->old_guti.amf_id.mt2 == 0 &&
     amf_ue->old_guti.m_tmsi == 0)) {
    return false;
}
```

#### `src/amf/namf-build.c`

```c
/* The transfer request is only built from a UE with a valid access type
 * and a (normalized, therefore non-zero) registration type. */
ogs_assert(amf_ue->nas.access_type);
ogs_assert(amf_ue->nas.registration.value);
ue_context_id = amf_ue_to_context_id(amf_ue);
ogs_assert(ue_context_id);
```

### Summary

This fix ensures the stability and correctness of the AMF when processing Registration Requests by normalizing invalid `registration_type` values and ignoring placeholder 5G-GUTIs, thereby preventing unexpected behavior caused by invalid values.
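To make the two remediation steps concrete outside the AMF code base, the following is an added example in C; it is not Open5GS's code and does not use its types. It defines its own minimal stand-ins for the 3-bit registration-type field and the 5G-GUTI (the `amf_id_t`/`guti_t` field names and the `REG_TYPE_*` numeric values are assumptions made for this example), implements the TS 24.501 Table 9.11.3.7.1 normalization rule for every unused encoding, the placeholder-GUTI test for both zero-M-TMSI and zero-PLMN forms, and then combines them into a single decision on whether an old-AMF context transfer should be attempted at all.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the NAS structures the fix touches. Field
 * names and numeric values below are assumptions for this example, not
 * Open5GS definitions.
 */
#define REG_TYPE_INITIAL   1   /* 0b001 initial registration            */
#define REG_TYPE_MOBILITY  2   /* 0b010 mobility registration updating  */
#define REG_TYPE_PERIODIC  3   /* 0b011 periodic registration updating  */
#define REG_TYPE_EMERGENCY 4   /* 0b100 emergency registration          */

typedef struct {
    uint8_t  region;   /* AMF Region ID */
    uint16_t set;      /* AMF Set ID    */
    uint8_t  pointer;  /* AMF Pointer   */
} amf_id_t;

typedef struct {
    uint16_t mcc;      /* PLMN digits, assumed already decoded */
    uint16_t mnc;
    amf_id_t amf_id;
    uint32_t m_tmsi;
} guti_t;

/*
 * TS 24.501 Table 9.11.3.7.1: the registration type is a 3-bit field and
 * unused encodings shall be interpreted by the network as "initial
 * registration". Normalizing once here gives later logic a stable basis.
 */
uint8_t normalize_registration_type(uint8_t raw)
{
    uint8_t value = raw & 0x07;   /* only the low three bits carry meaning */

    switch (value) {
    case REG_TYPE_INITIAL:
    case REG_TYPE_MOBILITY:
    case REG_TYPE_PERIODIC:
    case REG_TYPE_EMERGENCY:
        return value;
    default:                      /* 0, 5, 6 and the reserved 7 */
        return REG_TYPE_INITIAL;
    }
}

static bool amf_id_is_zero(const amf_id_t *id)
{
    return id->region == 0 && id->set == 0 && id->pointer == 0;
}

/*
 * Placeholder 5G-GUTI as described in the fix: AMF-ID all zero together
 * with either an all-zero M-TMSI or all-zero PLMN digits. Such a GUTI
 * cannot name a real old AMF, so it must not drive a context transfer.
 */
bool guti_is_placeholder(const guti_t *g)
{
    if (!amf_id_is_zero(&g->amf_id))
        return false;
    return g->m_tmsi == 0 || (g->mcc == 0 && g->mnc == 0);
}

/*
 * Decide whether the old GUTI names a *different* AMF from which a UE
 * context should be fetched. If reg_type_out is non-NULL it receives the
 * normalized registration type, so callers never see an unused encoding.
 */
bool registration_request_from_old_amf(uint8_t raw_reg_type,
                                       const guti_t *old_guti,
                                       const guti_t *self,
                                       uint8_t *reg_type_out)
{
    uint8_t reg_type = normalize_registration_type(raw_reg_type);
    if (reg_type_out)
        *reg_type_out = reg_type;

    /* Placeholder GUTI: fall back to Identity Request / normal handling. */
    if (guti_is_placeholder(old_guti))
        return false;

    /* Same PLMN and AMF-ID as ourselves: the context is already local. */
    if (old_guti->mcc == self->mcc && old_guti->mnc == self->mnc &&
        old_guti->amf_id.region == self->amf_id.region &&
        old_guti->amf_id.set == self->amf_id.set &&
        old_guti->amf_id.pointer == self->amf_id.pointer)
        return false;

    return true;
}

int main(void)
{
    /* Constructed sample inputs (PLMN 999/70, AMF region 2). */
    const guti_t self        = { 999, 70, { 2, 1, 0 }, 0 };
    const guti_t placeholder = { 999, 70, { 0, 0, 0 }, 0 };
    const guti_t foreign     = { 999, 70, { 2, 2, 0 }, 0x12345678 };
    uint8_t t = 0;

    printf("reg_type 6 normalizes to %u\n",
           (unsigned)normalize_registration_type(6));
    printf("placeholder GUTI triggers transfer: %d\n",
           registration_request_from_old_amf(6, &placeholder, &self, &t));
    printf("foreign-AMF GUTI triggers transfer: %d\n",
           registration_request_from_old_amf(2, &foreign, &self, &t));
    return 0;
}
```

The order of the checks is the point: normalization happens first and unconditionally, so the transfer decision and anything logged afterwards see only the four defined encodings, and the placeholder test runs before any comparison against the local AMF identity, so a fuzzed all-zero GUTI never reaches the transfer path.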