[Bugs] UPF crash caused by malformed PFCP message whose Sequence Number is mutated to overflow bytes
Describe the bug
While fuzzing the free5gc UPF for some PFCP basic and security features, I could trigger several crashes when sending a malformed PFCP Heartbeat Request whose Sequence Number is mutated to overflow bytes (e.g. 0xFF 0xFF 0xFF 0xFF). This could cause a DoS of any UPF instance; all memory issues due to this kind of PFCP message are caught by the Go memory runtime, which causes a panic and crash.
Expected behavior
Anyone could leverage this to cause DoS and resource consumption against a pool of UPFs. As much as possible, check the total length of PFCP messages, update the handling logic, or just drop them to avoid frequent crashes. This will greatly improve the availability, stability, and security of the free5gc UPF.
Screenshots
No special screenshot is provided.
Environment (please complete the following information):
free5GC Version: v3.3.0
OS: Ubuntu 20.04
Kernel version: 5.4.5-050405-generic
go version: go1.21.1 linux/amd64
Trace File
Configuration File
No specific configuration is required.
PCAP File
No specific pcap file is provided.
Log File
2023-10-24T17:49:15.614745280+08:00 [INFO][UPF][CFG] ==================================================
2023-10-24T17:49:15.614761831+08:00 [INFO][UPF][Main] Log level is set to [info]
2023-10-24T17:49:15.614777264+08:00 [INFO][UPF][Main] Report Caller is set to [false]
2023-10-24T17:49:15.614837834+08:00 [INFO][UPF][Main] starting Gtpu Forwarder [gtp5g]
2023-10-24T17:49:15.614864772+08:00 [INFO][UPF][Main] GTP Address: "127.0.0.8:2152"
2023-10-24T17:49:15.650332227+08:00 [INFO][UPF][BUFF] buff netlink server started
2023-10-24T17:49:15.650439249+08:00 [INFO][UPF][Perio] perio server started
2023-10-24T17:49:15.650444691+08:00 [INFO][UPF][Gtp5g] Forwarder started
2023-10-24T17:49:15.652112097+08:00 [INFO][UPF][PFCP][LAddr:127.0.0.8:8805] starting pfcp server
2023-10-24T17:49:15.652132290+08:00 [INFO][UPF][PFCP][LAddr:127.0.0.8:8805] pfcp server started
2023-10-24T17:49:15.652138607+08:00 [INFO][UPF][Main] UPF started
2023-10-24T17:50:42.343823681+08:00 [INFO][UPF][PFCP][LAddr:127.0.0.8:8805] handleAssociationSetupRequest
2023-10-24T17:50:42.343962121+08:00 [INFO][UPF][PFCP][LAddr:127.0.0.8:8805][CPNodeID:10.100.200.100] New node
2023-10-24T17:50:42.347048969+08:00 [FATA][UPF][PFCP][LAddr:127.0.0.8:8805] panic: runtime error: slice bounds out of range [6:4]
goroutine 10 [running]:
runtime/debug.Stack()
/usr/local/go/src/runtime/debug/stack.go:24 +0x65
github.com/free5gc/go-upf/internal/pfcp.(*PfcpServer).main.func1()
/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:86 +0x5d
panic({0x860400, 0xc000490210})
/usr/local/go/src/runtime/panic.go:1038 +0x215
github.com/wmnsk/go-pfcp/ie.(*IE).UnmarshalBinary(0x10000c0000cbb30, {0xc000490200, 0x20, 0x30})
/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:371 +0x1a5
github.com/wmnsk/go-pfcp/ie.Parse({0xc000490200, 0xb, 0xb})
/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:339 +0x48
github.com/wmnsk/go-pfcp/ie.ParseMultiIEs({0xc000490200, 0x13, 0x13})
/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:632 +0x8c
github.com/wmnsk/go-pfcp/message.(*HeartbeatRequest).UnmarshalBinary(0xc000096720, {0xc0004901f8, 0x0, 0xadaa82a41536e5d2})
/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/heartbeat-request.go:101 +0x6e
github.com/wmnsk/go-pfcp/message.Parse({0xc0004901f8, 0x13, 0x13})
/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/message.go:117 +0x3ab
github.com/free5gc/go-upf/internal/pfcp.(*PfcpServer).main(0xc000400a90, 0xc0004030d0)
/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:125 +0x4ce
created by github.com/free5gc/go-upf/internal/pfcp.(*PfcpServer).Start
/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:222 +0xd2
tjbdlq changed the title from "[Bugs] UPF crash caused by malformed PFCP Heartbeat Request message whose Sequence Number is mutated to overflow bytes" to "[Bugs] UPF crash caused by malformed PFCP messages whose Sequence Number is mutated to overflow bytes" on Oct 25, 2023
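The crash class in the trace above, as an added example that is not part of the issue and not free5gc or go-pfcp code: a minimal parser for a node-related PFCP message (Heartbeat Request) written two ways. parseIEUnchecked takes its slice bounds straight from the attacker-controlled IE Length, the pattern that makes the Go runtime abort with "slice bounds out of range [6:4]"; parseIE and ParseNodeMessage check the declared message length and every IE length against the bytes actually present, as the report asks, and HandleSafely turns any remaining panic into a dropped datagram instead of a dead server goroutine. All function names, the sample datagrams and the vendor-specific-IE trigger are constructed for illustration; the exact logic at go-pfcp's ie.go:371 is not reproduced here, only the failure mode.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// 3GPP TS 29.244: node-related messages (no SEID) have an 8-octet header (flags, type,
// length(2), seq(3), spare); an IE is type(2), length(2), value (Enterprise ID first if bit 16 set).
const (
	pfcpNodeHeaderLen   = 8
	ieHeaderLen         = 4
	ieVendorSpecificBit = 0x8000
	msgHeartbeatRequest = 1
)

var ErrMalformed = errors.New("pfcp: malformed message")

type IE struct {
	Type, Length, EnterpriseID uint16
	Payload                    []byte
}

// parseIEUnchecked is the bug class (an illustration, not go-pfcp's code): slice bounds
// come straight from the attacker-controlled Length, so a vendor IE with Length 0 hits b[6:4].
func parseIEUnchecked(b []byte) IE {
	ie := IE{Type: binary.BigEndian.Uint16(b[0:2]), Length: binary.BigEndian.Uint16(b[2:4])}
	off := ieHeaderLen
	if ie.Type&ieVendorSpecificBit != 0 {
		ie.EnterpriseID, off = binary.BigEndian.Uint16(b[4:6]), 6
	}
	ie.Payload = b[off : ieHeaderLen+int(ie.Length)] // panics: slice bounds out of range [6:4]
	return ie
}

// parseIE checks every length against the octets actually present before slicing.
func parseIE(b []byte) (IE, int, error) {
	if len(b) < ieHeaderLen {
		return IE{}, 0, fmt.Errorf("%w: IE header truncated (%d octets)", ErrMalformed, len(b))
	}
	ie := IE{Type: binary.BigEndian.Uint16(b[0:2]), Length: binary.BigEndian.Uint16(b[2:4])}
	end := ieHeaderLen + int(ie.Length)
	if end > len(b) {
		return IE{}, 0, fmt.Errorf("%w: IE %#x declares %d octets, %d remain", ErrMalformed, ie.Type, ie.Length, len(b)-ieHeaderLen)
	}
	body := b[ieHeaderLen:end]
	if ie.Type&ieVendorSpecificBit != 0 {
		if len(body) < 2 {
			return IE{}, 0, fmt.Errorf("%w: vendor-specific IE %#x lacks an Enterprise ID", ErrMalformed, ie.Type)
		}
		ie.EnterpriseID, body = binary.BigEndian.Uint16(body[:2]), body[2:]
	}
	ie.Payload = body
	return ie, end, nil
}

// ParseNodeMessage validates header flags, declared length and every IE; drop the datagram on error.
func ParseNodeMessage(b []byte) (seq uint32, ies []IE, err error) {
	if len(b) < pfcpNodeHeaderLen || int(binary.BigEndian.Uint16(b[2:4]))+4 != len(b) {
		return 0, nil, fmt.Errorf("%w: %d-octet datagram is truncated or mismatches its declared length", ErrMalformed, len(b))
	}
	if f := b[0]; f>>5 != 1 || f&0x01 != 0 {
		return 0, nil, fmt.Errorf("%w: flags %#x (want version 1, S clear)", ErrMalformed, f)
	}
	// Octets 5-7 are the 24-bit sequence number; octet 8 is spare and ignored (a 4th 0xFF lands there).
	seq = uint32(b[4])<<16 | uint32(b[5])<<8 | uint32(b[6])
	for rest := b[pfcpNodeHeaderLen:]; len(rest) > 0; {
		ie, n, err := parseIE(rest)
		if err != nil {
			return 0, nil, err
		}
		ies = append(ies, ie)
		rest = rest[n:]
	}
	return seq, ies, nil
}

// HandleSafely converts a panic on one datagram into an error instead of a dead server goroutine.
func HandleSafely(b []byte, handler func([]byte)) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("pfcp: datagram dropped after panic: %v", r)
		}
	}()
	handler(b)
	return nil
}

// Constructed sample datagrams (not captures from the report): a valid Heartbeat Request (seq 1,
// one Recovery Time Stamp IE, type 96) and one with seq/spare = 0xFF and a vendor IE of Length 0.
var (
	GoodHeartbeat = []byte{0x20, msgHeartbeatRequest, 0x00, 0x0C, 0x00, 0x00, 0x01, 0x00, 0x00, 0x60, 0x00, 0x04, 0xE9, 0x7A, 0x9B, 0x00}
	BadHeartbeat  = []byte{0x20, msgHeartbeatRequest, 0x00, 0x0A, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF}
)

func main() {
	fmt.Println(HandleSafely(BadHeartbeat[pfcpNodeHeaderLen:], func(b []byte) { parseIEUnchecked(b) }))
}
```

Two points worth noting about the design. First, the Sequence Number is a 24-bit field, so 0xFF 0xFF 0xFF is a legal value and the fourth 0xFF only overwrites the spare octet a receiver must ignore; the fuzzer's mutation is dangerous not because the number overflows but because the bytes after it are then parsed as IEs whose Length no longer matches what is on the wire, which is exactly what the declared-length and per-IE checks catch. Second, the recover wrapper is a backstop, not a fix: it keeps one hostile datagram from taking the PFCP goroutine (and every associated CP peer) down, but the length validation is what makes the parser correct.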