
Segfault when NF receives HTTP2 request with incorrect payload #1503

Closed
bmeglic opened this issue Apr 22, 2022 · 3 comments
Labels
type:bug Open5GS bug

Comments

@bmeglic
Contributor

bmeglic commented Apr 22, 2022

NF (in this particular case UDR) crashes with a segfault when an HTTP2 request is received which contains a JSON payload that is not expected. The JSON payload was constructed as a JSON array containing a JSON object: [ { "amfInstanceId": "xxx", ...}] . But the UDR was expecting a JSON payload containing the JSON object directly: { "amfInstanceId": "xxx", ...}

Open5GS daemon v2.4.5-71-g694b60f

04/22 06:16:36.333: [app] INFO: Configuration: '/usr/local/etc/open5gs/udr.yaml' (../lib/app/ogs-init.c:129)
04/22 06:16:36.333: [app] INFO: File Logging: '/var/local/log/open5gs/udr.log' (../lib/app/ogs-init.c:132)
04/22 06:16:36.334: [app] INFO: LOG-LEVEL: 'trace' (../lib/app/ogs-init.c:135)
...
04/22 06:16:39.551: [sbi] DEBUG: MAX_CONCURRENT_STREAMS = -1 (../lib/sbi/nghttp2-server.c:720)
04/22 06:16:39.551: [sbi] DEBUG: ENABLE_PUSH = false (../lib/sbi/nghttp2-server.c:722)
0000: 00000604 00000000 00000300 000064     ..............d
04/22 06:16:39.551: [sbi] DEBUG: STREAM added [3] (../lib/sbi/nghttp2-server.c:1078)
04/22 06:16:39.551: [sbi] DEBUG: [PUT] /nudr-dr/v1/subscription-data/imsi-001010000050970/context-data/amf-3gpp-access (../lib/sbi/nghttp2-server.c:770)
04/22 06:16:39.551: [sbi] DEBUG: RECEIVED: 247 (../lib/sbi/nghttp2-server.c:773)
04/22 06:16:39.551: [sbi] DEBUG: [{ "amfInstanceId": "ee230e80-ac15-41ec-a0de-1123e64a0914", "deregCallbackUri": "http://127.0.0.5:7777/namf-callback/v1/imsi-001010000050970/dereg-notify", "guami": { "plmnId": { "mcc": "001", "mnc": "01" }, "amfId": "020040" }, "ratType": "NR" }] (../lib/sbi/nghttp2-server.c:774)
04/22 06:16:39.551: [udr] DEBUG: udr_state_operational(): UDR_EVT_SBI_SERVER (../src/udr/udr-sm.c:52)
[{ "amfInstanceId": "ee230e80-ac15-41ec-a0de-1123e64a0914", "deregCallbackUri": "http://127.0.0.5:7777/namf-callback/v1/imsi-001010000050970/dereg-notify", "guami": { "plmnId": { "mcc": "001", "mnc": "01" }, "amfId": "020040" }, "ratType": "NR" }]
Thread 2 "open5gs-udrd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7faf186a0700 (LWP 13949)]
__strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:102
102     ../sysdeps/x86_64/multiarch/strcmp-avx2.S: No such file or directory.
(gdb) bt
#0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:102
#1  0x00007faf1c29394d in get_object_item (object=0x7faf100077c0, name=0x7faf1c4f5bb8 "amfInstanceId", case_sensitive=1) at ../lib/sbi/openapi/external/cJSON.c:1804
#2  0x00007faf1c2939e0 in cJSON_GetObjectItemCaseSensitive (object=0x7faf100077c0, string=0x7faf1c4f5bb8 "amfInstanceId") at ../lib/sbi/openapi/external/cJSON.c:1827
#3  0x00007faf1c2b4fa3 in OpenAPI_amf3_gpp_access_registration_parseFromJSON (amf3_gpp_access_registrationJSON=0x7faf100077c0) at ../lib/sbi/openapi/model/amf3_gpp_access_registration.c:309
#4  0x00007faf1c656acf in parse_json (message=0x7faf1869f8c0, content_type=0x7faf10009fc0 "application/json",
    json=0x7faf1000a6e0 "[{ \"amfInstanceId\": \"ee230e80-ac15-41ec-a0de-1123e64a0914\", \"deregCallbackUri\": \"http://127.0.0.5:7777/namf-callback/v1/imsi-001010000050970/dereg-notify\", \"guami\": { \"plmnId\": { \"mcc\": \"001\", \"mnc\": "...) at ../lib/sbi/message.c:1192
#5  0x00007faf1c65988a in parse_content (message=0x7faf1869f8c0, http=0x7faf1898f1e8) at ../lib/sbi/message.c:1753
#6  0x00007faf1c65298d in ogs_sbi_parse_request (message=0x7faf1869f8c0, request=0x7faf1898f178) at ../lib/sbi/message.c:552
#7  0x00005641ff1506a3 in udr_state_operational (s=0x7faf1869fc50, e=0x5641ff453890) at ../src/udr/udr-sm.c:69
#8  0x00007faf1c6d3ae3 in ogs_fsm_dispatch (sm=0x7faf1869fc50, event=0x5641ff453890) at ../lib/core/ogs-fsm.c:62
#9  0x00005641ff14cd80 in udr_main (data=0x0) at ../src/udr/init.c:136
#10 0x00007faf1c6c5639 in thread_worker (arg=0x5641ff4c36b0) at ../lib/core/ogs-thread.c:67
#11 0x00007faf1bfd0609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#12 0x00007faf1c12c163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb)
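The crash in the backtrace above comes from a lookup that assumes every child of the node it is handed carries a member key, which is not true for the elements of a JSON array. As an added example (not Open5GS or cJSON code), a minimal stand-in for cJSON's node layout reproduces that situation with the constructed `[ { "amfInstanceId": ... } ]` payload from the log and shows the two guards a defender wants: a NULL-key-safe lookup and a caller-side check that the top-level value is an object before model parsing. The node layout, type constants and function names are assumptions.

```c
/* Added example, not code from Open5GS or cJSON. A minimal stand-in for
 * cJSON's node layout (next/child/type/string/valuestring): the children
 * of a JSON array carry no key (string == NULL), so an unguarded
 * strcmp(name, child->string) dereferences NULL, as seen in frame #1. */
#include <stddef.h>
#include <string.h>

enum { NODE_OBJECT = 1, NODE_ARRAY = 2, NODE_STRING = 3 }; /* constructed */

typedef struct node {
    struct node *next, *child;
    int type;
    char *string;            /* member key; NULL for array elements */
    const char *valuestring;
} node;

/* Library-side guard: never strcmp against a NULL key, and never report a
 * keyless element as a match (a loop that merely stops at the first NULL
 * key would still hand that element back to the caller). */
node *get_object_item_safe(const node *object, const char *name)
{
    node *cur;
    if (object == NULL || name == NULL)
        return NULL;
    for (cur = object->child; cur != NULL; cur = cur->next)
        if (cur->string != NULL && strcmp(name, cur->string) == 0)
            return cur;
    return NULL;
}

/* Caller-side guard: a model parser expecting {...} should reject [...]
 * (or any non-object) up front instead of relying on the JSON library. */
int registration_payload_is_well_formed(const node *root)
{
    return root != NULL && root->type == NODE_OBJECT &&
           get_object_item_safe(root, "amfInstanceId") != NULL;
}

/* Constructed payload mirroring the log: [ { "amfInstanceId": "ee23..." } ] */
static node sample_member = { NULL, NULL, NODE_STRING, "amfInstanceId",
                              "ee230e80-ac15-41ec-a0de-1123e64a0914" };
static node sample_object = { NULL, &sample_member, NODE_OBJECT, NULL, NULL };
static node sample_array  = { NULL, &sample_object, NODE_ARRAY, NULL, NULL };

node *sample_array_root(void) { return &sample_array; }
```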
@bmeglic
Contributor Author

bmeglic commented Apr 22, 2022

The patch to fix this is simple, but since this is in an external library, I don't know if it is to be fixed or not. But anyway, the NF should not crash on incorrect input.

diff --git a/lib/sbi/openapi/external/cJSON.c b/lib/sbi/openapi/external/cJSON.c
index 792c5b753..d6c881ffc 100644
--- a/lib/sbi/openapi/external/cJSON.c
+++ b/lib/sbi/openapi/external/cJSON.c
@@ -1801,7 +1801,7 @@ static cJSON *get_object_item(const cJSON * const object, const char * const nam
     current_element = object->child;
     if (case_sensitive)
     {
-        while ((current_element != NULL) && (strcmp(name, current_element->string) != 0))
+        while ((current_element != NULL) && (current_element->string != NULL) && (strcmp(name, current_element->string) != 0))
         {
             current_element = current_element->next;
         }
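Review bot: the added condition makes the loop exit with `current_element` still non-NULL as soon as it reaches a child whose `string` is NULL (the case for every element of a JSON array, which is exactly the `[{...}]` payload in this report), so whatever follows the loop treats that keyless element as a match for `name`. A post-loop guard such as `if ((current_element == NULL) || (current_element->string == NULL)) return NULL;` is needed so the lookup reports "not found" instead. Only the `if (case_sensitive)` branch is patched here; the loop for the case-insensitive lookup should get the same NULL-key check.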

@acetcom acetcom added the type:bug Open5GS bug label Apr 22, 2022
acetcom added a commit that referenced this issue Apr 22, 2022
@acetcom
Member

acetcom commented Apr 22, 2022

@bmeglic

I checked the cJSON GitHub and found out that this issue is resolved on the cJSON GitHub.

So, I upgraded from cJSON v1.7.7 to v1.7.15 to solve the problem.

Thank you so much for sharing this!
Sukchan

@bmeglic
Contributor Author

bmeglic commented Apr 22, 2022

@acetcom
Never thought of checking cJSON upstream. It works perfectly now. Thanks!

@bmeglic bmeglic closed this as completed Apr 22, 2022