[Bug]: AMF crash after UE release request #2581

Closed
Ma2tGt opened this issue Sep 5, 2023 · 19 comments
Labels: Housekeeping:ToClose, type:bug

Ma2tGt commented Sep 5, 2023

Open5GS Release, Revision, or Tag

v2.6.4

Steps to reproduce

Hello,
We started to play with Open5GS and a Nokia gNB. But sometimes when we set the UE in airplane mode, the AMF crashes and the process is killed. Sometimes it appears only after we turn off airplane mode.

Logs

09/05 15:07:58.678: [amf] DEBUG: PDUSessionResourceReleaseCommand (../src/amf/ngap-build.c:1710)
09/05 15:07:58.678: [amf] DEBUG:     RAN_UE_NGAP_ID[1194] AMF_UE_NGAP_ID[3] (../src/amf/ngap-build.c:1746)
09/05 15:07:58.678: [amf] DEBUG:     IP[10.17.4.6] RAN_ID[762] (../src/amf/ngap-path.c:69)
09/05 15:07:58.707: [amf] DEBUG: amf_state_operational(): AMF_EVENT_NGAP_MESSAGE (../src/amf/amf-sm.c:78)
09/05 15:07:58.707: [amf] DEBUG: ngap_state_operational(): AMF_EVENT_NGAP_MESSAGE (../src/amf/ngap-sm.c:55)
09/05 15:07:58.707: [amf] DEBUG: UplinkNASTransport (../src/amf/ngap-handler.c:606)
09/05 15:07:58.707: [amf] DEBUG:     IP[10.17.4.6] RAN_ID[762] (../src/amf/ngap-handler.c:628)
09/05 15:07:58.707: [amf] DEBUG:     RAN_UE_NGAP_ID[1194] AMF_UE_NGAP_ID[3] TAC[1] CellID[0x2fa1] (../src/amf/ngap-handler.c:714)
09/05 15:07:58.708: [amf] DEBUG: amf_state_operational(): AMF_EVENT_5GMM_MESSAGE (../src/amf/amf-sm.c:78)
09/05 15:07:58.708: [sbi] DEBUG: [POST] http://127.0.1.10:7777/nsmf-pdusession/v1/sm-contexts/5/modify (../lib/sbi/client.c:656)
09/05 15:07:58.708: [sbi] DEBUG: SENDING...[573] (../lib/sbi/client.c:432)
09/05 15:07:58.708: [sbi] DEBUG: --=-7XMTSeiJqXFqC2sR1tc8UQ==
09/05 15:07:58.708: [amf] DEBUG: PDUSessionResourceReleaseResponse (../src/amf/ngap-handler.c:2344)
09/05 15:07:58.708: [amf] DEBUG:     IP[10.17.4.6] RAN_ID[762] (../src/amf/ngap-handler.c:2365)
09/05 15:07:58.708: [amf] DEBUG:     RAN_UE_NGAP_ID[1194] AMF_UE_NGAP_ID[3] (../src/amf/ngap-handler.c:2400)
09/05 15:07:58.708: [amf] ERROR: Session Context is not in SMF [1] (../src/amf/ngap-handler.c:2472)
09/05 15:07:58.709: [ngap] DEBUG: Error Indication (../lib/ngap/build.c:36)
09/05 15:07:58.709: [ngap] DEBUG:     AMF_UE_NGAP_ID[3] (../lib/ngap/build.c:61)
09/05 15:07:58.709: [ngap] DEBUG:     RAN_UE_NGAP_ID[1194] (../lib/ngap/build.c:75)
09/05 15:07:58.709: [ngap] DEBUG:     Group[1] Cause[26] (../lib/ngap/build.c:90)
09/05 15:07:58.709: [amf] DEBUG:     IP[10.17.4.6] RAN_ID[762] (../src/amf/ngap-path.c:69)
09/05 15:07:58.709: [sbi] DEBUG: [204:POST] http://127.0.1.10:7777/nsmf-pdusession/v1/sm-contexts/5/modify (../lib/sbi/client.c:603)
09/05 15:07:58.709: [sbi] DEBUG: RECEIVED[0] (../lib/sbi/client.c:614)
09/05 15:07:58.709: [amf] DEBUG: amf_state_operational(): OGS_EVENT_NAME_SBI_CLIENT (../src/amf/amf-sm.c:78)
09/05 15:07:58.709: [amf] INFO: [imsi-999400000007676:1] Receive Update SM context(N1-RELEASED) (../src/amf/nsmf-handler.c:587)
09/05 15:07:58.709: [amf] INFO: [imsi-999400000007676:1:18][1:0:NULL] /nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify (../src/amf/nsmf-handler.c:837)
09/05 15:07:59.744: [amf] DEBUG: amf_state_operational(): OGS_EVENT_NAME_SBI_TIMER (../src/amf/amf-sm.c:78)
09/05 15:07:59.744: [sbi] DEBUG: ogs_sbi_nf_state_registered(): OGS_EVENT_NAME_SBI_TIMER (../lib/sbi/nf-sm.c:204)
09/05 15:07:59.745: [sbi] DEBUG: [PATCH] http://127.0.1.10:7777/nnrf-nfm/v1/nf-instances/8a13bac0-4bec-41ee-911e-c358e18b7ee6 (../lib/sbi/client.c:656)
09/05 15:07:59.745: [sbi] DEBUG: SENDING...[129] (../lib/sbi/client.c:432)
09/05 15:07:59.745: [sbi] DEBUG: [204:PATCH] http://127.0.1.10:7777/nnrf-nfm/v1/nf-instances/8a13bac0-4bec-41ee-911e-c358e18b7ee6 (../lib/sbi/client.c:603)
09/05 15:07:59.746: [sbi] DEBUG: RECEIVED[0] (../lib/sbi/client.c:614)
09/05 15:07:59.746: [amf] DEBUG: amf_state_operational(): OGS_EVENT_NAME_SBI_CLIENT (../src/amf/amf-sm.c:78)
09/05 15:07:59.746: [sbi] DEBUG: ogs_sbi_nf_state_registered(): OGS_EVENT_NAME_SBI_CLIENT (../lib/sbi/nf-sm.c:204)
09/05 15:08:01.972: [amf] DEBUG: amf_state_operational(): AMF_EVENT_NGAP_MESSAGE (../src/amf/amf-sm.c:78)
09/05 15:08:01.973: [amf] DEBUG: ngap_state_operational(): AMF_EVENT_NGAP_MESSAGE (../src/amf/ngap-sm.c:55)
09/05 15:08:01.973: [amf] DEBUG: UplinkNASTransport (../src/amf/ngap-handler.c:606)
09/05 15:08:01.973: [amf] DEBUG:     IP[10.17.4.6] RAN_ID[762] (../src/amf/ngap-handler.c:628)
09/05 15:08:01.973: [amf] DEBUG:     RAN_UE_NGAP_ID[1194] AMF_UE_NGAP_ID[3] TAC[1] CellID[0x2fa1] (../src/amf/ngap-handler.c:714)
09/05 15:08:01.973: [amf] DEBUG: amf_state_operational(): AMF_EVENT_5GMM_MESSAGE (../src/amf/amf-sm.c:78)
09/05 15:08:01.973: [gmm] DEBUG: gmm_state_registered(): AMF_EVENT_5GMM_MESSAGE (../src/amf/gmm-sm.c:523)
09/05 15:08:01.973: [gmm] INFO: [imsi-999400000007676] Deregistration request (../src/amf/gmm-sm.c:1272)
09/05 15:08:01.973: [gmm] DEBUG:     OLD TSC[UE:0,AMF:0] KSI[UE:0,AMF:0] (../src/amf/gmm-handler.c:784)
09/05 15:08:01.973: [gmm] DEBUG:     NEW TSC[UE:0,AMF:0] KSI[UE:0,AMF:0] (../src/amf/gmm-handler.c:791)
09/05 15:08:01.973: [gmm] DEBUG:     Switch-Off (../src/amf/gmm-handler.c:796)
09/05 15:08:01.973: [gmm] INFO: [suci-0-999-40-0000-1-1-615252825a3accb1c8f9a6f7a850626c0398d7ce2336b2b2793a2626ffdea550802fbc23e469edb2d0e652d880]    SUCI (../src/amf/gmm-handler.c:798)
09/05 15:08:01.973: [gmm] DEBUG: gmm_state_registered(): EXIT (../src/amf/gmm-sm.c:523)
09/05 15:08:01.973: [gmm] DEBUG: gmm_state_de_registered(): ENTRY (../src/amf/gmm-sm.c:73)

Thread 2 "open5gs-amfd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff33fa640 (LWP 135288)]
0x00007ffff717179f in unlink_chunk (p=p@entry=0x7fffec01f140, av=0x7fffec000030) at ./malloc/malloc.c:1628
1628    ./malloc/malloc.c: No such file or directory.

Expected behaviour

AMF doesn't crash

Observed Behaviour

AMF crash after UE release request

eNodeB/gNodeB

Nokia ASOE

UE Models and versions

iPhone 13 / Nokia XR20

Ma2tGt added the triage label Sep 5, 2023
Member

acetcom commented Sep 5, 2023

@Ma2tGt

Do you have any experience using GDB? If so, it would be a great help in solving this problem if you could share the crash location using the tool.

If you're not familiar with the tool, I can explain how to use it. Please feel free to let me know.

Thanks a lot!
Sukchan

acetcom added the type:bug and status:more-info-needed labels and removed the triage label Sep 5, 2023
Author

Ma2tGt commented Sep 5, 2023

Hi @acetcom
No, I'm not familiar with GDB. I tried to use it but I only have:

free(): invalid size

Thread 2 open5gs-amfd received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff33fa640 (LWP 135454)]
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737274422848) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.

or

Thread 2 "open5gs-amfd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff33fa640 (LWP 135288)]
0x00007ffff717179f in unlink_chunk (p=p@entry=0x7fffec01f140, av=0x7fffec000030) at ./malloc/malloc.c:1628
1628 ./malloc/malloc.c: No such file or directory.

So yes I'd be glad if you could show me

Thanks
Matthieu

Member

acetcom commented Sep 5, 2023

Hi @Ma2tGt

I hope this is reproducible. Basically, you need to compile and run the source code according to the following document.
https://open5gs.org/open5gs/docs/guide/02-building-open5gs-from-sources/

This can be summarized as follows:

$ git clone https://github.com/open5gs/open5gs
$ cd open5gs
$ meson build --prefix=`pwd`/install
$ ninja -C build install

Then run gdb as follows.

$ gdb ./install/bin/open5gs-amfd     
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./install/bin/open5gs-amfd...
(gdb) 

open5gs-amfd can be executed in gdb with the r command.

(gdb) r
Starting program: /home/acetcom/Documents/git/open5gs/install/bin/open5gs-amfd 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Open5GS daemon v2.6.4-90-g2f8ae91

09/05 23:03:27.150: [app] INFO: Configuration: '/home/acetcom/Documents/git/open5gs/install/etc/open5gs/amf.yaml' (../lib/app/ogs-init.c:126)
09/05 23:03:27.150: [app] INFO: File Logging: '/home/acetcom/Documents/git/open5gs/install/var/log/open5gs/amf.log' (../lib/app/ogs-init.c:129)
09/05 23:03:27.153: [metrics] INFO: metrics_server() [http://127.0.0.5]:9090 (../lib/metrics/prometheus/context.c:299)
09/05 23:03:27.153: [sbi] INFO: NF Service [namf-comm] (../lib/sbi/context.c:1438)
09/05 23:03:27.154: [sbi] INFO: nghttp2_server() [http://127.0.0.5]:7777 (../lib/sbi/nghttp2-server.c:395)
09/05 23:03:27.154: [amf] INFO: ngap_server() [127.0.0.5]:38412 (../src/amf/ngap-sctp.c:61)
[New Thread 0x7ffff33ed640 (LWP 93883)]
09/05 23:03:27.154: [sctp] INFO: AMF initialize...done (../src/amf/app.c:33)
09/05 23:03:27.154: [sbi] WARNING: [7] Failed to connect to 127.0.1.10 port 7777 after 0 ms: Connection refused (../lib/sbi/client.c:626)
09/05 23:03:27.154: [sbi] WARNING: ogs_sbi_client_handler() failed [-1] (../lib/sbi/path.c:59)

If a problem occurs, please backtrace using the bt command and share the results.

(gdb) bt
...
...

Please let me know if you have any other questions.

Thanks a lot!
Sukchan

Author

Ma2tGt commented Sep 5, 2023

Thanks for the details. Here's the result of bt:

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737274422848) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737274422848) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737274422848, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7112476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff70f87f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff71596f6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff72abb8c "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff7170d7c in malloc_printerr (str=str@entry=0x7ffff72ae640 "corrupted size vs. prev_size in fastbins") at ./malloc/malloc.c:5664
#7  0x00007ffff7171a1c in malloc_consolidate (av=av@entry=0x7fffec000030) at ./malloc/malloc.c:4771
#8  0x00007ffff7172f20 in _int_free (av=0x7fffec000030, p=0x7fffec031f70, have_lock=<optimized out>) at ./malloc/malloc.c:4674
#9  0x00007ffff71754d3 in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3391
#10 0x00007ffff72fc2a4 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
#11 0x00007ffff7f7d7a9 in ogs_talloc_free (ptr=0x7fffec031fe0, location=0x7ffff7f95aa3 "../lib/core/ogs-pkbuf.c:292") at ../lib/core/ogs-memory.c:107
#12 0x00007ffff7f7d14a in ogs_pkbuf_free (pkbuf=0x7fffec031fe0) at ../lib/core/ogs-pkbuf.c:292
#13 0x00007ffff7f6798b in ogs_sctp_senddata (sock=0x7fffec01b690, pkbuf=0x7fffec031fe0, addr=0x0) at ../lib/sctp/ogs-sctp.c:73
#14 0x00007ffff7f67e22 in sctp_write_callback (when=2, fd=12, data=0x7ffff437f040) at ../lib/sctp/ogs-sctp.c:110
#15 0x00007ffff7f947db in epoll_process (pollset=0x555555636a00, timeout=5578823) at ../lib/core/ogs-epoll.c:283
#16 0x000055555555e19a in amf_main (data=0x0) at ../src/amf/init.c:118
#17 0x00007ffff7f8097a in thread_worker (arg=0x5555556ebec0) at ../lib/core/ogs-thread.c:67
#18 0x00007ffff7164b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#19 0x00007ffff71f6a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

BR,
Matthieu

Member

acetcom commented Sep 5, 2023

Can you show the output of git log below? I would like to check which version you are using.

$ git log
commit 2aa12449aade5f50ed4710d9ac2eb8e1b96c43b9 (HEAD -> main, origin/main, origin/HEAD)
Author: Sukchan Lee <acetcom@gmail.com>
Date:   Tue Sep 5 22:10:25 2023 +0900

    [NRF] Fixed NRF crash when Custom nfType (#2576)
    
    NF Instance Registration to reproduce crash:
    
    curl -v -X PUT -d '{"nfInstanceId":"0b8a8d59-af80-4fb7-8645-b832fd69d94a","nfType":"CUSTOM_INF","nfStatus":"REGISTERED","ipv4Addresses":["127.0.13.37"]}' --http2-prior-knowledge http://127.0.0.10:7777/nnrf-nfm/v1/nf-instances/0b8a8d59-af80-4fb7-8645-b832fd69d94a

commit 2f8ae91b0b9467f94f128090c88cae91bd73e008
Author: Sukchan Lee <acetcom@gmail.com>
Date:   Tue Sep 5 21:56:53 2023 +0900

    Fixed dynamic-stack-buffer-overflow (#2578, #2577)

commit 78f64aaccb5dfde35c611b8bc1acec11edc79bdf
Author: Gabriel <41166074+gckopper@users.noreply.github.com>
Date:   Mon Sep 4 14:32:53 2023 -0300

    Update open5gs-dbctl
    
    This is now consistent with the webui (check /webui/src/components/Subscriber/Edit.js:175)

...

Author

Ma2tGt commented Sep 5, 2023

~/open5gs$ git log
commit 78f64aaccb5dfde35c611b8bc1acec11edc79bdf (HEAD -> main, origin/main, origin/HEAD)
Author: Gabriel <41166074+gckopper@users.noreply.github.com>
Date:   Mon Sep 4 14:32:53 2023 -0300

    Update open5gs-dbctl

    This is now consistent with the webui (check /webui/src/components/Subscriber/Edit.js:175)

commit 298fed260b3b19c024c96ff6c142ef43e8229005
Author: Sukchan Lee <acetcom@gmail.com>
Date:   Mon Sep 4 07:01:24 2023 +0900

    [UDM] Fixed crash for invalid SUCI (#2571)

    Modifications were made to resolve the following assertion..

    Invalid HNET PKI Value [0] (../lib/sbi/conv.c:135)
    ogs_supi_from_supi_or_suci: Expectation `supi' failed. (../lib/sbi/conv.c:262)
    udm_ue_add: Assertion `udm_ue->supi' failed. (../src/udm/context.c:144)
    backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)

commit d3a10ed0cad6a1e06cc3b8e39ea86807d6ecddec
Author: Sukchan Lee <acetcom@gmail.com>
Date:   Sun Sep 3 20:03:47 2023 +0900

    [WebUI] Update NodeJS installation Guide

commit dcdf821542c3bfbdb68a37bbb314dafce39ba202
Author: Sukchan Lee <acetcom@gmail.com>
Date:   Sun Sep 3 17:56:50 2023 +0900

    [AMF] amf_ue_set_suci: Assertion `suci` (#2567)

    Cannot convert SUCI in `Not implemented SUPI format [4]`

Member

acetcom commented Sep 5, 2023

I'll look at this problem now. This will probably take time.

Thank you so much for sharing this problem.

Sukchan

Author

Ma2tGt commented Sep 5, 2023

Thank you for your help.

BR
Matthieu

Member

acetcom commented Sep 7, 2023

@Ma2tGt

It's currently difficult to determine the root cause of this issue based on the gdb log. Can you turn on the trace level and send me the log file?

You can do this as follows:

$ rm ./install/var/log/open5gs/*.log
$ gdb --args ./install/bin/open5gs-amfd -t
(gdb) run
..
.. if crashed..
(gdb) bt

And send me all log files in ./install/var/log/open5gs/*.log.

Thanks a lot!
Sukchan

Author

Ma2tGt commented Sep 8, 2023

Hi @acetcom,

Here is the gdb log:

munmap_chunk(): invalid pointer

Thread 2 "open5gs-amfd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff33fa640 (LWP 163336)]
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737274422848) at ./nptl/pthread_kill.c:44
44      ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737274422848) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737274422848) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737274422848, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7112476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff70f87f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff71596f6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff72abb8c "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff7170d7c in malloc_printerr (str=str@entry=0x7ffff72ae230 "munmap_chunk(): invalid pointer") at ./malloc/malloc.c:5664
#7  0x00007ffff717105c in munmap_chunk (p=<optimized out>) at ./malloc/malloc.c:3060
#8  0x00007ffff717551a in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3381
#9  0x00007ffff72fc2a4 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
#10 0x00007ffff7f7d7a9 in ogs_talloc_free (ptr=0x7fffec042a40, location=0x7ffff7f987bd "../lib/core/ogs-hash.c:119") at ../lib/core/ogs-memory.c:107
#11 0x00007ffff7f9013f in ogs_hash_destroy (ht=0x7fffec044200) at ../lib/core/ogs-hash.c:119
#12 0x00007ffff7a50427 in ogs_sbi_http_hash_free (hash=0x7fffec044200) at ../lib/sbi/message.c:978
#13 0x00007ffff7a5a6e0 in http_message_free (http=0x7ffff57e7130) at ../lib/sbi/message.c:2647
#14 0x00007ffff7a4cac7 in ogs_sbi_request_free (request=0x7ffff57e70c0) at ../lib/sbi/message.c:258
#15 0x00007ffff7a77ac4 in ogs_sbi_xact_remove (xact=0x7ffff45b86d0) at ../lib/sbi/context.c:1838
#16 0x000055555558d6dd in amf_state_operational (s=0x7ffff33f9bb0, e=0x7fffec0069f0) at ../src/amf/amf-sm.c:394
#17 0x00007ffff7f8fc0c in ogs_fsm_dispatch (fsm=0x7ffff33f9bb0, event=0x7fffec0069f0) at ../lib/core/ogs-fsm.c:127
#18 0x000055555555e2c9 in amf_main (data=0x0) at ../src/amf/init.c:147
#19 0x00007ffff7f8097a in thread_worker (arg=0x5555556ebec0) at ../lib/core/ogs-thread.c:67
#20 0x00007ffff7164b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#21 0x00007ffff71f6a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Here are my log files: DebugCrashAMF.zip

BR,
Matthieu
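
The two backtraces posted so far abort inside glibc's allocator at unrelated free() sites, which is why the crash location alone does not identify the bug. The added example below (not part of the original thread or of Open5GS) parses frames copied from those backtraces and extracts the allocator diagnostic and the first Open5GS function that owned the freed buffer; the `FREE_WRAPPERS` set and the function names are assumptions of this example.

```python
import re

# Frames copied (abridged) from the two backtraces posted in this thread.
BT_SEP5 = r'''
#6  0x00007ffff7170d7c in malloc_printerr (str=str@entry=0x7ffff72ae640 "corrupted size vs. prev_size in fastbins") at ./malloc/malloc.c:5664
#9  0x00007ffff71754d3 in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3391
#10 0x00007ffff72fc2a4 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
#11 0x00007ffff7f7d7a9 in ogs_talloc_free (ptr=0x7fffec031fe0, location=0x7ffff7f95aa3 "../lib/core/ogs-pkbuf.c:292") at ../lib/core/ogs-memory.c:107
#12 0x00007ffff7f7d14a in ogs_pkbuf_free (pkbuf=0x7fffec031fe0) at ../lib/core/ogs-pkbuf.c:292
#13 0x00007ffff7f6798b in ogs_sctp_senddata (sock=0x7fffec01b690, pkbuf=0x7fffec031fe0, addr=0x0) at ../lib/sctp/ogs-sctp.c:73
'''
BT_SEP8 = r'''
#6  0x00007ffff7170d7c in malloc_printerr (str=str@entry=0x7ffff72ae230 "munmap_chunk(): invalid pointer") at ./malloc/malloc.c:5664
#8  0x00007ffff717551a in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3381
#10 0x00007ffff7f7d7a9 in ogs_talloc_free (ptr=0x7fffec042a40, location=0x7ffff7f987bd "../lib/core/ogs-hash.c:119") at ../lib/core/ogs-memory.c:107
#11 0x00007ffff7f9013f in ogs_hash_destroy (ht=0x7fffec044200) at ../lib/core/ogs-hash.c:119
#12 0x00007ffff7a50427 in ogs_sbi_http_hash_free (hash=0x7fffec044200) at ../lib/sbi/message.c:978
'''

# One gdb "bt" frame: index, optional address, function, arguments, then "at file:line" or "from lib".
FRAME_RE = re.compile(
    r'^#(?P<idx>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \((?P<args>.*)\)'
    r'(?: at (?P<src>\S+):(?P<line>\d+)| from (?P<lib>\S+))?$'
)
PROJECT_PREFIXES = ("../lib/", "../src/")  # Open5GS source paths as they appear in the thread
FREE_WRAPPERS = {"ogs_talloc_free"}        # assumption: allocator wrapper, not the buffer's owner


def parse_frames(bt):
    """Return one dict per frame line; lines that are not frames are skipped."""
    frames = []
    for raw in bt.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(m.groupdict())
    return frames


def triage(bt):
    """Extract glibc's heap diagnostic and the Open5GS code that triggered the free()."""
    frames = parse_frames(bt)
    diagnostic = None
    for f in frames:
        if f["func"] == "malloc_printerr":
            quoted = re.search(r'"(.*)"', f["args"])
            diagnostic = quoted.group(1) if quoted else None
            break
    owners = [f for f in frames
              if f["src"] and f["src"].startswith(PROJECT_PREFIXES)
              and f["func"] not in FREE_WRAPPERS]
    site = owners[0] if owners else None
    return {
        "diagnostic": diagnostic,
        "free_site": f'{site["func"]} at {site["src"]}:{site["line"]}' if site else None,
        "caller": owners[1]["func"] if len(owners) > 1 else None,
    }


def corruption_predates_free(reports):
    """True when every crash is an allocator integrity abort but the free sites differ."""
    sites = {r["free_site"] for r in reports}
    return all(r["diagnostic"] for r in reports) and len(sites) > 1


if __name__ == "__main__":
    for name, bt in (("Sep 5", BT_SEP5), ("Sep 8", BT_SEP8)):
        print(name, triage(bt))
    print("corruption predates free():",
          corruption_predates_free([triage(BT_SEP5), triage(BT_SEP8)]))
```

When the free sites differ like this, the corrupting write happened earlier in some other code path; a build with AddressSanitizer (Meson's `-Db_sanitize=address` option) reports the faulting write itself rather than the later free().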

Member

acetcom commented Sep 9, 2023

@Ma2tGt

Looking at the log now, I saw that a crash occurred 2 minutes after starting AMF. If so, I guess the pcap size won't be that big.

Can you reproduce the crash situation in a short period of time and create a Wireshark pcap and share it with me?

If that is possible, I can simulate that situation as is.

Thank you so much for your effort.
Sukchan

Author

Ma2tGt commented Sep 11, 2023

Hi @acetcom,

I have already taken some PCAP traces. I have 2 cases:

1st: debug-TurnOnAirPlaneMode.pcap: AMF crashes when I turn ON airplane mode
2nd: debug-TurnOffAirPlaneMode.pcap: AMF crashes after I turn OFF airplane mode (I turned it on and a few seconds later, I turned it off)

PCAP-Traces-AMFCrash.zip

Thanks
BR,
Matthieu

Member

acetcom commented Sep 11, 2023

@Ma2tGt

All NAS messages are now encrypted. Probably because I set amf like below:

$ diff --git a/configs/open5gs/amf.yaml.in b/configs/open5gs/amf.yaml.in
index b022552db..a73de1040 100644
--- a/configs/open5gs/amf.yaml.in
+++ b/configs/open5gs/amf.yaml.in
@@ -498,7 +498,7 @@ amf:
           - sst: 1
     security:
         integrity_order : [ NIA2, NIA1, NIA0 ]
-        ciphering_order : [ NEA0, NEA1, NEA2 ]
+        ciphering_order : [ NEA1, NEA0, NEA2 ]
     network_name:
         full: Open5GS
     amf_name: open5gs-amf0
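
Review bot: NEA0 is still second on the `+` line (`ciphering_order : [ NEA1, NEA0, NEA2 ]`), so unencrypted NAS stays negotiable for any UE that does not end up on NEA1. If the intent of this setting is that NAS messages are always encrypted, drop NEA0 from the list instead of demoting it, and add a comment next to `ciphering_order` stating that the list is a preference order.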

Are crashes occurring even if the NAS messages are not encrypted? If so, could you please share the pcap that the NAS has unencrypted?

Thanks a lot!
Sukchan

Author

Ma2tGt commented Sep 12, 2023

@acetcom,

You're right. I don't have any crash with this configuration

    security:
      integrity_order : [ NIA2, NIA1, NIA0 ]
      ciphering_order : [ NEA1, NEA0, NEA2 ]

In fact, I had changed this configuration in order to connect the iPhone. Without encryption the iPhone cannot be connected. So I had:

    security:
      # For iphone
      integrity_order : [ NIA3, NIA2, NIA1 ]
      ciphering_order : [ NEA1, NEA2, NEA3 ]

BR,
Matthieu

Member

acetcom commented Sep 12, 2023

@Ma2tGt

I confirmed in the Open5GS simulation environment that changing the NAS security to NIA3 and NEA1 causes a crash.

I'll get back to you once I resolve this issue.

Thank you so much for raising this issue.

Thanks a lot!
Sukchan

Author

Ma2tGt commented Sep 12, 2023

Thank you @acetcom

BR,
Matthieu

Member

acetcom commented Sep 12, 2023

@Ma2tGt

The crash only occurs when the ciphering order starts with NEA1 in the Open5GS simulator, as shown below.

$ diff --git a/configs/open5gs/amf.yaml.in b/configs/open5gs/amf.yaml.in
index b022552db..a73de1040 100644
--- a/configs/open5gs/amf.yaml.in
+++ b/configs/open5gs/amf.yaml.in
@@ -498,7 +498,7 @@ amf:
           - sst: 1
     security:
         integrity_order : [ NIA2, NIA1, NIA0 ]
-        ciphering_order : [ NEA0, NEA1, NEA2 ]
+        ciphering_order : [ NEA1, NEA0, NEA2 ]
     network_name:
         full: Open5GS
     amf_name: open5gs-amf0
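
Review bot: the `+` line should not land in `configs/open5gs/amf.yaml.in`, since that file is the config template and NEA1-first is exactly the ordering reported here to crash the AMF. Keep this as a local reproduction change in a private amf.yaml, and if the template's `ciphering_order` ever has to change, add a comment on that line referencing this issue.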

It works well in NEA0 (No encrypt), NEA2, and NEA3. Can you confirm if this is the case in your environment as well?

In other words, it works well if you set it as below. integrity_order doesn't matter.

  • NEA2
$ diff --git a/configs/open5gs/amf.yaml.in b/configs/open5gs/amf.yaml.in
index b022552db..450353d53 100644
--- a/configs/open5gs/amf.yaml.in
+++ b/configs/open5gs/amf.yaml.in
@@ -498,7 +498,7 @@ amf:
           - sst: 1
     security:
         integrity_order : [ NIA2, NIA1, NIA0 ]
-        ciphering_order : [ NEA0, NEA1, NEA2 ]
+        ciphering_order : [ NEA2, NEA1, NEA0 ]
     network_name:
         full: Open5GS
     amf_name: open5gs-amf0
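
Review bot: NEA1 stays in second place on the `+` line (`[ NEA2, NEA1, NEA0 ]`), so the crashing cipher is only deprioritised, not disabled; a UE that does not end up on NEA2 still falls through to it. As a workaround on a build without the fix, leave NEA1 out of `ciphering_order` entirely.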
  • NEA3
diff --git a/configs/open5gs/amf.yaml.in b/configs/open5gs/amf.yaml.in
index b022552db..05074071c 100644
--- a/configs/open5gs/amf.yaml.in
+++ b/configs/open5gs/amf.yaml.in
@@ -498,7 +498,7 @@ amf:
           - sst: 1
     security:
         integrity_order : [ NIA2, NIA1, NIA0 ]
-        ciphering_order : [ NEA0, NEA1, NEA2 ]
+        ciphering_order : [ NEA3, NEA1, NEA0 ]
     network_name:
         full: Open5GS
     amf_name: open5gs-amf0
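
Review bot: the `+` line drops NEA2 from the list instead of reordering it (`[ NEA0, NEA1, NEA2 ]` becomes `[ NEA3, NEA1, NEA0 ]`), which leaves NEA1 as the only encrypted fallback after NEA3. Keeping NEA2 ahead of NEA1, or replacing NEA1 with NEA2, would keep the fallback on a cipher reported to work in this thread.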

Thank you so much!
Sukchan
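
An added example, not part of the original thread or of Open5GS: a check of `ciphering_order` against the findings in this issue, flagging configurations in which a UE would end up on NEA1 (the crashing path on builds without the fix) or on NEA0 (no NAS encryption). It assumes the AMF picks the first entry of its list that the UE also supports; the UE capability profiles and the `CFG_HARDENED` list are constructed for illustration.

```python
import re

# ciphering_order lists quoted in this thread (other keys omitted).
CFG_DEFAULT = "security:\n    ciphering_order : [ NEA0, NEA1, NEA2 ]\n"
CFG_REPORTER = "security:\n    ciphering_order : [ NEA1, NEA2, NEA3 ]\n"
CFG_NEA2_FIRST = "security:\n    ciphering_order : [ NEA2, NEA1, NEA0 ]\n"
# Constructed for this example: NEA1 and NEA0 removed entirely.
CFG_HARDENED = "security:\n    ciphering_order : [ NEA2, NEA3 ]\n"

# Constructed UE capability sets; real capabilities come from the UE's registration request.
UE_PROFILES = {
    "ue_all": {"NEA0", "NEA1", "NEA2", "NEA3"},
    "ue_without_nea2": {"NEA0", "NEA1", "NEA3"},
}

ORDER_RE = r'^\s*{key}\s*:\s*\[(?P<items>[^\]]*)\]'


def parse_order(yaml_text, key):
    """Return the flow-sequence list configured for `key`, or [] if the key is absent."""
    m = re.search(ORDER_RE.format(key=re.escape(key)), yaml_text, re.MULTILINE)
    if not m:
        return []
    return [item.strip() for item in m.group("items").split(",") if item.strip()]


def select(order, ue_supported):
    """Assumption: the first algorithm in the AMF's order that the UE supports wins."""
    for alg in order:
        if alg in ue_supported:
            return alg
    return None


def audit(yaml_text, ue_profiles):
    """Return (profile, selected algorithm, finding code) for every risky outcome."""
    order = parse_order(yaml_text, "ciphering_order")
    findings = []
    for name, caps in ue_profiles.items():
        alg = select(order, caps)
        if alg is None:
            findings.append((name, None, "NO_COMMON_ALGORITHM"))
        elif alg == "NEA1":
            # SNOW 3G f8 path: crashes the AMF on builds without the fix from this issue.
            findings.append((name, alg, "NEA1_CRASH_PATH"))
        elif alg == "NEA0":
            # NEA0 means NAS messages are sent unencrypted.
            findings.append((name, alg, "NEA0_NO_ENCRYPTION"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", CFG_DEFAULT), ("reporter", CFG_REPORTER),
                       ("NEA2 first", CFG_NEA2_FIRST), ("hardened", CFG_HARDENED)):
        print(label, parse_order(cfg, "ciphering_order"), audit(cfg, UE_PROFILES))
```

The NEA2-first list still produces a finding for the profile without NEA2, which shows that reordering alone does not remove the NEA1 path on an unfixed build.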

acetcom added a commit that referenced this issue Sep 13, 2023
There was a memory problem in the encryption using snow_3g_f8,
so AMF/MME crashed.

To solve this problem, we used the snow-3g encryption library
created as below.

https://github.com/rcatolino/libressl-snow3g

However, it seems that this library cannot be used to create
integrity hash like snow_3g_f8.

So, we decided to keep both snow-3g libraries for the time being.

1. lib/crypt/snow3g* : for INTEGRITY (NIA1, EIA1)
2. lib/crypt/openssl/snow3g* : for ENCRYPTION (NEA1, EEA1)
Member

acetcom commented Sep 13, 2023

@Ma2tGt

I've fixed this issue in the main branch.

Please let me know if you have any other problem.

Thank you so much for your help.
Sukchan

acetcom added the Housekeeping:ToClose label and removed the status:more-info-needed label Sep 13, 2023
Author

Ma2tGt commented Sep 14, 2023

Hi @acetcom,

It works fine with your last commit. Thank you for your help.

BR
Matthieu

@Ma2tGt Ma2tGt closed this as completed Sep 14, 2023