[Bug]: Stack-Buffer-Overflow in GTP header parsing #2609

Closed
raefko opened this issue Sep 14, 2023 · 2 comments
Labels
Housekeeping:ToClose Issues reviewed and closed. Old requests, issues which are not bug, feature or documentation request type:bug Open5GS bug Type:Security Security issue

Comments


raefko commented Sep 14, 2023

Open5GS Release, Revision, or Tag

Open5GS daemon v2.6.4-94-g05ed95d+

Steps to reproduce

We (https://github.com/FuzzingLabs) found a stack-buffer-overflow in GTP header parsing.

GTP_2023-09-14_11-13-06.zip

Launch testing program:

import os
import socket
from time import sleep

UDP_IP = "172.22.0.8"                    # UPF GTP-U endpoint under test
UDP_PORT = 2152                          # GTP-U
dir_path = "GTP_2023-09-14_11-13-06/"    # unpacked attachment, one <n>.txt per datagram

# Replay the corpus in numeric order so the crashing input is reached deterministically.
file_list = os.listdir(dir_path)
sorted_numbers = []
for filename in file_list:
    sorted_numbers.append(int(filename.replace(".txt", "")))
sorted_numbers.sort()

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
for number in sorted_numbers:
    with open(f"{dir_path}{number}.txt", "rb") as file:
        content = file.read()
        sock.sendto(content, (UDP_IP, UDP_PORT))
        sleep(1 / 1000)                  # 1 ms between datagrams


Logs

```shell
=================================================================
upf_open5gs  | ==24==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f568aaf0113 at pc 0x7f569a4b658d bp 0x7f568aaf0080 sp 0x7f568aaef828
```

Expected behaviour

Not to crash

Observed Behaviour

=================================================================
upf_open5gs  | ==24==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f568aaf0113 at pc 0x7f569a4b658d bp 0x7f568aaf0080 sp 0x7f568aaef828
upf_open5gs  | WRITE of size 92 at 0x7f568aaf0113 thread T1
upf_open5gs  |     #0 0x7f569a4b658c in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
upf_open5gs  |     #1 0x7f569a17f1bf in ogs_gtpu_parse_header ../lib/gtp/util.c:89
upf_open5gs  |     #2 0x55e0d132c259 in _gtpv1_u_recv_cb ../src/upf/gtp-path.c:304
upf_open5gs  |     #3 0x7f569a3c7bd1 in epoll_process ../lib/core/ogs-epoll.c:273
upf_open5gs  |     #4 0x55e0d13186b1 in upf_main ../src/upf/init.c:115
upf_open5gs  |     #5 0x7f569a39d76b in thread_worker ../lib/core/ogs-thread.c:67
upf_open5gs  |     #6 0x7f569a0f0608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8608)
upf_open5gs  |     #7 0x7f5699d50132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
upf_open5gs  | 
upf_open5gs  | Address 0x7f568aaf0113 is located in stack of thread T1 at offset 83 in frame
upf_open5gs  |     #0 0x7f569a17e894 in ogs_gtpu_parse_header ../lib/gtp/util.c:24
upf_open5gs  | 
upf_open5gs  |   This frame has 1 object(s):
upf_open5gs  |     [48, 83) 'ext_hdesc' (line 26) <== Memory access at offset 83 overflows this variable
upf_open5gs  | HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
upf_open5gs  |       (longjmp and C++ exceptions *are* supported)
upf_open5gs  | Thread T1 created by T0 here:
upf_open5gs  |     #0 0x7f569a455815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
upf_open5gs  |     #1 0x7f569a39da2f in ogs_thread_create ../lib/core/ogs-thread.c:96
upf_open5gs  |     #2 0x55e0d13184aa in upf_initialize ../src/upf/init.c:73
upf_open5gs  |     #3 0x55e0d1316ddd in app_initialize ../src/upf/app.c:26
upf_open5gs  |     #4 0x55e0d13180e1 in main ../src/main.c:214
upf_open5gs  |     #5 0x7f5699c55082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
upf_open5gs  | 
upf_open5gs  | SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
upf_open5gs  | Shadow bytes around the buggy address:
upf_open5gs  |   0x0feb51555fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
upf_open5gs  |   0x0feb51555fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
upf_open5gs  |   0x0feb51555ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
upf_open5gs  |   0x0feb51556000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
upf_open5gs  |   0x0feb51556010: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00
upf_open5gs  | =>0x0feb51556020: 00 00[03]f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
upf_open5gs  |   0x0feb51556030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
upf_open5gs  |   0x0feb51556040: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
upf_open5gs  |   0x0feb51556050: 02 f2 00 00 04 f2 f2 f2 f2 f2 00 00 00 00 00 00
upf_open5gs  |   0x0feb51556060: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
upf_open5gs  |   0x0feb51556070: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
upf_open5gs  | Shadow byte legend (one shadow byte represents 8 application bytes):
upf_open5gs  |   Addressable:           00
upf_open5gs  |   Partially addressable: 01 02 03 04 05 06 07 
upf_open5gs  |   Heap left redzone:       fa
upf_open5gs  |   Freed heap region:       fd
upf_open5gs  |   Stack left redzone:      f1
upf_open5gs  |   Stack mid redzone:       f2
upf_open5gs  |   Stack right redzone:     f3
upf_open5gs  |   Stack after return:      f5
upf_open5gs  |   Stack use after scope:   f8
upf_open5gs  |   Global redzone:          f9
upf_open5gs  |   Global init order:       f6
upf_open5gs  |   Poisoned by user:        f7
upf_open5gs  |   Container overflow:      fc
upf_open5gs  |   Array cookie:            ac
upf_open5gs  |   Intra object redzone:    bb
upf_open5gs  |   ASan internal:           fe
upf_open5gs  |   Left alloca redzone:     ca
upf_open5gs  |   Right alloca redzone:    cb
upf_open5gs  |   Shadow gap:              cc
upf_open5gs  | ==24==ABORTING
upf_open5gs exited with code 1

eNodeB/gNodeB

No response

UE Models and versions

No response
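The trace above puts the fault in ogs_gtpu_parse_header (lib/gtp/util.c:89): a 92-byte memcpy() write that begins just past the end of the 35-byte stack object ext_hdesc (by its name, an extension-header descriptor), so a length taken from the packet reached memcpy without being compared against the destination. The following standalone C parser is an added illustration, not Open5GS code and not the fix acetcom committed: it walks the GTP-U extension-header chain of 3GPP TS 29.281 and refuses a header before memcpy when its length would exceed either the remaining datagram or the fixed-size descriptor. The capacities (GTPU_MAX_EXT_HDRS, GTPU_MAX_EXT_LEN), struct and function names, and the sample datagrams are assumptions constructed for this example.

```c
/* Added example (not Open5GS code): bounds-checked GTP-U header parsing that
 * walks the extension-header chain of 3GPP TS 29.281. Capacities, names and
 * the sample datagrams below are assumptions made for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define GTPU_MAX_EXT_HDRS 4   /* assumed: ext-header descriptors we store */
#define GTPU_MAX_EXT_LEN  16  /* assumed: content bytes one descriptor holds */

typedef struct {
    uint8_t type, len;                /* ext header type, content bytes copied */
    uint8_t content[GTPU_MAX_EXT_LEN];
} gtpu_ext_hdr_t;

typedef struct {
    uint8_t  flags, type, npdu;
    uint16_t length, seq;             /* length = bytes after the 8-byte mandatory header */
    uint32_t teid;
    size_t   n_ext, hdr_len;          /* payload starts at buf + hdr_len */
    gtpu_ext_hdr_t ext[GTPU_MAX_EXT_HDRS];
} gtpu_hdr_t;

/* Returns 0 on success, -1 for anything malformed. Every packet-supplied length
 * is checked against the datagram AND the fixed-size destination before memcpy;
 * omitting the second check is what lets a crafted ext header overflow the stack. */
int gtpu_parse_header(const uint8_t *buf, size_t len, gtpu_hdr_t *h)
{
    size_t off;
    uint8_t next;
    memset(h, 0, sizeof(*h));
    if (len < 8) return -1;
    h->flags = buf[0];
    if ((h->flags >> 5) != 1 || !(h->flags & 0x10)) return -1; /* version 1, PT=GTP */
    h->type   = buf[1];
    h->length = (uint16_t)((buf[2] << 8) | buf[3]);
    h->teid   = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    if (h->length > len - 8) return -1;       /* declared length exceeds datagram */
    off = 8;
    if (!(h->flags & 0x07)) { h->hdr_len = off; return 0; } /* no E/S/PN: done */
    if (len < 12) return -1;                  /* optional seq / N-PDU / next-type block */
    h->seq  = (uint16_t)((buf[8] << 8) | buf[9]);
    h->npdu = buf[10];
    next    = (h->flags & 0x04) ? buf[11] : 0; /* ext chain only when E is set */
    off = 12;
    while (next != 0) {
        gtpu_ext_hdr_t *e;
        size_t total, clen;
        if (off >= len) return -1;            /* chain runs off the datagram */
        if (buf[off] == 0) return -1;         /* zero-length ext header is invalid */
        total = (size_t)buf[off] * 4;         /* length octet counts 4-octet units */
        if (total > len - off) return -1;     /* longer than the bytes we actually have */
        clen = total - 2;                     /* minus the length and next-type octets */
        if (h->n_ext >= GTPU_MAX_EXT_HDRS) return -1; /* too many ext headers */
        if (clen > GTPU_MAX_EXT_LEN) return -1;       /* would overflow e->content */
        e = &h->ext[h->n_ext++];
        e->type = next;
        e->len  = (uint8_t)clen;
        memcpy(e->content, buf + off + 1, clen);
        next = buf[off + total - 1];
        off += total;
    }
    h->hdr_len = off;
    return 0;
}

/* Constructed sample: well-formed G-PDU, E set, one PDU Session Container
 * ext header, 2-byte payload. Returns n_ext * 100 + hdr_len for checking. */
int demo_valid(void)
{
    static const uint8_t pkt[] = {
        0x34, 0xff, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x01, /* flags, type, len=10, TEID=1 */
        0x00, 0x01, 0x00, 0x85,                         /* seq=1, N-PDU=0, next=0x85 */
        0x01, 0x00, 0x01, 0x00, 0xde, 0xad };           /* 1 unit: 2 content B, next=0; payload */
    gtpu_hdr_t h;
    if (gtpu_parse_header(pkt, sizeof pkt, &h) != 0) return -1;
    return (int)h.n_ext * 100 + (int)h.hdr_len;
}

/* Constructed sample: ext header claims 6 units = 24 bytes (22 of content). It
 * fits the 36-byte datagram but not the 16-byte descriptor, so it is refused. */
int demo_oversized_ext(void)
{
    static const uint8_t pkt[36] = {
        0x34, 0xff, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x01,
        0x00, 0x01, 0x00, 0x85, 0x06 };                 /* rest zero, incl. next=0 */
    gtpu_hdr_t h;
    return gtpu_parse_header(pkt, sizeof pkt, &h);
}

/* Constructed sample: ext header claims 32 units = 128 bytes in an 18-byte datagram. */
int demo_truncated_ext(void)
{
    static const uint8_t pkt[] = {
        0x34, 0xff, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x01,
        0x00, 0x01, 0x00, 0x85, 0x20, 0x00, 0x01, 0x00, 0xde, 0xad };
    gtpu_hdr_t h;
    return gtpu_parse_header(pkt, sizeof pkt, &h);
}
```

The vulnerable shape this guards against is a memcpy(descriptor, packet, clen) where clen derives from the one-octet extension-header length field and is checked, if at all, only against the datagram size; because that field is a single byte, a dumb fuzzer finds a value that exceeds a small fixed stack buffer within a few hundred mutations, which is consistent with the corpus-replay reproducer above. Checking the count of descriptors as well as the size of each matters because a chain of small, individually valid extension headers overruns an array of descriptors just as surely as one long header overruns a content buffer.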

raefko added the "triage" label (Triage label for new issues and feature requests) Sep 14, 2023
raefko changed the title from "[Bug]:" to "[Bug]: Stack-Buffer-Overflow in GTP message parsing" Sep 14, 2023
raefko changed the title from "[Bug]: Stack-Buffer-Overflow in GTP message parsing" to "[Bug]: Stack-Buffer-Overflow in GTP header parsing" Sep 14, 2023
acetcom (Member) commented Sep 14, 2023

@raefko

I've fixed it in the main branch.

Thanks a lot!
Sukchan

acetcom added the "type:bug" (Open5GS bug), "Type:Security" (Security issue) and "Housekeeping:ToClose" (Issues reviewed and closed. Old requests, issues which are not bug, feature or documentation request) labels and removed the "triage" label Sep 14, 2023

github-actions commented
This issue has been closed automatically due to lack of activity. This has been done to try and reduce the amount of noise. Please do not comment any further. The Open5GS Team may choose to re-open this issue if necessary.
