Sukchan Lee
7a9fea8aec
[SBI] Re-factor NF Instance Context ( #3093 )
Fixed not using Reference Count for adding/deleting NF Instances.
Up until now, NF Instances have been managed by referencing the Reference Count.
Initially, when an NF Instance is added, the Reference Count is incremented and
when it is deleted, the Reference Count is decremented.
If a UE discovers another NF Instance through the NF Discovery function,
the Reference Count is incremented. And if a UE de-registers,
the Reference Count of the discovered NF is decremented.
However, there's a problem with this approach.
When another NF is de-registered,
there is no guarantee that it will be 100% notified.
For example, if a UDM is de-registered, but an SCP is de-registered before it,
the AMF will not be notified that the UDM has been de-registered.
In situations where this is not clear, Reference Count cannot be used.
Therefore, we have modified it to not use the Reference Count method.
Also, when a UE connects, it is modified to always search
whether an NF Instance exists by NF Instance ID whenever it is discovered.
To do this, we modified lib/sbi/path.c as shown below.
```diff
@@ -281,13 +281,15 @@ int ogs_sbi_discover_and_send(ogs_sbi_xact_t *xact)
}
/* Target NF-Instance */
- nf_instance = sbi_object->service_type_array[service_type].nf_instance;
+ nf_instance = ogs_sbi_nf_instance_find(
+ sbi_object->service_type_array[service_type].nf_instance_id);
if (!nf_instance) {
nf_instance = ogs_sbi_nf_instance_find_by_discovery_param(
target_nf_type, requester_nf_type, discovery_option);
- if (nf_instance)
- OGS_SBI_SETUP_NF_INSTANCE(
- sbi_object->service_type_array[service_type], nf_instance);
+ if (nf_instance) {
+ OGS_SBI_SETUP_NF_INSTANCE_ID(
+ sbi_object->service_type_array[service_type], nf_instance->id);
+ }
}
```
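Review bot: ogs_sbi_nf_instance_find() is now called with service_type_array[service_type].nf_instance_id on every request, including the first one before any ID has been set up; the visible lines do not show how that field is initialised, so make sure the find tolerates an unset or NULL ID rather than dereferencing it. Also, the pointer the find returns is still used for the remainder of ogs_sbi_discover_and_send(), so the lookup removes the stale-pointer problem between requests, not within one call; a comment stating that the NF instance list is not modified concurrently during the call would document that assumption.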
2024-05-12 10:24:15 +09:00
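The change described in this commit replaces a cached `nf_instance` pointer with an NF Instance ID that is re-resolved on each use, so a deregistration that was never notified leaves the requester with a failed lookup rather than a dangling pointer. The following is an added example, not open5gs code, that shows that pattern with a small in-memory registry; all names (`nf_registry_*`, `service_slot_t`, `slot_resolve`, `demo_*`) and the capacities are hypothetical stand-ins.

```c
/* Added example, not open5gs code: re-resolve an NF instance by its ID at
 * each use instead of caching the pointer, the approach #3093 adopts when a
 * deregistration may never be notified. All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NF_INSTANCES 8
#define NF_ID_LEN 37          /* room for a UUID string plus NUL */

typedef enum { NF_TYPE_NONE = 0, NF_TYPE_UDM, NF_TYPE_SCP } nf_type_t;

typedef struct {
    bool      in_use;
    nf_type_t type;
    char      id[NF_ID_LEN];
} nf_instance_t;

/* Constructed stand-in for the process-wide NF instance list. */
static nf_instance_t registry[MAX_NF_INSTANCES];

void nf_registry_reset(void) { memset(registry, 0, sizeof(registry)); }

/* Register an instance (NRF notification or a local discovery result). */
nf_instance_t *nf_registry_add(const char *id, nf_type_t type)
{
    for (size_t i = 0; i < MAX_NF_INSTANCES; i++) {
        if (registry[i].in_use) continue;
        registry[i].in_use = true;
        registry[i].type = type;
        snprintf(registry[i].id, sizeof(registry[i].id), "%s", id);
        return &registry[i];
    }
    return NULL;                                 /* table full */
}

/* Lookup by NF Instance ID; NULL when unknown, unset, or already deregistered. */
nf_instance_t *nf_registry_find(const char *id)
{
    if (!id || !id[0]) return NULL;              /* slot never set up */
    for (size_t i = 0; i < MAX_NF_INSTANCES; i++)
        if (registry[i].in_use && strcmp(registry[i].id, id) == 0)
            return &registry[i];
    return NULL;
}

/* Deregister. Nothing holding the ID is told: the lost-notification case. */
void nf_registry_remove(const char *id)
{
    nf_instance_t *nf = nf_registry_find(id);
    if (nf) memset(nf, 0, sizeof(*nf));
}

/* First registered instance of the wanted type (discovery stand-in). */
nf_instance_t *nf_registry_find_by_type(nf_type_t type)
{
    for (size_t i = 0; i < MAX_NF_INSTANCES; i++)
        if (registry[i].in_use && registry[i].type == type)
            return &registry[i];
    return NULL;
}

/* Per-service slot on the requester side. Instead of a pointer that can
 * dangle, it keeps only the ID (cf. OGS_SBI_SETUP_NF_INSTANCE_ID). */
typedef struct { char nf_instance_id[NF_ID_LEN]; } service_slot_t;

/* Mirrors the patched flow: find by the stored ID first, otherwise fall
 * back to discovery and record the discovered instance's ID. */
nf_instance_t *slot_resolve(service_slot_t *slot, nf_type_t target)
{
    nf_instance_t *nf = nf_registry_find(slot->nf_instance_id);
    if (!nf) {
        nf = nf_registry_find_by_type(target);
        if (nf)
            snprintf(slot->nf_instance_id, sizeof(slot->nf_instance_id), "%s", nf->id);
    }
    return nf;
}

/* Scenario: UDM discovered, then silently deregistered and replaced. With a
 * cached pointer the slot would still point at the reused record; with an ID
 * it re-discovers. Returns the ID the slot ends up with, "" if none. */
const char *demo_silent_replacement(void)
{
    static service_slot_t slot;
    nf_registry_reset();
    memset(&slot, 0, sizeof(slot));
    nf_registry_add("udm-1", NF_TYPE_UDM);
    slot_resolve(&slot, NF_TYPE_UDM);           /* slot now records udm-1 */
    nf_registry_remove("udm-1");                /* no notification reaches the slot */
    nf_registry_add("udm-2", NF_TYPE_UDM);
    nf_instance_t *nf = slot_resolve(&slot, NF_TYPE_UDM);
    return nf ? nf->id : "";
}

/* Scenario: UDM deregistered with no replacement; resolution must fail
 * cleanly instead of returning the stale record. */
bool demo_gone_resolves_to_null(void)
{
    service_slot_t slot = {{0}};
    nf_registry_reset();
    nf_registry_add("udm-1", NF_TYPE_UDM);
    slot_resolve(&slot, NF_TYPE_UDM);
    nf_registry_remove("udm-1");
    return slot_resolve(&slot, NF_TYPE_UDM) == NULL;
}

int main(void)
{
    printf("after replacement the slot resolves to: %s\n", demo_silent_replacement());
    printf("gone instance resolves to NULL: %s\n", demo_gone_resolves_to_null() ? "yes" : "no");
    return 0;
}
```

The trade-off is an extra lookup per request; in exchange the requester never holds a reference whose validity depends on a notification that the commit message says cannot be guaranteed.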
Sukchan Lee
9d8d560be7
[DOCKER] Change UID from 1000 to 2000
The ubuntu docker image defaults to UID 1000 as the ubuntu username,
so change the UID of the open5gs default user acetcom to 2000.
2024-05-11 16:26:04 +09:00
Sukchan Lee
b57722178a
[SEC] Heap overflow in open5gs-mmed/s1ap ( #3153 )
Assert shall be triggered if the mme_enb_t object is corrupted.
```
$ gdb -q -p `pidof open5gs-mmed`
..
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".
0x0000ffff90deb46c in __GI___sigtimedwait (set=set@entry=0xfffffe63be68, info=info@entry=0xfffffe63bda8, timeout=timeout@entry=0x0) at ../sysdeps/unix/sysv/linux/sigtimedwait.c:61
61 ../sysdeps/unix/sysv/linux/sigtimedwait.c: No such file or directory.
Breakpoint 1 at 0xaaaabef69250: file ../src/mme/s1ap-handler.c, line 199.
[Switching to Thread 0xffff1efdef00 (LWP 20348)]
Thread 38 "open5gs-mmed" hit Breakpoint 1, s1ap_handle_s1_setup_request (enb=0xffff9029b5a0, message=0xffff1efdc498) at ../src/mme/s1ap-handler.c:199
warning: Source file is more recent than executable.
199 if (maximum_number_of_enbs_is_reached()) {
(gdb) p enb.supported_ta_list
$1 = {{plmn_id = {mcc1 = 0 '\000', mcc2 = 0 '\000', mcc3 = 1 '\001', mnc1 = 15 '\017', mnc2 = 0 '\000', mnc3 = 1 '\001'}, tac = 1} <repeats 256 times>}
(gdb) p enb
$2 = (mme_enb_t *) 0xffff9029b5a0
(gdb) p *enb
$3 = {lnode = {prev = 0x0, next = 0x0}, sm = {init = 0xaaaabef66540 <s1ap_state_initial>, fini = 0xaaaabef66640 <s1ap_state_final>, state = 0xaaaabef66730 <s1ap_state_operational>}, enb_id = 1, plmn_id = {
mcc1 = 1 '\001', mcc2 = 2 '\002', mcc3 = 3 '\003', mnc1 = 15 '\017', mnc2 = 4 '\004', mnc3 = 5 '\005'}, sctp = {type = 1, sock = 0xfffedc000bd0, addr = 0xfffedc000e70, poll = {read = 0xffff9032a0f0,
write = 0x0}, write_queue = {prev = 0x0, next = 0x0}}, state = {s1_setup_success = false}, max_num_of_ostreams = 30, ostream_id = 0, num_of_supported_ta_list = 258, supported_ta_list = {{plmn_id = {
mcc1 = 0 '\000', mcc2 = 0 '\000', mcc3 = 1 '\001', mnc1 = 15 '\017', mnc2 = 0 '\000', mnc3 = 1 '\001'}, tac = 1} <repeats 256 times>}, s1_reset_ack = 0x10f100000110f100, enb_ue_list = {prev = 0x1,
next = 0x0}}
pwndbg> vmmap enb
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
Start End Perm Size Offset File
0xffff8edd4000 0xffff8ede4000 ---p 10000 0 [anon_ffff8edd4]
► 0xffff8ede4000 0xffff90650000 rw-p 186c000 0 [anon_ffff8ede4] +0x1517010
0xffff90650000 0xffff90659000 r-xp 9000 0 /usr/lib/aarch64-linux-gnu/libffi.so.8.1.0
```
The value s1_reset_ack = 0x10f100000110f100 shall contain a function pointer, but has been corrupted.
The following patch will abort the process:
```diff
$ diff --git a/src/mme/s1ap-handler.c b/src/mme/s1ap-handler.c
index dff401ded..55a1f7e1b 100644
--- a/src/mme/s1ap-handler.c
+++ b/src/mme/s1ap-handler.c
@@ -178,6 +178,7 @@ void s1ap_handle_s1_setup_request(mme_enb_t *enb, ogs_s1ap_message_t *message)
SupportedTAs_Item->broadcastPLMNs.list.array[j];
ogs_assert(pLMNidentity);
+ ogs_assert(enb->num_of_supported_ta_list < OGS_ARRAY_SIZE(enb->supported_ta_list));
memcpy(&enb->supported_ta_list[enb->num_of_supported_ta_list].tac,
tAC->buf, sizeof(uint16_t));
enb->supported_ta_list[enb->num_of_supported_ta_list].tac =
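Review bot: ogs_assert() here turns the heap overflow into an abort of the whole MME, and the check runs inside s1ap_handle_s1_setup_request() on input from a single eNB, so one malformed S1 Setup Request takes down service for every attached eNB. Prefer rejecting the message and leaving enb untouched over aborting; if the abort is a deliberate stopgap, a comment saying so would help the next reader.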
@@ -310,6 +311,7 @@ void s1ap_handle_enb_configuration_update(
SupportedTAs_Item->broadcastPLMNs.list.array[j];
ogs_assert(pLMNidentity);
+ ogs_assert(enb->num_of_supported_ta_list < OGS_ARRAY_SIZE(enb->supported_ta_list));
memcpy(&enb->supported_ta_list[
enb->num_of_supported_ta_list].tac,
tAC->buf, sizeof(uint16_t));
```
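Review bot: the identical assert is duplicated in s1ap_handle_enb_configuration_update(), with the same denial-of-service trade-off; since eNB Configuration Update can arrive repeatedly over an already established association, responding with a failure is the safer behaviour there too. Moving the capacity check into one shared helper used by both handlers would keep the two paths from diverging again.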
2024-05-01 16:25:33 +09:00
Sukchan Lee
e89aa79efe
[SEC] Stack overflow in open5gs-hssd/s6a ( #3155 )
An assert shall be triggered if a stack corruption occurs.
The vulnerable code path is in src/hss/hss-s6a-path.c:
```c
static int hss_ogs_diam_s6a_air_cb( struct msg **msg, struct avp *avp,
struct session *session, void *opaque, enum disp_action *act)
{
..
ogs_plmn_id_t visited_plmn_id;
..
ret = fd_msg_search_avp(qry, ogs_diam_visited_plmn_id, &avp);
ogs_assert(ret == 0);
ret = fd_msg_avp_hdr(avp, &hdr);
ogs_assert(ret == 0);
memcpy(&visited_plmn_id, hdr->avp_value->os.data, hdr->avp_value->os.len);
```
2024-04-30 22:25:52 +09:00
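Both #3153 (writing supported_ta_list[num_of_supported_ta_list] without comparing the index to the array size) and #3155 (memcpy into visited_plmn_id with a peer-supplied length) are the same class of defect: a bound taken from the message instead of from the receiver's own storage. The following is an added example, not open5gs code, that shows the two checks written so a malformed message is rejected and the existing state is left untouched, rather than overflowing or aborting the process. The types, capacity (`MAX_NUM_OF_TAI`), function names and sample values are hypothetical stand-ins for the S1AP and Diameter structures.

```c
/* Added example, not open5gs code: the two bound checks behind #3153 and
 * #3155, written so a malformed peer message is rejected instead of either
 * overflowing or aborting the process. Types and capacities are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NUM_OF_TAI 16     /* constructed capacity of the fixed TA list */
#define PLMN_ID_LEN    3      /* a PLMN-ID is three octets on the wire */

typedef struct { uint8_t octet[PLMN_ID_LEN]; } plmn_id_t;
typedef struct { plmn_id_t plmn_id; uint16_t tac; } tai_t;

/* Receiver-side context with a fixed-capacity list (cf. mme_enb_t). */
typedef struct {
    int   num_of_supported_ta_list;
    tai_t supported_ta_list[MAX_NUM_OF_TAI];
} enb_ctx_t;

/* A decoded octet-string value: pointer plus peer-supplied length. */
typedef struct { const uint8_t *data; size_t len; } octet_string_t;

/* #3155 pattern: memcpy(&visited_plmn_id, os.data, os.len) trusted os.len.
 * The hardened form accepts only an exact-length value. */
bool plmn_id_from_octets(plmn_id_t *out, const octet_string_t *os)
{
    if (!out || !os || !os->data) return false;
    if (os->len != sizeof(out->octet)) return false;   /* the missing length check */
    memcpy(out->octet, os->data, sizeof(out->octet));
    return true;
}

/* #3153 pattern: the index was never compared to the array size.
 * Check the capacity before the write, not after. */
bool enb_add_supported_tai(enb_ctx_t *enb, const octet_string_t *plmn, uint16_t tac)
{
    if (!enb || enb->num_of_supported_ta_list < 0) return false;
    if ((size_t)enb->num_of_supported_ta_list >= MAX_NUM_OF_TAI) return false;
    tai_t *slot = &enb->supported_ta_list[enb->num_of_supported_ta_list];
    if (!plmn_id_from_octets(&slot->plmn_id, plmn)) return false;
    slot->tac = tac;
    enb->num_of_supported_ta_list++;
    return true;
}

typedef struct { octet_string_t plmn; uint16_t tac; } tai_item_t;

/* Apply a whole Supported-TAs list atomically: decode into scratch state and
 * commit only if every item was in bounds, so a bad message changes nothing. */
bool enb_handle_supported_tas(enb_ctx_t *enb, const tai_item_t *items, size_t n)
{
    enb_ctx_t scratch = {0};
    if (!enb || (n > 0 && !items)) return false;
    for (size_t i = 0; i < n; i++)
        if (!enb_add_supported_tai(&scratch, &items[i].plmn, items[i].tac))
            return false;
    *enb = scratch;
    return true;
}

/* Constructed sample values for a stand-alone run. */
static const uint8_t PLMN_OK[PLMN_ID_LEN]       = { 0x00, 0xF1, 0x10 };
static const uint8_t PLMN_LONG[PLMN_ID_LEN + 1] = { 0x00, 0xF1, 0x10, 0x99 };

/* Feed n well-formed items; returns entries accepted, or -1 if rejected. */
int demo_accept_count(size_t n)
{
    enb_ctx_t enb = {0};
    tai_item_t items[MAX_NUM_OF_TAI + 1];
    if (n > MAX_NUM_OF_TAI + 1) return -1;
    for (size_t i = 0; i < n; i++) {
        items[i].plmn.data = PLMN_OK;
        items[i].plmn.len  = PLMN_ID_LEN;
        items[i].tac       = (uint16_t)(i + 1);
    }
    return enb_handle_supported_tas(&enb, items, n) ? enb.num_of_supported_ta_list : -1;
}

/* An over-long PLMN-ID octet string must be refused, not truncated or copied. */
bool demo_overlong_plmn_rejected(void)
{
    plmn_id_t id;
    octet_string_t os = { PLMN_LONG, sizeof(PLMN_LONG) };
    return !plmn_id_from_octets(&id, &os);
}

/* A rejected update must not clobber the previously accepted list. */
int demo_count_after_rejected_update(void)
{
    enb_ctx_t enb = {0};
    tai_item_t one = { { PLMN_OK, PLMN_ID_LEN }, 1 };
    tai_item_t bad = { { PLMN_LONG, sizeof(PLMN_LONG) }, 2 };
    enb_handle_supported_tas(&enb, &one, 1);
    enb_handle_supported_tas(&enb, &bad, 1);      /* rejected */
    return enb.num_of_supported_ta_list;           /* still 1 */
}

int main(void)
{
    printf("16 items -> %d, 17 items -> %d\n", demo_accept_count(16), demo_accept_count(17));
    printf("over-long PLMN-ID rejected: %d\n", (int)demo_overlong_plmn_rejected());
    return 0;
}
```

Rejecting and keeping the old state is what distinguishes this from the ogs_assert() approach in the commits above: the overflow is prevented either way, but here a single bad message from one peer does not stop the process for every other peer.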
Sukchan Lee
048a74005b
[SEC] Heap overflow in parse PLMN-ID ( #3154 )
An assert shall be triggered if sepp_node is corrupted.
```
pwndbg> p *sepp_node
$5 = {
lnode = {
prev = 0x0,
next = 0xaaaac920c638
},
receiver = 0xaaaac9230990 "sepp2.localdomain",
negotiated_security_scheme = OpenAPI_security_capability_TLS,
target_apiroot_supported = true,
plmn_id = {{
mcc1 = 6 '\006',
mcc2 = 6 '\006',
mcc3 = 6 '\006',
mnc1 = 6 '\006',
mnc2 = 6 '\006',
mnc3 = 6 '\006'
} <repeats 12 times>},
num_of_plmn_id = 6710887,
target_plmn_id_presence = false,
target_plmn_id = {
mcc1 = 0 '\000',
mcc2 = 0 '\000',
mcc3 = 0 '\000',
mnc1 = 0 '\000',
mnc2 = 0 '\000',
mnc3 = 0 '\000'
},
supported_features = 1,
sm = {
init = 0xaaaaada181fc <sepp_handshake_state_initial>,
fini = 0xaaaaada18390 <sepp_handshake_state_final>,
state = 0xaaaaada194b4 <sepp_handshake_state_established>
},
t_establish_interval = 0xffffa7d6c4e0,
client = 0xaaaac91af010,
n32f = {
client = 0xaaaac91af090
}
}
pwndbg> p/x sepp_node.num_of_plmn_id
$6 = 0x666667
```
2024-04-30 22:10:45 +09:00
David Korczynski
f36fede0c8
Add CIFuzz workflow
Add CIFuzz workflow action to have fuzzers build and run on each PR.
This service is offered by OSS-Fuzz where open5gs already runs. CIFuzz can help
catch regressions and fuzzing build issues early, and has a variety of features
(see the URL above). In the current PR the fuzzers get built on a pull request
and will run for 300 seconds.
Signed-off-by: David Korczynski <david@adalogics.com>
2023-07-12 22:34:05 +09:00
Richard
3bf6941cc4
Removing debug for go live.
2023-03-19 22:26:13 +00:00
Richard
9d30dba6c5
Changed time to 13:30GMT
2023-03-19 13:21:42 +00:00
Richard
2624a86b18
Adding stale-issue workflow
Adding stale issue workflow to close and archive old issues. Dry-run first.
2023-03-19 13:19:15 +00:00
Sukchan Lee
969c116e77
[SBI] Crash occurs when ENUM in the MAP ( #2103 )
2023-03-01 17:50:25 +09:00
Sukchan Lee
712d4b50aa
Remove MACOSX in github CI
2023-02-21 16:53:59 +09:00
Richard
2618e3da78
Removed 'bug' from auto-labels on new issue template
2023-02-20 09:32:13 +00:00
Richard
bafb29cd3a
Updated bugreport.yaml
Fixed a typo/hangover from sense-checking
2023-02-18 16:13:12 +00:00
Richard
3e61c5984d
Fixed typos in GitHub templates and bug schemas ( #2080 )
2023-02-17 12:41:00 -10:00
Richard
03791d4844
updated bugreport.yaml template
2023-02-17 21:43:38 +00:00
Richard
4746eaf5a7
Issue housekeeping ( #2078 )
* Added GitHub issue templates and config.yaml for issue templating
* Fixed capitalisation of labels.
2023-02-18 06:08:59 +09:00
Sukchan Lee
0859dd4453
Follow-up on #1865
2022-11-12 09:37:43 +09:00
Sukchan Lee
7231dafbf1
[SBI] Fixed nf_instance memory leak
- Rollback commit ed3444eef5
- Do not modify reference count when REGISTER/DEREGISTER notified from NRF
2022-08-02 09:44:13 +09:00
Sukchan Lee
079bb5c40e
Remove sctp test in MacOSX CI ( #1489 )
2022-04-14 10:31:20 +09:00
Sukchan Lee
35201f6ed1
Fix the MacOSX CI ( #1454 )
2022-03-31 23:06:52 +09:00
Sukchan Lee
24d20bb20b
Update automatic CI ( #1454 )
2022-03-31 22:55:27 +09:00
Sukchan Lee
f2aa15d99f
Added MacOSX to the Running OS for CI ( #1454 )
2022-03-31 21:31:10 +09:00
Sukchan Lee
c76c7d597d
Oops! Rollback Meson Continuous integration
2022-03-31 20:26:58 +09:00
Sukchan Lee
9c4287f467
update it1
2022-03-31 20:24:31 +09:00
Sukchan Lee
2def8bb31b
update it
2022-03-31 19:51:51 +09:00
Sukchan Lee
82241f5b84
Added Meson Continuous Integration ( #1454 )
2022-04-01 02:31:57 +09:00
Sukchan Lee
b67cd1e3e1
Add stale for github issue/PR
2020-09-16 21:09:13 -04:00
Sukchan Lee
00a66cb1da
Update sponsor button
2020-08-19 13:17:22 -04:00
Sukchan Lee
f70b8a2972
Enable Sponsor button
2020-08-14 12:18:25 -04:00