29 Commits

Author SHA1 Message Date
Sukchan Lee 7a9fea8aec [SBI] Re-factor NF Instance Context (#3093)
Fixed not using Reference Count for adding/deleting NF Instances.

Up until now, NF Instances have been managed by referencing the Reference Count.

Initially, when an NF Instance is added, the Reference Count is incremented and
when it is deleted, the Reference Count is decremented.

If a UE discovers another NF Instance through the NF Discovery function,
the Reference Count is incremented. And if a UE de-registers,
the Reference Count of the discovered NF is decremented.

However, there's a problem with this approach.

When another NF is de-registered,
there is no guarantee that it will be 100% notified.

For example, if a UDM is de-registered, but an SCP is de-registered before it,
the AMF will not be notified that the UDM has been de-registered.

In situations where this is not clear, Reference Count cannot be used.

Therefore, we have modified it to not use the Reference Count method.

Also, when a UE connects, it is modified to always search
whether an NF Instance exists by NF Instance ID whenever it is discovered.

To do this, we modified lib/sbi/path.c as shown below.

```diff
@@ -281,13 +281,15 @@ int ogs_sbi_discover_and_send(ogs_sbi_xact_t *xact)
     }

     /* Target NF-Instance */
-    nf_instance = sbi_object->service_type_array[service_type].nf_instance;
+    nf_instance = ogs_sbi_nf_instance_find(
+            sbi_object->service_type_array[service_type].nf_instance_id);
     if (!nf_instance) {
         nf_instance = ogs_sbi_nf_instance_find_by_discovery_param(
                         target_nf_type, requester_nf_type, discovery_option);
-        if (nf_instance)
-            OGS_SBI_SETUP_NF_INSTANCE(
-                    sbi_object->service_type_array[service_type], nf_instance);
+        if (nf_instance) {
+            OGS_SBI_SETUP_NF_INSTANCE_ID(
+                    sbi_object->service_type_array[service_type], nf_instance->id);
+        }
     }
```
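Review bot: in the "if (nf_instance)" branch, OGS_SBI_SETUP_NF_INSTANCE_ID is handed nf_instance->id, a string owned by the instance. The commit message says an instance can go away without this NF being notified, so the macro should store its own copy of the ID (releasing any previous one) rather than the pointer, and that deserves a comment at the call site. It is also worth documenting that ogs_sbi_nf_instance_find() accepts an nf_instance_id that has not been set yet, since on first use that lookup is the only step before discovery.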
2024-05-12 10:24:15 +09:00
Sukchan Lee 9d8d560be7 [DOCKER] Change UID from 1000 to 2000
The ubuntu docker image defaults to UID 1000 as the ubuntu username,
so change the UID of the open5gs default user acetcom to 2000.
2024-05-11 16:26:04 +09:00
Sukchan Lee b57722178a [SEC] Heap overflow in open5gs-mmed/s1ap (#3153)
Assert shall be triggered if the mme_enb_t object is corrupted.

```
$ gdb -q -p `pidof open5gs-mmed`
..
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".
0x0000ffff90deb46c in __GI___sigtimedwait (set=set@entry=0xfffffe63be68, info=info@entry=0xfffffe63bda8, timeout=timeout@entry=0x0) at ../sysdeps/unix/sysv/linux/sigtimedwait.c:61
61      ../sysdeps/unix/sysv/linux/sigtimedwait.c: No such file or directory.
Breakpoint 1 at 0xaaaabef69250: file ../src/mme/s1ap-handler.c, line 199.
[Switching to Thread 0xffff1efdef00 (LWP 20348)]

Thread 38 "open5gs-mmed" hit Breakpoint 1, s1ap_handle_s1_setup_request (enb=0xffff9029b5a0, message=0xffff1efdc498) at ../src/mme/s1ap-handler.c:199
warning: Source file is more recent than executable.
199         if (maximum_number_of_enbs_is_reached()) {
(gdb) p enb.supported_ta_list
$1 = {{plmn_id = {mcc1 = 0 '\000', mcc2 = 0 '\000', mcc3 = 1 '\001', mnc1 = 15 '\017', mnc2 = 0 '\000', mnc3 = 1 '\001'}, tac = 1} <repeats 256 times>}
(gdb) p enb
$2 = (mme_enb_t *) 0xffff9029b5a0
(gdb) p *enb
$3 = {lnode = {prev = 0x0, next = 0x0}, sm = {init = 0xaaaabef66540 <s1ap_state_initial>, fini = 0xaaaabef66640 <s1ap_state_final>, state = 0xaaaabef66730 <s1ap_state_operational>}, enb_id = 1, plmn_id = {
    mcc1 = 1 '\001', mcc2 = 2 '\002', mcc3 = 3 '\003', mnc1 = 15 '\017', mnc2 = 4 '\004', mnc3 = 5 '\005'}, sctp = {type = 1, sock = 0xfffedc000bd0, addr = 0xfffedc000e70, poll = {read = 0xffff9032a0f0,
      write = 0x0}, write_queue = {prev = 0x0, next = 0x0}}, state = {s1_setup_success = false}, max_num_of_ostreams = 30, ostream_id = 0, num_of_supported_ta_list = 258, supported_ta_list = {{plmn_id = {
        mcc1 = 0 '\000', mcc2 = 0 '\000', mcc3 = 1 '\001', mnc1 = 15 '\017', mnc2 = 0 '\000', mnc3 = 1 '\001'}, tac = 1} <repeats 256 times>}, s1_reset_ack = 0x10f100000110f100, enb_ue_list = {prev = 0x1,
    next = 0x0}}
pwndbg> vmmap enb
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
             Start                End Perm     Size Offset File
    0xffff8edd4000     0xffff8ede4000 ---p    10000      0 [anon_ffff8edd4]
►   0xffff8ede4000     0xffff90650000 rw-p  186c000      0 [anon_ffff8ede4] +0x1517010
    0xffff90650000     0xffff90659000 r-xp     9000      0 /usr/lib/aarch64-linux-gnu/libffi.so.8.1.0
```

The value s1_reset_ack = 0x10f100000110f100 shall contain a function pointer, but has been corrupted.

The following patch will abort the process:

```diff
$ diff --git a/src/mme/s1ap-handler.c b/src/mme/s1ap-handler.c
index dff401ded..55a1f7e1b 100644
--- a/src/mme/s1ap-handler.c
+++ b/src/mme/s1ap-handler.c
@@ -178,6 +178,7 @@ void s1ap_handle_s1_setup_request(mme_enb_t *enb, ogs_s1ap_message_t *message)
                 SupportedTAs_Item->broadcastPLMNs.list.array[j];
             ogs_assert(pLMNidentity);

+           ogs_assert(enb->num_of_supported_ta_list < OGS_ARRAY_SIZE(enb->supported_ta_list));
             memcpy(&enb->supported_ta_list[enb->num_of_supported_ta_list].tac,
                     tAC->buf, sizeof(uint16_t));
             enb->supported_ta_list[enb->num_of_supported_ta_list].tac =
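Review bot: the ogs_assert added before the memcpy in s1ap_handle_s1_setup_request is reached with a count driven by the received message (the gdb session above shows num_of_supported_ta_list = 258 against 256 array entries), so one oversized S1 Setup Request now aborts the whole MME process. Prefer an explicit bounds check that logs, stops filling supported_ta_list and rejects the request, and keep ogs_assert for internal invariants only.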
@@ -310,6 +311,7 @@ void s1ap_handle_enb_configuration_update(
                     SupportedTAs_Item->broadcastPLMNs.list.array[j];
                 ogs_assert(pLMNidentity);

+               ogs_assert(enb->num_of_supported_ta_list < OGS_ARRAY_SIZE(enb->supported_ta_list));
                 memcpy(&enb->supported_ta_list[
                         enb->num_of_supported_ta_list].tac,
                         tAC->buf, sizeof(uint16_t));
```
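Review bot: the assert added in s1ap_handle_enb_configuration_update is a second copy of the check in s1ap_handle_s1_setup_request, and the line is far longer than the wrapped memcpy lines that follow it. Move the bound test into one helper or macro shared by both handlers, so the two paths cannot drift apart, and wrap the line to match the surrounding code.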
2024-05-01 16:25:33 +09:00
Sukchan Lee e89aa79efe [SEC] Stack overflow in open5gs-hssd/s6a (#3155)
An assert shall be triggered if a stack corruption occurs.

The vulnerable code path is in src/hss/hss-s6a-path.c:

```
static int hss_ogs_diam_s6a_air_cb( struct msg **msg, struct avp *avp,
        struct session *session, void *opaque, enum disp_action *act)
{
..
    ogs_plmn_id_t visited_plmn_id;
..
    ret = fd_msg_search_avp(qry, ogs_diam_visited_plmn_id, &avp);
    ogs_assert(ret == 0);
    ret = fd_msg_avp_hdr(avp, &hdr);
    ogs_assert(ret == 0);
    memcpy(&visited_plmn_id, hdr->avp_value->os.data, hdr->avp_value->os.len);
```
2024-04-30 22:25:52 +09:00
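The length check that the memcpy in the commit above lacks, as an added example that is not Open5GS or freeDiameter code: the copy is accepted only when the received length equals the destination size, and a Diameter Result-Code is returned otherwise so the request can be answered instead of aborting. The example_ types and functions are hypothetical stand-ins, and the 3-octet PLMN-ID size is an assumption about the wire size of Visited-PLMN-Id.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result-Code values from RFC 6733. */
#define DIAMETER_SUCCESS            2001
#define DIAMETER_MISSING_AVP        5005
#define DIAMETER_INVALID_AVP_LENGTH 5014

/* Constructed stand-ins; not the Open5GS or freeDiameter types. */
typedef struct { uint8_t octets[3]; } example_plmn_id_t; /* MCC+MNC, assumed 3 octets */
typedef struct { const uint8_t *data; size_t len; } example_octet_string_t;

/* Copy only when the peer-supplied length matches the destination exactly.
 * On failure *out is left untouched and a Result-Code is returned. */
int example_copy_visited_plmn_id(example_plmn_id_t *out,
        const example_octet_string_t *os)
{
    if (os == NULL || os->data == NULL)
        return DIAMETER_MISSING_AVP;
    if (os->len != sizeof(*out))
        return DIAMETER_INVALID_AVP_LENGTH;
    memcpy(out, os->data, sizeof(*out));
    return DIAMETER_SUCCESS;
}

/* Run the check with the destination placed next to a guard field, the way
 * a local variable sits next to other stack data. Returns 1 if the guard
 * survived, 0 if it was overwritten; *result receives the Result-Code. */
int example_guard_intact_after(const uint8_t *data, size_t len, int *result)
{
    struct { example_plmn_id_t plmn; uint8_t guard[8]; } frame;
    example_octet_string_t os = { data, len };
    size_t i;

    memset(frame.guard, 0xA5, sizeof(frame.guard));
    *result = example_copy_visited_plmn_id(&frame.plmn, &os);
    for (i = 0; i < sizeof(frame.guard); i++)
        if (frame.guard[i] != 0xA5)
            return 0;
    return 1;
}

int main(void)
{
    static const uint8_t oversized[64] = { 0 }; /* constructed input */
    int rc = 0;
    int intact = example_guard_intact_after(oversized, sizeof(oversized), &rc);
    return (intact == 1 && rc == DIAMETER_INVALID_AVP_LENGTH) ? 0 : 1;
}
```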
Sukchan Lee 048a74005b [SEC] Heap overflow in parse PLMN-ID (#3154)
An assert shall be triggered if sepp_node is corrupted.

```
pwndbg> p *sepp_node
$5 = {
  lnode = {
    prev = 0x0,
    next = 0xaaaac920c638
  },
  receiver = 0xaaaac9230990 "sepp2.localdomain",
  negotiated_security_scheme = OpenAPI_security_capability_TLS,
  target_apiroot_supported = true,
  plmn_id = {{
      mcc1 = 6 '\006',
      mcc2 = 6 '\006',
      mcc3 = 6 '\006',
      mnc1 = 6 '\006',
      mnc2 = 6 '\006',
      mnc3 = 6 '\006'
    } <repeats 12 times>},
  num_of_plmn_id = 6710887,
  target_plmn_id_presence = false,
  target_plmn_id = {
    mcc1 = 0 '\000',
    mcc2 = 0 '\000',
    mcc3 = 0 '\000',
    mnc1 = 0 '\000',
    mnc2 = 0 '\000',
    mnc3 = 0 '\000'
  },
  supported_features = 1,
  sm = {
    init = 0xaaaaada181fc <sepp_handshake_state_initial>,
    fini = 0xaaaaada18390 <sepp_handshake_state_final>,
    state = 0xaaaaada194b4 <sepp_handshake_state_established>
  },
  t_establish_interval = 0xffffa7d6c4e0,
  client = 0xaaaac91af010,
  n32f = {
    client = 0xaaaac91af090
  }
}
pwndbg> p/x sepp_node.num_of_plmn_id
$6 = 0x666667
```
2024-04-30 22:10:45 +09:00
David Korczynski f36fede0c8 Add CIFuzz workflow
Add CIFuzz workflow action to have fuzzers build and run on each PR.

This service is offered by OSS-Fuzz where open5gs already runs. CIFuzz can help
catch regressions and fuzzing build issues early, and has a variety of features
(see the URL above). In the current PR the fuzzers get built on a pull request
and will run for 300 seconds.

Signed-off-by: David Korczynski <david@adalogics.com>
2023-07-12 22:34:05 +09:00
Richard 3bf6941cc4
Removing debug for go live. 2023-03-19 22:26:13 +00:00
Richard 9d30dba6c5
Changed time to 13:30GMT 2023-03-19 13:21:42 +00:00
Richard 2624a86b18
Adding stale-issue workflow
Adding stale issue workflow to close and archive old issues. Dry-run first.
2023-03-19 13:19:15 +00:00
Sukchan Lee 969c116e77 [SBI] Crash occurs when ENUM in the MAP (#2103) 2023-03-01 17:50:25 +09:00
Sukchan Lee 712d4b50aa Remove MACOSX in github CI 2023-02-21 16:53:59 +09:00
Richard 2618e3da78
Removed 'bug' from auto-labels on new issue template 2023-02-20 09:32:13 +00:00
Richard bafb29cd3a
Updated bugreport.yaml
Fixed a typo/hangover from sense-checking
2023-02-18 16:13:12 +00:00
Richard 3e61c5984d
Fixed typos in GitHub templates and bug schemas (#2080) 2023-02-17 12:41:00 -10:00
Richard 03791d4844
updated bugreport.yaml template 2023-02-17 21:43:38 +00:00
Richard 4746eaf5a7
Issue housekeeping (#2078)
* Added GitHub issue templates and config.yaml for issue templating

* Fixed capitalisation of labels.
2023-02-18 06:08:59 +09:00
Sukchan Lee 0859dd4453 Follow-up on #1865 2022-11-12 09:37:43 +09:00
Sukchan Lee 7231dafbf1 [SBI] Fixed nf_instance memory leak
- Rollback commit ed3444eef5
- Do not modify reference count when REGISTER/DEREGISTER notified from NRF
2022-08-02 09:44:13 +09:00
Sukchan Lee 079bb5c40e Remove sctp test in MacOSX CI (#1489) 2022-04-14 10:31:20 +09:00
Sukchan Lee 35201f6ed1 Fix the MacOSX CI (#1454) 2022-03-31 23:06:52 +09:00
Sukchan Lee 24d20bb20b Update automatic CI (#1454) 2022-03-31 22:55:27 +09:00
Sukchan Lee f2aa15d99f Added MacOSX to the Running OS for CI (#1454) 2022-03-31 21:31:10 +09:00
Sukchan Lee c76c7d597d Oops! Rollback Meson Continuous integration 2022-03-31 20:26:58 +09:00
Sukchan Lee 9c4287f467 update it1 2022-03-31 20:24:31 +09:00
Sukchan Lee 2def8bb31b update it 2022-03-31 19:51:51 +09:00
Sukchan Lee 82241f5b84 Added Meson Continuous Integration (#1454) 2022-04-01 02:31:57 +09:00
Sukchan Lee b67cd1e3e1 Add stale for github issue/PR 2020-09-16 21:09:13 -04:00
Sukchan Lee 00a66cb1da Update sponsor button 2020-08-19 13:17:22 -04:00
Sukchan Lee f70b8a2972
Enable Sponsor button 2020-08-14 12:18:25 -04:00