Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in the PCF component of Open5GS versions through 2.7.7. The issue is in the 'pcf_sess_set_ipv6prefix' function, located in '/src/pcf/context.c'. When the 'SmPolicyContextData.ipv6AddressPrefix' argument is set to a syntactically valid prefix whose length is not '/128', an assertion fails and the process crashes. The vulnerability can be exploited remotely and terminates the PCF process.
Exploiting this vulnerability causes the PCF process to crash, disrupting service and requiring a manual restart of the application.
The vulnerability can be reproduced by sending a POST request to the '/npcf-smpolicycontrol/v1/sm-policies' endpoint with an 'ipv6AddressPrefix' value that is valid but not '/128', such as '/64'. This request will cause the PCF to crash by violating an assertion that expects the prefix length to be exactly '/128'.
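The defensive counterpart to the crash described above, as an added example that is not Open5GS code: request-supplied prefixes are validated on a path that returns an error the caller can turn into an HTTP 4xx reply, instead of being checked with an assertion. The function name, the status enum and the sample addresses are hypothetical.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes; not Open5GS identifiers. */
enum prefix_status { PREFIX_OK = 0, PREFIX_MALFORMED, PREFIX_UNSUPPORTED_LEN };

/* Validate an "addr/len" string taken from an untrusted request body.
 * required_len is the only prefix length the later session code supports
 * (128 in the advisory's description). Every failure is a return value;
 * nothing here asserts on attacker-controlled input. */
enum prefix_status check_ipv6_prefix(const char *text, int required_len,
                                     struct in6_addr *out)
{
    char buf[INET6_ADDRSTRLEN + 5];   /* address + "/128" + NUL */
    char *slash, *end;
    long len;

    if (text == NULL || strlen(text) >= sizeof(buf))
        return PREFIX_MALFORMED;
    strcpy(buf, text);                /* length checked above */
    slash = strchr(buf, '/');
    if (slash == NULL || !isdigit((unsigned char)slash[1]))
        return PREFIX_MALFORMED;
    *slash = '\0';                    /* split address from length */
    errno = 0;
    len = strtol(slash + 1, &end, 10);
    if (errno != 0 || *end != '\0' || len < 0 || len > 128)
        return PREFIX_MALFORMED;
    if (inet_pton(AF_INET6, buf, out) != 1)
        return PREFIX_MALFORMED;
    /* Syntactically valid but unsupported: reject the request, keep running. */
    if (len != required_len)
        return PREFIX_UNSUPPORTED_LEN;
    return PREFIX_OK;
}

int main(void)
{
    struct in6_addr a;
    /* Constructed sample values from the 2001:db8::/32 documentation range. */
    printf("/128 -> %d\n", check_ipv6_prefix("2001:db8::1/128", 128, &a));
    printf("/64  -> %d\n", check_ipv6_prefix("2001:db8::/64", 128, &a));
    return 0;
}
```

Separating "malformed" from "valid but unsupported length" lets the caller log the second case distinctly, which is the input class the advisory describes.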