Open5GS SMF Denial-of-Service Vulnerability via Oversized QoS Flow Modification

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the SMF component. The issue arises in the 'smf_n4_build_qos_flow_to_modify_list' function, where the application fails to properly validate the size of 'flowInfos' data before processing it. This flaw allows for remote exploitation, as demonstrated by an incident where a callback with 24 flow information entries caused the SMF process to crash. The vulnerability has been publicly disclosed and is being tracked as issue #4444 on the Open5GS GitHub repository.

Impact

Exploitation of this vulnerability leads to a crash of the SMF process, causing a disruption in service.

Reproduction

The vulnerability can be reproduced by sending a callback to the SMF with an 'sm-policy-notify' update that includes an oversized 'flowInfos' list. This can be done after establishing a PDU session using UERANSIM, by using a crafted payload that exceeds the maximum flow limit allowed by the application.