Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the Session Management Function (SMF) component. The issue arises in the 'smf_nsmf_handle_create_sm_context' function, where the application crashes when a 'SmContextCreateData' request includes a home-routed SMF URI but a non-full Data Network Name (DNN). This flaw allows for remote exploitation, causing the SMF to abort with an assertion failure when it attempts to process the incomplete DNN during session management operations.
Exploitation of this vulnerability leads to a crash of the Session Management Function (SMF) component, causing a denial-of-service condition by disrupting active processes and requiring a manual restart of the SMF service.
The vulnerability can be reproduced by sending a 'SmContextCreateData' request to the '/nsmf-pdusession/v1/sm-contexts' endpoint. The request must include a valid 'hSmfUri' to trigger home-routing mode, a short 'dnn' such as 'internet', and a minimal 'n1SmMsg' payload. After the request is processed, the SMF will crash when it tries to forward the request to the home-routed SMF, due to the missing full DNN.
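A pre-filter for this condition, as an added example (not Open5GS code): it flags a `SmContextCreateData` JSON body that sets `hSmfUri` while `dnn` lacks an Operator Identifier, the combination described above. It can run on an SBI proxy in front of the SMF or over captured request bodies. Assumptions: the JSON part has already been extracted from the multipart request, a "full" DNN follows the 3GPP TS 23.003 form `<network-id>.mnc<MNC>.mcc<MCC>.gprs`, and the function names and sample bodies are constructed for illustration.

```python
import json
import re

# Assumption: a full DNN is "<network-id>.mnc<MNC>.mcc<MCC>.gprs"
# (3GPP TS 23.003 naming, three digits each for MNC and MCC).
_FULL_DNN = re.compile(r"^.+\.mnc\d{3}\.mcc\d{3}\.gprs$", re.IGNORECASE)


def is_full_dnn(dnn):
    """True only for a string DNN that carries the Operator Identifier suffix."""
    return isinstance(dnn, str) and _FULL_DNN.match(dnn) is not None


def check_sm_context_create(body):
    """Return (flagged, reason) for one SmContextCreateData JSON document."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return True, "unparseable JSON"
    if not isinstance(data, dict):
        return True, "not a JSON object"
    if not data.get("hSmfUri"):
        # No home-routed SMF URI: outside the condition in this advisory.
        return False, "not home-routed"
    if is_full_dnn(data.get("dnn")):
        return False, "home-routed with full DNN"
    # Home-routed, but dnn is missing, not a string, or has no Operator Identifier.
    return True, "home-routed with non-full DNN"


# Constructed sample bodies (hypothetical URI, not taken from any real network).
SAMPLES = {
    "short_dnn": '{"hSmfUri": "https://hsmf.example.invalid/nsmf-pdusession/v1", '
                 '"dnn": "internet", "n1SmMsg": {"contentId": "n1"}}',
    "full_dnn": '{"hSmfUri": "https://hsmf.example.invalid/nsmf-pdusession/v1", '
                '"dnn": "internet.mnc001.mcc001.gprs"}',
    "local": '{"dnn": "internet"}',
    "no_dnn": '{"hSmfUri": "https://hsmf.example.invalid/nsmf-pdusession/v1"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_sm_context_create(body))
```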