Open5GS UPF Crash: Invalid SDF Filter Fix

by Alex Johnson

Introduction: The UPF Vulnerability and its Impact

In the realm of 5G and mobile network infrastructure, the User Plane Function (UPF) plays a crucial role. The UPF is responsible for handling data packets, enforcing quality of service (QoS) rules, and providing the user with internet connectivity. However, a critical vulnerability has been identified within Open5GS, a popular open-source 5G core network implementation. The bug lies in the processing of Session Description Filter (SDF) data during the Packet Forwarding Control Protocol (PFCP) session establishment phase. Specifically, the UPF mishandles invalid or incomplete Flow-Description strings within the SDF filter, which can lead to a crash and a denial-of-service (DoS) condition.

Understanding the PFCP and SDF Filters

To understand the vulnerability, it's essential to understand the basics of PFCP and SDF filters. PFCP is a protocol used between the Control Plane (CP) and the UPF to establish and manage data sessions. The CP instructs the UPF on how to handle user traffic. SDF filters are used to identify and classify data packets based on various criteria, such as source/destination IP addresses, ports, and protocols. These filters are essential for applying QoS rules, charging, and other traffic management functions. The Flow-Description string is a key component within an SDF filter, which defines the specific traffic patterns to be matched.

The Vulnerability: Malformed Flow-Descriptions

The vulnerability arises when the UPF encounters an invalid or incomplete Flow-Description string within the SDF filter during a PFCP session establishment. For instance, if the Flow-Description is an empty string or lacks crucial information such as the direction (e.g., 'permit in') and the specific IP addresses and ports, the UPF fails to handle it gracefully. Instead of rejecting the invalid filter or ignoring it, the UPF attempts to process the malformed data, leading to a NULL pointer dereference within the ogs_ipfw_compile_rule() function. The UPF then crashes with a segmentation fault, effectively shutting down the UPF service. The crash can be triggered deliberately to cause a DoS, disrupting network services.

Technical Deep Dive: The Root Cause of the Crash

The ogs_ipfw_compile_rule() Function

The ogs_ipfw_compile_rule() function, part of the Open5GS implementation, is responsible for translating the SDF filter rules into instructions that the underlying network infrastructure can understand and enforce. This typically involves setting up firewall rules or traffic classification mechanisms. The function takes the Flow-Description string as input and parses it to create the appropriate rules. The bug occurs when this function attempts to process an invalid Flow-Description: it tries to access data that is not there, which results in a NULL pointer dereference and a crash.

The NULL Pointer Dereference

A NULL pointer dereference is a classic programming error in which a program tries to access memory through a pointer that does not point to a valid memory location. In the Open5GS UPF, this happens when the ogs_ipfw_compile_rule() function attempts to access data from an invalid Flow-Description, which causes the program to crash. The root cause is the lack of proper validation of the Flow-Description data before it is used. The UPF should validate the information provided by the CP before acting on it, and this validation is not being done correctly.
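The missing check described above is a syntactic validation of the Flow-Description string before it is handed to the rule compiler. The following is an added example written for this article, not Open5GS code: fd_validate() walks the IPFilterRule-style grammar ("action direction proto from src [ports] to dst [ports]") and returns a named error instead of reading past the end of a truncated string, and upf_install_sdf_filter() shows the validate-then-compile calling pattern. The enum values, function names and FD_MAX_* limits are assumptions chosen for the example; IPFilterRule options such as "frag" are not modelled and are rejected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator for the Flow-Description string of an SDF Filter IE.
 * Added example, not Open5GS code: it models the check a UPF should perform
 * before the string reaches its rule compiler. Grammar covered (IPFilterRule):
 *   action dir proto from src [ports] to dst [ports]
 * IPFilterRule options (e.g. "frag") are not modelled and are rejected. */

/* Each error names the first grammar element that was missing or malformed. */
enum fd_status {
    FD_OK = 0, FD_ERR_NULL = -1, FD_ERR_EMPTY = -2, FD_ERR_ACTION = -3,
    FD_ERR_DIRECTION = -4, FD_ERR_PROTO = -5, FD_ERR_FROM = -6, FD_ERR_SRC = -7,
    FD_ERR_TO = -8, FD_ERR_DST = -9, FD_ERR_TRAILING = -10
};

#define FD_MAX_LEN 256   /* assumed upper bound for a Flow-Description */
#define FD_MAX_TOK 16    /* assumed upper bound on whitespace-separated tokens */

/* Copy fd into buf and split it on whitespace. Returns the token count, or -1
 * when the string is too long or has too many tokens (both are invalid). */
static int fd_tokenize(const char *fd, char *buf, size_t buflen, char **tok, int maxtok)
{
    size_t len = strlen(fd);
    int n = 0;
    char *p;

    if (len >= buflen) return -1;
    memcpy(buf, fd, len + 1);
    for (p = buf; *p;) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        if (n == maxtok) return -1;
        tok[n++] = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if (*p) *p++ = '\0';
    }
    return n;
}

/* True when s is non-empty and every character satisfies ok(). */
static int fd_all(const char *s, int (*ok)(int))
{
    if (!*s) return 0;
    for (; *s; s++)
        if (!ok((unsigned char)*s)) return 0;
    return 1;
}

static int is_digit(int c) { return isdigit(c); }
static int is_addr_char(int c) { return isxdigit(c) || c == '.' || c == ':' || c == '/'; }
static int is_port_char(int c) { return isdigit(c) || c == '-' || c == ','; }

/* "any", "assigned", or something shaped like an IPv4/IPv6 literal with an
 * optional /prefix. Syntactic only; production code would also inet_pton() it. */
static int fd_is_address(const char *s)
{
    if (strcmp(s, "any") == 0 || strcmp(s, "assigned") == 0) return 1;
    return fd_all(s, is_addr_char) && (strchr(s, '.') || strchr(s, ':'));
}

/* Returns FD_OK or the first fd_status error found, walking the grammar left
 * to right. Every tok[i] access is guarded by an i < n check, so a string that
 * stops early (e.g. "permit in") is reported as an error, not dereferenced. */
int fd_validate(const char *fd)
{
    char buf[FD_MAX_LEN];
    char *tok[FD_MAX_TOK];
    int n, i = 0;

    if (fd == NULL) return FD_ERR_NULL;
    n = fd_tokenize(fd, buf, sizeof buf, tok, FD_MAX_TOK);
    if (n <= 0) return FD_ERR_EMPTY;
    if (strcmp(tok[i], "permit") != 0 && strcmp(tok[i], "deny") != 0) return FD_ERR_ACTION;
    if (++i >= n || (strcmp(tok[i], "in") != 0 && strcmp(tok[i], "out") != 0)) return FD_ERR_DIRECTION;
    if (++i >= n || (strcmp(tok[i], "ip") != 0 && !fd_all(tok[i], is_digit))) return FD_ERR_PROTO;
    if (++i >= n || strcmp(tok[i], "from") != 0) return FD_ERR_FROM;
    if (++i >= n || !fd_is_address(tok[i])) return FD_ERR_SRC;
    if (++i < n && fd_all(tok[i], is_port_char)) i++;   /* optional source ports */
    if (i >= n || strcmp(tok[i], "to") != 0) return FD_ERR_TO;
    if (++i >= n || !fd_is_address(tok[i])) return FD_ERR_DST;
    if (++i < n && fd_all(tok[i], is_port_char)) i++;   /* optional destination ports */
    return i == n ? FD_OK : FD_ERR_TRAILING;
}

/* Caller pattern the crash calls for: validate first, compile second. Returns
 * 0 when the filter was accepted, or the fd_validate() error code when the
 * PDR should be rejected without ever invoking the rule compiler. */
int upf_install_sdf_filter(const char *fd)
{
    int rc = fd_validate(fd);
    if (rc != FD_OK) {
        fprintf(stderr, "rejecting SDF filter (code %d): \"%s\"\n", rc, fd ? fd : "(null)");
        return rc;
    }
    /* Hand the well-formed string to the rule compiler here (not modelled). */
    return 0;
}
```

With this in place an empty string returns FD_ERR_EMPTY and the truncated "permit in" from the text returns FD_ERR_PROTO, so the session establishment can be answered with a rejection for that PDR while the UPF keeps serving other sessions. The design point is that every read of a token is preceded by a bounds check, which is exactly the guard the crash shows to be missing.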

Steps to Reproduce the Vulnerability

The vulnerability can be triggered by sending a PFCP Session Establishment Request containing a Create PDR (Packet Detection Rule) with an incomplete or malformed SDF filter. The following are the steps to reproduce:

  1. Craft a Malicious Packet: A malicious actor constructs a PFCP Session Establishment Request. Inside the request, a Create PDR is included, and this PDR contains a PDI (Packet Detection Information) with an SDF filter. The SDF filter has the FD (Flow Description) flag set, indicating that a Flow-Description is present. However, the Flow-Description itself is either empty or incomplete (e.g.,