Low severity3.3NVD Advisory· Published Jan 1, 2026· Updated Apr 29, 2026
CVE-2025-15417
CVE-2025-15417
Description
A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue.
Affected products
1Patches
1465273d13ba5sgwc: avoid crash on malformed GTPv2-C F-TEID and reject gracefully
1 file changed · +167 −130
src/sgwc/s11-handler.c+167 −130 modified@@ -167,7 +167,7 @@ void sgwc_s11_handle_create_session_request( sgwc_ue_t *sgwc_ue, ogs_gtp_xact_t *s11_xact, ogs_pkbuf_t *gtpbuf, ogs_gtp2_message_t *message) { - int i; + int rv, i; uint8_t cause_value = 0; sgwc_sess_t *sess = NULL; @@ -200,12 +200,8 @@ void sgwc_s11_handle_create_session_request( cause_value = OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND; } - if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) { - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_SESSION_RESPONSE_TYPE, cause_value); - return; - } + if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) + goto cleanup; /***************************************** * Check Mandatory/Conditional IE Missing @@ -247,12 +243,8 @@ void sgwc_s11_handle_create_session_request( cause_value = OGS_GTP2_CAUSE_CONDITIONAL_IE_MISSING; } - if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) { - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_SESSION_RESPONSE_TYPE, cause_value); - return; - } + if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) + goto cleanup; /* Add Session */ sess = sgwc_sess_find_by_ebi(sgwc_ue, @@ -294,21 +286,15 @@ void sgwc_s11_handle_create_session_request( if (!sess->pfcp_node) { ogs_error("[%s:%s] No SGWU available for session", sgwc_ue->imsi_bcd, sess->session.name); - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_SESSION_RESPONSE_TYPE, - OGS_GTP2_CAUSE_SYSTEM_FAILURE); - return; + cause_value = OGS_GTP2_CAUSE_SYSTEM_FAILURE; + goto cleanup; } /* Check if selected SGW-U is associated with SGW-C */ ogs_assert(sess->pfcp_node); if (!OGS_FSM_CHECK(&sess->pfcp_node->sm, sgwc_pfcp_state_associated)) { - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_SESSION_RESPONSE_TYPE, - OGS_GTP2_CAUSE_REMOTE_PEER_NOT_RESPONDING); - return; + cause_value = OGS_GTP2_CAUSE_REMOTE_PEER_NOT_RESPONDING; + goto cleanup; } /* Remove all previous bearer */ @@ -353,17 +339,26 @@ void sgwc_s11_handle_create_session_request( s1_u_enodeb_f_teid.data; dl_tunnel->remote_teid = be32toh(enb_s1u_teid->teid); - ogs_assert(OGS_OK == - ogs_gtp2_f_teid_to_ip(enb_s1u_teid, &dl_tunnel->remote_ip)); + rv = ogs_gtp2_f_teid_to_ip(enb_s1u_teid, &dl_tunnel->remote_ip); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in eNB-S1U(DL)"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } far = dl_tunnel->far; ogs_assert(far); far->apply_action = OGS_PFCP_APPLY_ACTION_FORW; - ogs_assert(OGS_OK == ogs_pfcp_ip_to_outer_header_creation( + rv = ogs_pfcp_ip_to_outer_header_creation( &dl_tunnel->remote_ip, &far->outer_header_creation, - &far->outer_header_creation_len)); + &far->outer_header_creation_len); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in DL-Tunnel"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } far->outer_header_creation.teid = dl_tunnel->remote_teid; } @@ -381,17 +376,26 @@ void sgwc_s11_handle_create_session_request( s5_s8_u_sgw_f_teid.data; ul_tunnel->remote_teid = be32toh(pgw_s5u_teid->teid); - ogs_assert(OGS_OK == - ogs_gtp2_f_teid_to_ip(pgw_s5u_teid, &ul_tunnel->remote_ip)); + rv = ogs_gtp2_f_teid_to_ip(pgw_s5u_teid, &ul_tunnel->remote_ip); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in PGW-S5U(UL)"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } far = ul_tunnel->far; ogs_assert(far); far->apply_action = OGS_PFCP_APPLY_ACTION_FORW; - ogs_assert(OGS_OK == ogs_pfcp_ip_to_outer_header_creation( + rv = ogs_pfcp_ip_to_outer_header_creation( &ul_tunnel->remote_ip, &far->outer_header_creation, - &far->outer_header_creation_len)); + &far->outer_header_creation_len); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in UL-Tunnel"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } far->outer_header_creation.teid = ul_tunnel->remote_teid; } @@ -422,13 +426,25 @@ void sgwc_s11_handle_create_session_request( ogs_assert(OGS_OK == sgwc_pfcp_send_session_establishment_request( sess, s11_xact->id, gtpbuf, 0)); + + return; + +cleanup: + ogs_assert(cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED); + if (sess) + sgwc_sess_remove(sess); + + ogs_gtp_send_error_message( + s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, + OGS_GTP2_CREATE_SESSION_RESPONSE_TYPE, + cause_value); } void sgwc_s11_handle_modify_bearer_request( sgwc_ue_t *sgwc_ue, ogs_gtp_xact_t *s11_xact, ogs_pkbuf_t *gtpbuf, ogs_gtp2_message_t *message) { - int i = 0; + int rv, i = 0; uint16_t decoded; uint8_t cause_value = 0; @@ -465,12 +481,8 @@ void sgwc_s11_handle_modify_bearer_request( cause_value = OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND; } - if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) { - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_MODIFY_BEARER_RESPONSE_TYPE, cause_value); - return; - } + if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) + goto cleanup; /***************************************** * Check Mandatory/Conditional IE Missing @@ -547,7 +559,12 @@ void sgwc_s11_handle_modify_bearer_request( req->bearer_contexts_to_be_modified[i].s1_u_enodeb_f_teid.data; dl_tunnel->remote_teid = be32toh(enb_s1u_teid->teid); - ogs_assert(OGS_OK == ogs_gtp2_f_teid_to_ip(enb_s1u_teid, &remote_ip)); + rv = ogs_gtp2_f_teid_to_ip(enb_s1u_teid, &remote_ip); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in eNB-S1U(DL)"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } memset(&zero_ip, 0, sizeof(ogs_ip_t)); @@ -578,9 +595,13 @@ void sgwc_s11_handle_modify_bearer_request( far->apply_action = OGS_PFCP_APPLY_ACTION_FORW; - ogs_assert(OGS_OK == - ogs_pfcp_ip_to_outer_header_creation(&dl_tunnel->remote_ip, - &far->outer_header_creation, &far->outer_header_creation_len)); + rv = ogs_pfcp_ip_to_outer_header_creation(&dl_tunnel->remote_ip, + &far->outer_header_creation, &far->outer_header_creation_len); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in DL-Tunnel"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } far->outer_header_creation.teid = dl_tunnel->remote_teid; ogs_info(" sess_id=%d current_xact=%p flags=0x%llx, bearer[EBI=%d]", @@ -593,10 +614,7 @@ void sgwc_s11_handle_modify_bearer_request( if (i == 0) { ogs_error("No Bearer"); - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_MODIFY_BEARER_RESPONSE_TYPE, cause_value); - return; + goto cleanup; } if (req->user_location_information.presence == 1) { @@ -641,6 +659,15 @@ void sgwc_s11_handle_modify_bearer_request( sgwc_pfcp_send_bearer_to_modify_list(sess, pfcp_xact); } } + + return; + +cleanup: + ogs_assert(cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED); + + ogs_gtp_send_error_message( + s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, + OGS_GTP2_MODIFY_BEARER_RESPONSE_TYPE, cause_value); } void sgwc_s11_handle_delete_session_request( @@ -686,12 +713,8 @@ void sgwc_s11_handle_delete_session_request( } } - if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) { - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_DELETE_SESSION_RESPONSE_TYPE, cause_value); - return; - } + if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) + goto cleanup; /***************************************** * Check Mandatory/Conditional IE Missing @@ -707,11 +730,8 @@ void sgwc_s11_handle_delete_session_request( indication->operation_indication == 1 && indication->scope_indication == 1) { ogs_error("Invalid Indication"); - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_DELETE_SESSION_RESPONSE_TYPE, - OGS_GTP2_CAUSE_INVALID_MESSAGE_FORMAT); - return; + cause_value = OGS_GTP2_CAUSE_INVALID_MESSAGE_FORMAT; + goto cleanup; } /******************** @@ -757,6 +777,16 @@ void sgwc_s11_handle_delete_session_request( rv = ogs_gtp_xact_commit(s5c_xact); ogs_expect(rv == OGS_OK); } + + return; + +cleanup: + ogs_assert(cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED); + + ogs_gtp_send_error_message( + s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, + OGS_GTP2_DELETE_SESSION_RESPONSE_TYPE, + cause_value); } void sgwc_s11_handle_create_bearer_response( @@ -873,9 +903,7 @@ void sgwc_s11_handle_create_bearer_response( bearer, OGS_INVALID_POOL_ID, NULL, OGS_PFCP_MODIFY_UL_ONLY|OGS_PFCP_MODIFY_REMOVE)); } - ogs_gtp_send_error_message(s5c_xact, sess ? sess->pgw_s5c_teid : 0, - OGS_GTP2_CREATE_BEARER_RESPONSE_TYPE, cause_value); - return; + goto cleanup; } /******************** @@ -893,9 +921,7 @@ void sgwc_s11_handle_create_bearer_response( sgwc_pfcp_send_bearer_modification_request( bearer, OGS_INVALID_POOL_ID, NULL, OGS_PFCP_MODIFY_UL_ONLY|OGS_PFCP_MODIFY_REMOVE)); - ogs_gtp_send_error_message(s5c_xact, sess ? sess->pgw_s5c_teid : 0, - OGS_GTP2_CREATE_BEARER_RESPONSE_TYPE, cause_value); - return; + goto cleanup; } /******************** @@ -914,19 +940,15 @@ void sgwc_s11_handle_create_bearer_response( if (!ul_tunnel) { ogs_error("No UL-tunnel [EBI:%d, TEID:0x%x]", bearer->ebi, be32toh(sgw_s1u_teid->teid)); - ogs_gtp_send_error_message(s5c_xact, sess ? sess->pgw_s5c_teid : 0, - OGS_GTP2_CREATE_BEARER_RESPONSE_TYPE, - OGS_GTP2_CAUSE_GRE_KEY_NOT_FOUND); - return; + cause_value = OGS_GTP2_CAUSE_GRE_KEY_NOT_FOUND; + goto cleanup; } dl_tunnel = sgwc_dl_tunnel_in_bearer(bearer); if (!dl_tunnel) { ogs_error("No DL-tunnel [EBI:%d, TEID:0x%x]", bearer->ebi, be32toh(sgw_s1u_teid->teid)); - ogs_gtp_send_error_message(s5c_xact, sess ? sess->pgw_s5c_teid : 0, - OGS_GTP2_CREATE_BEARER_RESPONSE_TYPE, - OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND); - return; + cause_value = OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND; + goto cleanup; } /* Set EBI */ @@ -939,8 +961,12 @@ void sgwc_s11_handle_create_bearer_response( ogs_info(" ENB_S1U_TEID[%d] SGW_S1U_TEID[%d]", dl_tunnel->remote_teid, dl_tunnel->local_teid); - ogs_assert(OGS_OK == - ogs_gtp2_f_teid_to_ip(enb_s1u_teid, &dl_tunnel->remote_ip)); + rv = ogs_gtp2_f_teid_to_ip(enb_s1u_teid, &dl_tunnel->remote_ip); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in eNB-S1U"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } pdr = dl_tunnel->pdr; ogs_assert(pdr); @@ -954,9 +980,13 @@ void sgwc_s11_handle_create_bearer_response( far->apply_action = OGS_PFCP_APPLY_ACTION_FORW; - ogs_assert(OGS_OK == - ogs_pfcp_ip_to_outer_header_creation(&dl_tunnel->remote_ip, - &far->outer_header_creation, &far->outer_header_creation_len)); + rv = ogs_pfcp_ip_to_outer_header_creation(&dl_tunnel->remote_ip, + &far->outer_header_creation, &far->outer_header_creation_len); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in DL-Tunnel"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } far->outer_header_creation.teid = dl_tunnel->remote_teid; if (rsp->user_location_information.presence == 1) { @@ -984,6 +1014,15 @@ void sgwc_s11_handle_create_bearer_response( sgwc_pfcp_send_bearer_modification_request( bearer, s5c_xact->id, gtpbuf, OGS_PFCP_MODIFY_DL_ONLY|OGS_PFCP_MODIFY_CREATE)); + + return; + +cleanup: + ogs_assert(cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED); + + ogs_gtp_send_error_message(s5c_xact, sess ? sess->pgw_s5c_teid : 0, + OGS_GTP2_CREATE_BEARER_RESPONSE_TYPE, + cause_value); } void sgwc_s11_handle_update_bearer_response( @@ -1062,11 +1101,8 @@ void sgwc_s11_handle_update_bearer_response( cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_MISSING; } - if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) { - ogs_gtp_send_error_message(s5c_xact, sess ? sess->pgw_s5c_teid : 0, - OGS_GTP2_UPDATE_BEARER_RESPONSE_TYPE, cause_value); - return; - } + if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) + goto cleanup; /******************** * Check Cause Value @@ -1078,19 +1114,15 @@ void sgwc_s11_handle_update_bearer_response( cause_value = cause->value; if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) { ogs_error("GTP Bearer Cause [VALUE:%d]", cause_value); - ogs_gtp_send_error_message(s5c_xact, sess ? sess->pgw_s5c_teid : 0, - OGS_GTP2_UPDATE_BEARER_RESPONSE_TYPE, cause_value); - return; + goto cleanup; } cause = rsp->cause.data; ogs_assert(cause); cause_value = cause->value; if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) { ogs_error("GTP Cause [Value:%d]", cause_value); - ogs_gtp_send_error_message(s5c_xact, sess ? sess->pgw_s5c_teid : 0, - OGS_GTP2_UPDATE_BEARER_RESPONSE_TYPE, cause_value); - return; + goto cleanup; } /******************** @@ -1121,6 +1153,14 @@ void sgwc_s11_handle_update_bearer_response( rv = ogs_gtp_xact_commit(s5c_xact); ogs_expect(rv == OGS_OK); + + return; + +cleanup: + ogs_assert(cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED); + + ogs_gtp_send_error_message(s5c_xact, sess ? sess->pgw_s5c_teid : 0, + OGS_GTP2_UPDATE_BEARER_RESPONSE_TYPE, cause_value); } void sgwc_s11_handle_delete_bearer_response( @@ -1415,13 +1455,8 @@ void sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request( cause_value = OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND; } - if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) { - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE, - cause_value); - return; - } + if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED) + goto cleanup; /******************** * Check ALL Context @@ -1434,23 +1469,17 @@ void sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request( for (i = 0; req->bearer_contexts[i].presence; i++) { if (req->bearer_contexts[i].eps_bearer_id.presence == 0) { ogs_error("No EBI"); - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE, - OGS_GTP2_CAUSE_MANDATORY_IE_MISSING); - return; + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_MISSING; + goto cleanup; } bearer = sgwc_bearer_find_by_ue_ebi(sgwc_ue, req->bearer_contexts[i].eps_bearer_id.u8); if (!bearer) { ogs_error("No Bearer Context [%d]", req->bearer_contexts[i].eps_bearer_id.u8); - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE, - OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND); - return; + cause_value = OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND; + goto cleanup; } sess = sgwc_sess_find_by_id(bearer->sess_id); @@ -1464,22 +1493,17 @@ void sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request( OGS_GTP2_F_TEID_SGW_GTP_U_FOR_DL_DATA_FORWARDING); if (!tunnel) { ogs_error("sgwc_tunnel_add() failed"); - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE, - OGS_GTP2_CAUSE_SYSTEM_FAILURE); - return; + cause_value = OGS_GTP2_CAUSE_SYSTEM_FAILURE; + goto cleanup; } tunnel->remote_teid = be32toh(req_teid->teid); rv = ogs_gtp2_f_teid_to_ip(req_teid, &tunnel->remote_ip); if (rv != OGS_OK) { - ogs_gtp_send_error_message(s11_xact, - sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE, - OGS_GTP2_CAUSE_MANDATORY_IE_MISSING); - return; + ogs_error("No IPv4 or IPv6 in REQ-TEID"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; } pdr = tunnel->pdr; @@ -1494,11 +1518,15 @@ void sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request( far->apply_action = OGS_PFCP_APPLY_ACTION_FORW; - ogs_assert(OGS_OK == - ogs_pfcp_ip_to_outer_header_creation( + rv = ogs_pfcp_ip_to_outer_header_creation( &tunnel->remote_ip, &far->outer_header_creation, - &far->outer_header_creation_len)); + &far->outer_header_creation_len); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in Tunnel"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } far->outer_header_creation.teid = tunnel->remote_teid; ogs_info(" SGW_DL_TEID[%d] ENB_DL_TEID[%d]", @@ -1513,22 +1541,17 @@ void sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request( OGS_GTP2_F_TEID_SGW_GTP_U_FOR_UL_DATA_FORWARDING); if (!tunnel) { ogs_error("sgwc_tunnel_add() failed"); - ogs_gtp_send_error_message( - s11_xact, sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE, - OGS_GTP2_CAUSE_SYSTEM_FAILURE); - return; + cause_value = OGS_GTP2_CAUSE_SYSTEM_FAILURE; + goto cleanup; } tunnel->remote_teid = be32toh(req_teid->teid); rv = ogs_gtp2_f_teid_to_ip(req_teid, &tunnel->remote_ip); if (rv != OGS_OK) { - ogs_gtp_send_error_message(s11_xact, - sgwc_ue ? sgwc_ue->mme_s11_teid : 0, - OGS_GTP2_CREATE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE, - OGS_GTP2_CAUSE_MANDATORY_IE_MISSING); - return; + ogs_error("No IPv4 or IPv6 in REQ-TEID"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; } pdr = tunnel->pdr; @@ -1543,11 +1566,15 @@ void sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request( far->apply_action = OGS_PFCP_APPLY_ACTION_FORW; - ogs_assert(OGS_OK == - ogs_pfcp_ip_to_outer_header_creation( + rv = ogs_pfcp_ip_to_outer_header_creation( &tunnel->remote_ip, &far->outer_header_creation, - &far->outer_header_creation_len)); + &far->outer_header_creation_len); + if (rv != OGS_OK) { + ogs_error("No IPv4 or IPv6 in Tunnel"); + cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT; + goto cleanup; + } far->outer_header_creation.teid = tunnel->remote_teid; ogs_info(" SGW_UL_TEID[%d] ENB_UL_TEID[%d]", @@ -1564,6 +1591,16 @@ void sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request( sess, s11_xact->id, gtpbuf, OGS_PFCP_MODIFY_INDIRECT|OGS_PFCP_MODIFY_CREATE)); } + + return; + +cleanup: + ogs_assert(cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED); + + ogs_gtp_send_error_message(s11_xact, + sgwc_ue ? sgwc_ue->mme_s11_teid : 0, + OGS_GTP2_CREATE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE, + cause_value); } void sgwc_s11_handle_delete_indirect_data_forwarding_tunnel_request(
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/open5gs/open5gs/commit/465273d13ba5d47b274c38c9d1b07f04859178a1nvdPatch
- github.com/open5gs/open5gs/issues/4203nvdExploitIssue TrackingVendor Advisory
- github.com/open5gs/open5gs/issues/4203nvdExploitIssue TrackingVendor Advisory
- github.com/open5gs/open5gs/issues/4203nvdExploitIssue TrackingVendor Advisory
- vuldb.comnvdThird Party AdvisoryVDB Entry
- vuldb.comnvdThird Party AdvisoryVDB Entry
- vuldb.comnvdPermissions RequiredVDB Entry
News mentions
0No linked articles in our index yet.