When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the f_teid_len from incoming message, and then uses it to copy data from incoming message to struct f_teid without checking the maximum length. If the pdi.local_f_teid.len exceeds the maximum length of the struct of f_teid, the memcpy() overwrites the fields (e.g., f_teid_len) after f_teid in the pdr struct. After parsing the request, the UPF starts to build a response. The f_teid_len with its overwritten value is used as a length for memcpy(). A segmentation fault occurs, as a result of a memcpy(), if this overwritten value is large enough.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: SNPS
Published: 2022-09-16T18:02:12
Updated: 2024-08-03T11:10:32.459Z
Reserved: 2022-08-31T00:00:00
Link: CVE-2022-39063
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-09-16T19:15:10.030
Modified: 2024-11-21T07:17:28.977
Link: CVE-2022-39063
Redhat
No data.