Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF [CVE-2021-41794]
Original Post:
We discussed this vulnerability during Episode 90 on 12 October 2021
When parsing session establishment request packets in ogs_fqdn_parse(), the function would take an unchecked, attacker-controlled length and pass it directly to memcpy(). The blog post indicates the destination is a stack buffer, leading to a stack overflow. It's worth noting the build config does enable stack cookies, so it wouldn't be a straightforward exploit.
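As an added example (not Open5GS code, and not the actual ogs_fqdn_parse() implementation), here is a length-prefixed FQDN parser of the kind the writeup describes, with the bounds checks whose absence turns a bad length byte into a stack overflow; the sample inputs are constructed, not taken from a real PFCP capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a DNS-style FQDN (sequence of <length><label> units, as carried in
 * PFCP/GTP APN and node-id fields) into a dotted string in dst.
 * The vulnerable pattern trusts the length byte and calls memcpy() with it;
 * here every label length is checked against the remaining input AND the
 * remaining output capacity first. Returns the string length, or -1. */
int fqdn_parse_safe(char *dst, size_t dst_size,
                    const uint8_t *src, size_t src_len)
{
    size_t i = 0, j = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (i < src_len) {
        uint8_t len = src[i++];
        if (len == 0 || len > 63)            /* RFC 1035 label length limits */
            return -1;
        if (len > src_len - i)               /* label would run past the input */
            return -1;
        if ((size_t)len + 1 > dst_size - j)  /* label plus '.' or NUL must fit */
            return -1;
        memcpy(&dst[j], &src[i], len);       /* now provably in bounds */
        i += len;
        j += len;
        if (i < src_len)
            dst[j++] = '.';
    }
    dst[j] = '\0';
    return (int)j;
}

/* Constructed sample inputs (hypothetical, not from any real capture). */
static const uint8_t GOOD_FQDN[] = { 8,'i','n','t','e','r','n','e','t', 4,'a','p','n','1' };
static const uint8_t BAD_FQDN[]  = { 0xff, 'x','y','z' };  /* length byte far exceeds input */

int main(void)
{
    char out[64];
    int n = fqdn_parse_safe(out, sizeof out, GOOD_FQDN, sizeof GOOD_FQDN);
    printf("good input -> %d bytes: %s\n", n, n >= 0 ? out : "(rejected)");
    n = fqdn_parse_safe(out, sizeof out, BAD_FQDN, sizeof BAD_FQDN);
    printf("bad length byte -> %d\n", n);     /* rejected instead of overflowing */
    return 0;
}
```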