Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF [CVE-2021-41794]

We discussed this vulnerability during Episode 90 on 12 October 2021.

When parsing session establishment request packets in ogs_fqdn_parse(), the function would take an unvalidated length and pass it directly to memcpy(). The blog post indicates the destination is a stack buffer, leading to a stack buffer overflow. It's worth noting the build config does enable stack cookies, so exploitation would not be straightforward.
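
The bounds checks this bug class calls for, as an added example that is not Open5GS code or its actual patch. The function name, its signature and the length-prefixed label encoding are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not Open5GS code. Decodes length-prefixed labels
 * (assumed encoding, e.g. "\x03upf\x03lab") into a dotted, NUL-terminated
 * string. Returns the string length, or -1 if a label overruns the input
 * or the result would not fit in dst_size bytes. */
int fqdn_parse_checked(char *dst, size_t dst_size,
                       const uint8_t *src, size_t src_len)
{
    size_t i = 0, j = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    while (i < src_len) {
        size_t len = src[i++];   /* untrusted length byte from the packet */

        /* Source bound: the label must lie entirely inside the input. */
        if (len > src_len - i)
            return -1;
        /* Destination bound: label plus '.' or NUL must still fit. */
        if (len + 1 > dst_size - j)
            return -1;

        memcpy(&dst[j], &src[i], len);  /* both bounds verified above */
        i += len;
        j += len;
        if (i < src_len)
            dst[j++] = '.';
    }
    dst[j] = '\0';
    return (int)j;
}

int main(void)
{
    /* Constructed sample: second label claims 200 bytes, only 2 follow. */
    const uint8_t bad[] = { 3, 'u', 'p', 'f', 200, 'x', 'y' };
    char name[32];

    /* Exit status 0 means the malformed input was rejected. */
    return fqdn_parse_checked(name, sizeof name, bad, sizeof bad) == -1 ? 0 : 1;
}
```

Passing the destination size explicitly is what lets the callee refuse an oversized label; stack cookies only detect the overwrite after it has happened.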