In lib/sbi/message.c parse_multipart(), http->content may be NULL.
This occurs on empty-body multipart POSTs and causes a segfault.
Add guard to check http->content, log an error, and return OGS_ERROR.
In lib/sbi/client.c, the conditional compilation for
CURLMOPT_MAX_CONCURRENT_STREAMS was using #ifdef, which does not
ensure the option is set when the symbol is undefined.
Replace the check with #if CURL_AT_LEAST_VERSION(7,67,0) so that the
client applies the max concurrent streams setting on supported
libcurl versions. This fixes pool.event always showing the default
value and enables dynamic adjustment according to pool.stream.
Previously, Open5GS assumed the _links map contained an array under the key
"items". However, the 3GPP specification (TS29.510 section 4.9.4 and TS29.501
Table 6.1.6.2.25-1) defines this member name as "item".
As a result, when interacting with vendor NRF implementations that use "item",
Open5GS could not find the array and logged "No items", causing JSON errors.
This change updates both serialization and parsing in lib/sbi/custom/links.c:
- In ogs_sbi_links_convertToJSON(), replace the property name "items" with
"item" when building JSON.
- In ogs_sbi_links_parseFromJSON(), retrieve the array under "item" and adjust
the error message to "No item" if the member is missing.
With these corrections, Open5GS will correctly handle NRF responses using "item"
and remain compliant with the indirect communication model defined by 3GPP.
Prior to this change, `session_write_callback()` unconditionally asserted that
`sbi_sess->poll.write` was non-NULL when the write queue drained, then removed
it from the poll set. In edge cases—particularly when using curl 8.x with
external epoll and `SIGPIPE` disabled—a late `EPOLLOUT` or errant write-ready
notification could arrive after `poll.write` had already been cleared. This
triggered the assertion in `nghttp2-server.c:1765`, aborting the process on
shutdown or session teardown.
This commit replaces the hard assertion with a runtime guard. If `poll.write`
is present, it is removed and reset to NULL as before. If it is already NULL,
we emit an warning log (`ogs_warn`) instead of aborting. This ensures any stray
write events after cleanup are safely ignored, allowing a clean exit without
crashing.
- Wrap `ogs_pollset_remove()` and pointer clear in `if (sbi_sess->poll.write)`
- Log an warning when `poll.write` is unexpectedly absent
- Preserve original behavior when `poll.write` is valid
This change resolves the fatal assertion observed on process exit after the
EPOLLERR/SIGPIPE fix and improves overall shutdown robustness.
- Check ran_ue existence and abort if NG context has already been removed
- Detect deassociated RAN-UE (invalid amf_ue_id) and
break to avoid further processing
- Validate AMF-UE ID matches ran_ue->amf_ue_id and skip on mismatch
- Add support for PDU Session Release in 3GPP TS 23.502 section 4.3.4.3
Note: PCF-initiated release flow for Home-Routed Roaming is not implemented;
- Fix N4 release step ordering in 3GPP TS 23.502 section 4.3.4.2 UE or network requested PDU Session Release for Non-Roaming and Roaming with Local Breakout
This commit fixes an issue where the callback header (3gpp-Sbi-Callback)
was incorrectly added in non-callback requests. Specifically, for registration
(PUT) and subscription requests in the AMF and SMF modules, the callback
header was included even though these are not asynchronous notifications.
Changes include:
- Removing the callback header assignment in src/amf/nudm-build.c and
src/smf/nudm-build.c for registration and subscription requests.
- Removing the callback header in NRF subscription-related builds in
lib/sbi/nnrf-build.c where it was not required.
- Adding the callback header only for actual notification or callback
operations (e.g. in src/amf/nsmf-build.c for N1/N2 transfer failure and
in src/nrf/nnrf-build.c for NF status notifications).
- Introducing a new callback macro in lib/sbi/message.h for
Namf_Communication_onN1N2TransferFailure.
This aligns the implementation with the standard, ensuring that callback
headers are only included in genuine callback/notification messages.
- Changed amf_region_id type from uint16_t to uint8_t in context.h.
- Updated context.c to use ogs_amf_region_id() for extracting and comparing
the region ID.
Previously, sample.yaml was used for both 5GC and EPC attach tests.
Because SMF had SBI configured, it sent a register PUT to NRF even in
EPC-only tests (where nrf/scp was not run), leading to a missing HTTP
response and connection timer expiry.
Now, attach.yaml is used for EPC, preventing the unwanted NRF registration.
When another NF restarts, curl reuses the existing connection, which in
curl 8.9.1 causes the nghttp2 server to send an RST. This commit sends a
GOAWAY frame to every active session on shutdown, ensuring a graceful
termination and avoiding RST errors.
Previous versions such as curl 7.81.0 did not exhibit this behavior.
Previously, nf_instance pointers were stored in nf_type_array and
service_type_array. This led to dangling pointers when an NF instance
was removed via ogs_sbi_nf_instance_remove(), causing incomplete cleanup
and improper recovery on UDR or other NF restarts. The issue resulted in
the system falling back to nf_instance->client with the default port 80,
leading to connection failures.
To resolve the problem, nf_instance_id is now stored instead of the
pointer. The validity of an NF instance is verified using
ogs_sbi_nf_instance_find(nf_instance_id), which ensures proper cleanup
and correct recovery.
Before this, there were 2 different ways to search for neighbouring
NF's:
a) in the case AMF was started _before_ UDM, AMF would create
subscription to NRF to notify it when a UDM would (un)register. In this
case, NF instance would remain in AMF's context indefinitely.
b) in the case AMF was started _after_ UDM, AMF would have to use NF
discovery mechanism to search for NF's. In this case, NF instance would
remain in AMF's context for the duration of Search's validity (defaults
to 30 seconds). After validity expires, NF would expire. This means that
for heavy traffic situations, AMF would constantly issue discovery
requests.
[SBI] save only wanted NF instances on NF List Retrieval
When retrieving a list of NF Instances from NRF, save only the NF's that
we want. Check the NF instance against our subscription list for either
the NF type or NF Service.
This can still cause a DoS on NRF when NF starts in case there are 100's
of NF's in the network, but prevents using too much memory on NF.
* [UDM][UDR] Add support for nssai resource in nudm-sdm
* Resolve Memory Issue
* Protect from multiple field entries, remove macros
* remove request_from_server, make use of xact state
* typo....
* definition cleanup
Previously, policies were configured via YAML files without MongoDB.
This update enhances the YAML approach by adding the 'supi_range' key to
filter policies based on UE SUPI ranges. When both 'supi_range' and
'plmn_id' are provided, both conditions must be met.
Note that PLMN-ID filtering will be deprecated in a future release.
Wrap SSL_CTX_set_keylog_callback calls with an OpenSSL version check
to ensure compatibility with versions older than 1.1.1.
This prevents compilation issues on earlier OpenSSL releases,
such as those found on Ubuntu 18.04(bionic).
3GPP TS 23.003: 28.4.2 Format of the S-NSSAI
The SST field may have standardized and non-standardized values. Values
0 to 127 belong to the standardized SST range and they are defined in
3GPP TS 23.501 [119]. Values 128 to 255 belong to the Operator-specific
range.
Introduce client_delegated_config to manage delegation settings for NRF and SCP
separately. This ensures that in Model C, all NRF-related procedures
(registration, heartbeat, deregistration, etc.) communicate directly with the
NRF without routing through the SCP. This change aligns Open5GS behavior with
3GPP standards, providing consistent direct communication for both discovery
and management in Model C, and maintaining indirect communication in Model D.
- Direct Communication with NRF
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
```
- Indirect Communication by Delegating to SCP
```
sbi:
client:
scp:
- uri: http://127.0.0.200:7777
```
- Indirect Communication without Delegation
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
scp:
- uri: http://127.0.0.200:7777
delegated:
nrf:
nfm: no # Directly communicate NRF management functions
disc: no # Directly communicate NRF discovery
scp:
next: no # Do not delegate to SCP for next-hop
```
- Indirect Communication with Delegated Discovery
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
scp:
- uri: http://127.0.0.200:7777
delegated:
nrf:
nfm: no # Directly communicate NRF management functions
disc: yes # Delegate discovery to SCP
scp:
next: yes # Delegate to SCP for next-hop communications
```
- Default delegation: all communications are delegated to the SCP
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
scp:
- uri: http://127.0.0.200:7777
# No 'delegated' section; defaults to AUTO delegation
```
This update allows the parsing and handling of user-defined port numbers
in the `advertise` field or explicitly in the `server` configuration for
SBI. Users can now specify non-default ports for both binding and
advertising while maintaining compatibility with existing configurations.
The feature includes logic to handle FQDNs with embedded port numbers
(e.g., `example.com:8080`) and ensures proper memory management during
parsing. Updated the client association logic to utilize custom ports
when specified.
Examples:
- Bind to the address on the eth0 and advertise as open5gs-amf.svc.local
```
sbi:
server:
- dev:eth0
advertise: open5gs-amf.svc.local
```
- Specify a custom port number 7777 while binding to the given address
```
sbi:
server:
- address: amf.localdomain
port: 7777
```
- Bind to 127.0.0.5 and advertise as open5gs-amf.svc.local
```
sbi:
server:
- address: 127.0.0.5
port: 7777
advertise: open5gs-amf.svc.local
```
- Bind to port 7777 but advertise with a different port number 8888
```
sbi:
server:
- address: 127.0.0.5
port: 7777
advertise: open5gs-amf.svc.local:8888
```
- Add `sslkeylogfile` configuration options to `*.yaml.in` in NFs.
- Update `open5gs-common.dirs` to include `var/log/open5gs/tls` directory
- Extend `ogs_sbi_context_s` structure in `context.h` to include `sslkeylog`
- Modify `context.c` to parse and handle `sslkeylogfile` settings
- Update `server.c` and `server.h` to manage the `sslkeylog` field
in server structures
- Update `ogs_sbi_client_add` and `ogs_sbi_client_remove` functions to handle
`sslkeylog` field.
- Adjust `meson.build` to create the TLS log directory during installation
This commit introduces SSL key logging functionality to Open5GS,
enabling the capture of SSL/TLS keys. This feature is essential
for debugging encrypted traffic and allows integration with tools
like Wireshark for decrypting TLS sessions.
- Added functionality to parse and validate the plmnList JSON array
during a PATCH request.
- Updated the nf_instance structure with new PLMN data from the request.
- Ensured robust error handling for invalid PLMN entries
and excessive PLMN counts.
- Responded with appropriate HTTP status codes for success and error scenarios.
Modified the PCF logic to bypass the BSF dependency when it is not available.
This change ensures that the 5G Core can operate without requiring a BSF,
allowing PDU sessions to be established successfully in setups
where only a single PCF is used.
According to TS 29.510, the NFProfile structure in the NFDiscovery API does not
include the nfProfileChangesSupportInd attribute. However, Open5GS NRF currently
includes this attribute in NFDiscovery API responses, which has led to
complaints from certain NF vendors.
This commit modifies the nrf_nnrf_handle_nf_discover function
in src/nrf/nnrf-handler.c to ensure that the nfProfileChangesSupportInd
attribute is excluded when constructing NFProfile for NFDiscovery responses.
TS 29.571 - 5.5.2 Simple Data Types defines BitRate type as
String representing a bit rate that shall be formatted as follows:
Pattern: '^\d+(\.\d+)? (bps|Kbps|Mbps|Gbps|Tbps)$'
Examples: "125 Mbps", "0.125 Gbps", "125000 Kbps"
Taking the "0.125 Gbps" example, rather than round 0.125 down to 0, parse it as
a double-float first before multiplying by 10^9, resulting in 1.25e8 (bps).
Fixed an issue in SCP TLS communication for Open5GS where omitted port numbers
in HTTP/HTTPS URIs (e.g., "https://scp.localdomain" implying port 443) were not
handled correctly.
Updated the code to ensure that during FQDN and port comparisons,
cases where the port number is set to 0 are accounted for.
This fix resolves the problem with indirect SBI communication over SCP using TLS
allowing proper connectivity between network functions like BSF and NRF.
Implement Control Message handling between V-SMF and H-SMF
during Home Routed Roaming process
Completed the implementation of control messages exchanged
between V-SMF and H-SMF as part of the Home Routed Roaming process
SMF selection according to 4.3.2.2.3 of TS23.502.
V-SMF makes discovery in the V-NRF according to V-NSSF.
H-SMF makes discovery in the H-NRF according to H-NSSF.
(The AMF goes through the V-NSSF and forwards the message seeking the NRF to the H-NSSF.)
The clang scan-build procedure
```
Assume Ubuntu docker container with open5gs mounted to /src.
Assume these tools are installed to docker container:
sudo apt install -y clang-tools clang
For easy reference to clang scan-build tool:
Put normal open5gs build procedure into a file called /src/build
=======================
Inside docker container:
=======================
export CLANG_OUT_DIR=/src/scan_build_results
scan-build -disable-checker deadcode.DeadStores --override-compiler --keep-going
--exclude subprojects --exclude tests --exclude lib/asn1c -maxloop 200 -o $CLANG_OUT_DIR -plist-html /src/build 2>&1 | tee /src/logclang.txt
=======================
Results:
=======================
Results are in html format in $CLANG_OUT_DIR - top level index.html
```
Note that in this analysis the following suppressions were assumed:
- no deadcode.DeadStores analysis since those are not functional findings
- exclude lib/asn1c for reason that is outside of open5gs control
- exclude tests for reason that those are not functional findings
- exclude subprojects since those are outside of open5gs control
- create SDM subscription to UDM when PDU session is created, just
before sending SMF registration to UDM
- delete SDM subscription when PDU session is released
- handle SDM Change Notification, but not yet process items in it
