AMF V2.2.0 crashes on Invalid Procedure Code

Bug Description:

The OpenAirInterface AMF crashes when it receives an NGAP message with an invalid procedure code or an invalid PDU type, for example when the message expects an InitiatingMessage but a SuccessfulOutcome is received.

Steps to reproduce:

Launch the AMF. Configuration used:

config.yaml

Send this NGAP message (the packet as a hex stream):

00 3B 00 28 00 00 03 00 0A 00 02 00 00 00 55 00 02 00 00 00 20 40 15 00 40 00 F1 10 00 00 00 00 00 00 64 00 00 00 F1 10 00 00 00 00

Expected behavior:

AMF should not crash and should reject the message.

Environment:

  • OpenAirInterface Version: v2.2.0
  • OS: Ubuntu 22.04 Server
  • Deployment: Docker

PCAP:

crash_1.pcap

Log:

[2025-12-22 21:04:07.861] [ngap] [error] Invalid procedure code 59 or present 1

Details:

[2025-12-22 16:59:38.579] [ngap] [error] Invalid procedure code 59 or present 1
=================================================================
==1012445==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x786aa9b78630 in thread T4
    #0 0x786ab0cb4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x64737a0f853e in CHOICE_free /home/tasnim/oai-cn5g-amf/src/common-src/ngap/libngap/constr_CHOICE.c:181
    #2 0x64737a003952 in oai::ngap::ngap_app::handle_receive(tagbstring*, unsigned int, unsigned short, unsigned short, unsigned short) /home/tasnim/oai-cn5g-amf/src/ngap/ngap_app.cpp:81
    #3 0x64737a0bae8a in sctp::sctp_server::sctp_read_from_socket(int, unsigned int) /home/tasnim/oai-cn5g-amf/src/sctp/sctp_server.cpp:282
    #4 0x64737a0ba0b1 in sctp::sctp_server::sctp_receiver_thread(void*) /home/tasnim/oai-cn5g-amf/src/sctp/sctp_server.cpp:198
    #5 0x786aaf494ac2 in start_thread nptl/pthread_create.c:442
    #6 0x786aaf5268bf  (/lib/x86_64-linux-gnu/libc.so.6+0x1268bf)

Address 0x786aa9b78630 is located in stack of thread T4 at offset 96 in frame
    #0 0x64737a0034cb in oai::ngap::ngap_app::handle_receive(tagbstring*, unsigned int, unsigned short, unsigned short, unsigned short) /home/tasnim/oai-cn5g-amf/src/ngap/ngap_app.cpp:56

  This frame has 6 object(s):
    [32, 34) 'stream' (line 55)
    [48, 50) 'instreams' (line 56)
    [64, 66) 'outstreams' (line 56)
    [80, 84) 'assoc_id' (line 55)
    [96, 104) 'ngap_msg_pdu' (line 62) <== Memory access at offset 96 is inside this variable
    [128, 144) 'dec_ret' (line 64)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T4 created by T0 here:
    #0 0x786ab0c58685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x64737a0b97e6 in sctp::sctp_server::start_receive(sctp::sctp_application*) /home/tasnim/oai-cn5g-amf/src/sctp/sctp_server.cpp:158
    #2 0x64737a00326d in oai::ngap::ngap_app::ngap_app(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned short) /home/tasnim/oai-cn5g-amf/src/ngap/ngap_app.cpp:45
    #3 0x647379e6c93a in amf_application::amf_n2::amf_n2(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned short) /home/tasnim/oai-cn5g-amf/src/amf-app/amf_n2.cpp:310
    #4 0x647379b4df6a in amf_application::amf_app::amf_app() /home/tasnim/oai-cn5g-amf/src/amf-app/amf_app.cpp:99
    #5 0x647377c1e889 in main /home/tasnim/oai-cn5g-amf/src/oai-amf/main.cpp:173
    #6 0x786aaf429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: bad-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
==1012445==ABORTING
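The ASan report above says free() was applied to the stack variable ngap_msg_pdu from inside CHOICE_free, which is what happens when a full-structure free is run on a PDU that was never malloc()-ed. The following is an added example, not OAI's code, that models the safe shape of that receive path in plain C: validate the (present, procedureCode) pair before dispatch, and release only the heap-owned members of a stack-allocated PDU. The struct, the whitelist and the two-octet header decode are constructed stand-ins for the asn1c-generated types.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the asn1c NGAP_PDU CHOICE (not OAI's type):
 * the "present" tag, the procedure code and one heap-owned payload. */
enum pdu_present { PDU_PR_NOTHING = 0, PDU_PR_INITIATING_MESSAGE = 1,
                   PDU_PR_SUCCESSFUL_OUTCOME = 2, PDU_PR_UNSUCCESSFUL_OUTCOME = 3 };
struct ngap_pdu {
    enum pdu_present present; unsigned procedure_code;
    uint8_t *value;   /* decoded payload, heap-allocated by the decoder */
};
/* Release only the heap-owned member: the safe cleanup for a PDU living on the
 * caller's stack, as ngap_msg_pdu does in the ASan frame above. */
static void pdu_free_contents_only(struct ngap_pdu *pdu) {
    free(pdu->value);
    memset(pdu, 0, sizeof *pdu);
}
/* Constructed whitelist of handled (present, procedureCode) pairs; illustrative,
 * not OAI's dispatch table. 21 is NGSetup, 15 is InitialUEMessage. */
static bool pdu_is_supported(enum pdu_present present, unsigned code) {
    static const struct { enum pdu_present p; unsigned c; } ok[] = {
        { PDU_PR_INITIATING_MESSAGE, 21 }, { PDU_PR_INITIATING_MESSAGE, 15 },
    };
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        if (ok[i].p == present && ok[i].c == code) return true;
    return false;
}
/* Decode the first two APER octets: extension bit, 2-bit CHOICE index (0 =
 * initiatingMessage, so the page's 00 3B gives present 1, code 59), then the
 * one-octet procedure code. Payload is copied to the heap. 0 on success. */
static int pdu_decode(const uint8_t *buf, size_t len, struct ngap_pdu *out) {
    if (len < 2 || (buf[0] & 0x80)) return -1;   /* extension marker: reject */
    out->present = (enum pdu_present)(((buf[0] >> 5) & 0x3) + 1);
    out->procedure_code = buf[1];
    out->value = malloc(len - 2 + 1);            /* +1 avoids malloc(0) */
    if (!out->value) return -1;
    memcpy(out->value, buf + 2, len - 2);
    return 0;
}

/* Receive path: validate before dispatch and clean up a rejected PDU with the
 * contents-only free. Returns 1 handled, 0 rejected, -1 decode error. */
int handle_receive(const uint8_t *buf, size_t len) {
    struct ngap_pdu pdu = {0};                   /* stack object, not malloc()-ed */
    if (pdu_decode(buf, len, &pdu) != 0) return -1;
    int rc = pdu_is_supported(pdu.present, pdu.procedure_code) ? 1 : 0;
    pdu_free_contents_only(&pdu);
    return rc;
}
```

Running it under AddressSanitizer with the page's hex stream as input returns 0 (rejected) with no bad-free, because the rejected PDU is cleaned up without ever passing the stack object to free().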
