AUSF V2.2.0 crashes on large authentication response (res*) from AMF (Buffer Overflow)
Bug Description:
OpenAirInterface AUSF crashes when AMF sends a large resStar as an authentication response.
Steps to reproduce:
Used this for AMF and AUSF configuration.
Setup Subscriber Information
Setup subscriber information in database
- PLMN ID: 00101
- SUPI (IMSI): 001010000000001
- Authentication Management Field (AMF): 8000
- Authentication Method: 5G_AKA
- K: 0C0A34601D4F07677303652C0462535B
- Operator Code Type: OPc
- Operator Code Value: 63bfa50ee6523365ff14c1f45f88737d
- SQN: 000000000020
Send NGSetup
00 15 00 38 00 00 06 00 1b 00 08 00 00 f1 10 00 00 06 6c 00 52 40 05 01 00 52 41 4e 00 66 00 0d 00 00 00 00 07 00 00 f1 10 00 00 00 08 00 15 40 01 20 00 93 40 01 00 00 cc 40 01 00
Send InitialUEMessage
00 0f 40 45 00 00 05 00 55 00 02 00 00 00 26 00 1b 1a 7e 00 41 79 00 0d 01 00 f1 10 00 00 00 00 00 00 00 00 10 2e 02 80 f0 10 01 00 00 79 00 0f 40 00 f1 10 00 00 00 00 00 00 f1 10 00 00 07 00 5a 40 01 18 00 70 40 01 00
Send the authentication response
00 2e 40 80 90 00 00 04 00 0a 00 02 00 01 00 55 00 02 00 00 00 26 00 6a 69 7e 00 57 2d 64 b1 96 23 4b 4a 9a a1 15 53 61 dd 77 50 f7 1a 1f 34 d1 3b d3 82 8a 4f 50 0c 7a 64 15 93 53 9d e7 a4 2f 19 a6 80 b4 10 7c 67 e2 ff eb c5 b5 c0 21 06 80 3b bf a9 6c 5d 12 11 8f f2 57 5b 7b 50 cd e2 93 20 55 72 fd 0c 60 3d 77 28 63 d9 83 a9 1f b5 57 23 f3 98 e9 b8 84 8f b8 72 ee 59 73 90 2f fa d6 46 74 00 79 40 0f 40 00 f1 10 00 00 00 00 00 00 f1 10 00 00 07
Expected behavior:
The AMF should have rejected this message earlier, as it is malformed and contains a response larger than the specification requires. Even if the message reached the AUSF, the AUSF should have checked the length, discarded the message, and sent a failure message with the reason.
Environment:
- OpenAirInterface Version: v2.2.0
- OS: Ubuntu 22.04 Server
- Deployment: Docker
PCAP:
AMF Log:
[2026-01-20 01:30:29.020] [nas] [debug] Decoded AuthenticationResponse message len (105)
[2026-01-20 01:30:29.020] [amf_n1] [debug] 5G AKA Confirmation from AUSF
[2026-01-20 01:30:29.020] [common] [debug] [amf_n1]resStar b1 96 23 4b 4a 9a a1 15 53 61 dd 77 50 f7 1a 1f 34 d1 3b d3 82 8a 4f 50 0c 7a 64 15 93 53 9d e7 a4 2f 19 a6 80 b4 10 7c 67 e2 ff eb c5 b5 c0 21 06 80 3b bf a9 6c 5d 12 11 8f f2 57 5b 7b 50 cd e2 93 20 55 72 fd 0c 60 3d 77 28 63 d9 83 a9 1f b5 57 23 f3 98 e9 b8 84 8f b8 72 ee 59 73 90 2f fa d6 46 74
[2026-01-20 01:30:29.020] [amf_n1] [info] resStar_s (B196234B4A9AA1155361DD7750F71A1F34D13BD3828A4F500C7A641593539DE7A42F19A680B4107C67E2FFEBC5B5C02106803BBFA96C5D12118FF2575B7B50CDE293205572FD0C603D772863D983A91FB55723F398E9B8848FB872EE5973902FFAD64674)
[2026-01-20 01:30:29.020] [amf_n1] [debug] Promise ID generated 2
[2026-01-20 01:30:29.020] [amf_sbi] [info] Receive UE Authentication Confirmation message, handling ...
[2026-01-20 01:30:29.020] [amf_sbi] [debug] Send UE Authentication Confirmation to AUSF
[2026-01-20 01:30:29.020] [amf_sbi] [info] Send HTTP message to http://192.168.70.138:8080/nausf-auth/v1/ue-authentications/bc7b069838da8000b49b8537e25591b3/5g-aka-confirmation
[2026-01-20 01:30:29.020] [amf_sbi] [info] HTTP message Body: {"resStar":"B196234B4A9AA1155361DD7750F71A1F34D13BD3828A4F500C7A641593539DE7A42F19A680B4107C67E2FFEBC5B5C02106803BBFA96C5D12118FF2575B7B50CDE293205572FD0C603D772863D983A91FB55723F398E9B8848FB872EE5973902FFAD64674"}
[2026-01-20 01:30:29.020] [amf_sbi] [debug] Send a simple HTTP request
[2026-01-20 01:30:29.082] [amf_sbi] [info] Cannot get response when callinghttp://192.168.70.138:8080/nausf-auth/v1/ue-authentications/bc7b069838da8000b49b8537e25591b3/5g-aka-confirmation
[2026-01-20 01:30:29.082] [amf_app] [debug] Trigger process response: Set promise with ID 2 to ready
[2026-01-20 01:30:29.083] [amf_n1] [debug] Got result for promise ID 2
[2026-01-20 01:30:29.083] [amf_n1] [debug] Got ConfirmationDataResponse from AUSF: null
[2026-01-20 01:30:29.088] [amf_n1] [warning] Could not parse Confirmation Data Response from Json
[2026-01-20 01:30:29.088] [amf_n1] [info] Could not get expected response from AUSF
[2026-01-20 01:30:29.088] [amf_n1] [error] Authentication failed for UE with amf_ue_ngap_id 1
[2026-01-20 01:30:29.088] [amf_n1] [debug] Create Registration Reject and send to UE
[2026-01-20 01:30:29.088] [nas] [debug] Initiating RegistrationReject
[2026-01-20 01:30:29.088] [nas_mm] [debug] Size of Registration Reject message 4
[2026-01-20 01:30:29.088] [nas] [debug] Encoding RegistrationReject message
[2026-01-20 01:30:29.088] [nas] [debug] Encoding NasMmPlainHeader
[2026-01-20 01:30:29.088] [nas] [debug] Encoded NasMmPlainHeader (len 3 octets)
[2026-01-20 01:30:29.088] [nas] [debug] Encoding 5GMM Cause
[2026-01-20 01:30:29.088] [nas] [debug] Encoded 5GMM Cause, len (1)
[2026-01-20 01:30:29.088] [nas] [debug] IE GPRS Timer 2 is not available
[2026-01-20 01:30:29.088] [nas] [debug] IE GPRS Timer 2 is not available
[2026-01-20 01:30:29.088] [nas] [debug] IE EAP Message is not available
[2026-01-20 01:30:29.088] [nas] [debug] IE Rejected NSSAI is not available
[2026-01-20 01:30:29.088] [nas] [debug] Encoded RegistrationReject message len (4)
[2026-01-20 01:30:29.088] [common] [debug] [amf_n1]Registration-Reject message buffer
AUSF Log:
[2026-01-20 01:30:15.473] [ausf_app] [info] Handle UE Authentication Request
[2026-01-20 01:30:15.473] [ausf_app] [info] ServingNetworkName 5G:mnc001.mcc001.3gppnetwork.org
[2026-01-20 01:30:15.473] [ausf_app] [info] supiOrSuci imsi-001010000000001
[2026-01-20 01:30:15.473] [ausf_app] [debug] UDM's URI http://oai-udm:8080/nudm-ueau/v1/imsi-001010000000001/security-information/generate-auth-data
[2026-01-20 01:30:15.473] [ausf_app] [info] Received authInfo from AMF without ResynchronizationInfo IE
[2026-01-20 01:30:15.473] [ausf_client] [debug] Send a simple HTTP request
[2026-01-20 01:30:15.509] [ausf_app] [info] Response from UDM: {"authType":"5G_AKA","authenticationVector":{"autn":"bc7b069838da8000b49b8537e25591b3","avType":"5G_HE_AKA","kausf":"0453931ce3a571c260dfb6f15aeb49dcab40d4cda2ef127fe3fcbc8103267b95","rand":"c6a5a7db32927b689be0d26f429e45d5","xresStar":"f7aa3ad0794736b9ec0af3118423d0ac"}}
[2026-01-20 01:30:15.509] [ausf_app] [debug] authType 5G_AKA
[2026-01-20 01:30:15.509] [ausf_app] [debug] autn_udm bc7b069838da8000b49b8537e25591b3
[2026-01-20 01:30:15.509] [ausf_app] [debug] av_type_udm 5G_HE_AKA
[2026-01-20 01:30:15.509] [ausf_app] [debug] kausf_udm 0453931ce3a571c260dfb6f15aeb49dcab40d4cda2ef127fe3fcbc8103267b95
[2026-01-20 01:30:15.509] [ausf_app] [debug] rand_udm c6a5a7db32927b689be0d26f429e45d5
[2026-01-20 01:30:15.509] [ausf_app] [debug] xres*_udm f7aa3ad0794736b9ec0af3118423d0ac
[2026-01-20 01:30:15.509] [ausf_app] [debug] Generating 5G AV
[2026-01-20 01:30:15.509] [ausf_app] [debug] HXresStar calculated: 76175996241ffc7c255febcc02019d25
[2026-01-20 01:30:15.509] [ausf_app] [debug] Derive_kseaf ...
[2026-01-20 01:30:15.509] [ausf_app] [debug] SNN: 5G:mnc001.mcc001.3gppnetwork.org
[2026-01-20 01:30:15.509] [common] [debug] [ausf_app]derive_kseaf Kausf 04 53 93 1c e3 a5 71 c2 60 df b6 f1 5a eb 49 dc ab 40 d4 cd a2 ef 12 7f e3 fc bc 81 03 26 7b 95
[2026-01-20 01:30:15.509] [common] [debug] [ausf_app]derive_kseaf Kseaf 52 14 37 e6 6c 2f 9b 99 fb d8 a2 ab 9c 2d f7 76 e4 4d 5d f4 fb ae 2f 14 da 39 18 30 de 44 fc b2
[2026-01-20 01:30:15.509] [ausf_app] [debug] Kseaf calculated: 521437e66c2f9b99fbd8a2ab9c2df776e44d5df4fbae2f14da391830de44fcb2
[2026-01-20 01:30:15.509] [ausf_app] [debug] Create a new security context with SUPI
[2026-01-20 01:30:15.509] [ausf_app] [debug] Auth Response: {"5gAuthData":{"autn":"bc7b069838da8000b49b8537e25591b3","hxresStar":"76175996241ffc7c255febcc02019d25","rand":"c6a5a7db32927b689be0d26f429e45d5"},"_links":{"5g-aka":{"href":"http://192.168.70.138:8080/nausf-auth/v1/ue-authentications/bc7b069838da8000b49b8537e25591b3/5g-aka-confirmation"}},"authType":"5G_AKA"}
[2026-01-20 01:30:15.510] [ausf_server] [debug] Auth response: {"5gAuthData":{"autn":"bc7b069838da8000b49b8537e25591b3","hxresStar":"76175996241ffc7c255febcc02019d25","rand":"c6a5a7db32927b689be0d26f429e45d5"},"_links":{"5g-aka":{"href":"http://192.168.70.138:8080/nausf-auth/v1/ue-authentications/bc7b069838da8000b49b8537e25591b3/5g-aka-confirmation"}},"authType":"5G_AKA"}
[2026-01-20 01:30:15.510] [ausf_server] [info] Send Auth response to SEAF (Code 201)
[2026-01-20 01:30:21.315] [ausf_nrf] [info] Sending NF heartbeat request
[2026-01-20 01:30:21.315] [ausf_client] [debug] Send a simple HTTP request
[2026-01-20 01:30:29.021] [ausf_server] [info] Received 5g_aka_confirmation Request
[2026-01-20 01:30:29.021] [ausf_server] [info] 5gaka confirmation received with authctxID bc7b069838da8000b49b8537e25591b3
[2026-01-20 01:30:29.021] [ausf_app] [debug] Handling 5g-aka-confirmation
[2026-01-20 01:30:29.021] [ausf_app] [debug] Retrieve security context with authCtxId:
[2026-01-20 01:30:29.021] [ausf_app] [info] Received authCtxId bc7b069838da8000b49b8537e25591b3
[2026-01-20 01:30:29.021] [ausf_app] [info] Received res* B196234B4A9AA1155361DD7750F71A1F34D13BD3828A4F500C7A641593539DE7A42F19A680B4107C67E2FFEBC5B5C02106803BBFA96C5D12118FF2575B7B50CDE293205572FD0C603D772863D983A91FB55723F398E9B8848FB872EE5973902FFAD64674
[2026-01-20 01:30:29.021] [ausf_app] [debug] authCtxId in AUSF: bc7b069838da8000b49b8537e25591b3
[2026-01-20 01:30:29.021] [ausf_app] [info] AV is up to date, handling received res*...
[2026-01-20 01:30:29.021] [ausf_app] [debug] xres* in AUSF: f7aa3ad0794736b9ec0af3118423d0ac
[2026-01-20 01:30:29.021] [ausf_app] [debug] xres in AMF: b196234b4a9aa1155361dd7750f71a1f
[2026-01-20 01:30:29.021] [ausf_app] [error] Authentication failure by home network with authCtxId bc7b069838da8000b49b8537e25591b3: res* != xres*
[2026-01-20 01:30:29.021] [ausf_app] [error] Serving Network Not Authorized
[2026-01-20 01:30:29.021] [ausf_app] [info] Send 403 Forbidden response
*** stack smashing detected ***: terminated
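
The length check asked for under "Expected behavior", as an added example (not OpenAirInterface code and not part of the original report): the hex resStar is accepted only if it is exactly 32 characters, matching the 16-byte xres* shown in the AUSF log, before anything is decoded into a fixed buffer. The names `parse_res_star` and `confirm_5g_aka` and the 400 status for malformed input are assumptions; the 403 on mismatch follows the AUSF log.

```cpp
// Added example: length-checked RES* handling (not OpenAirInterface code).
#include <array>
#include <cstddef>
#include <cstdint>
#include <string>

// RES* is 128 bits in 5G AKA, so its hex form is exactly 32 characters.
constexpr std::size_t kResStarLen = 16;
using ResStar = std::array<std::uint8_t, kResStarLen>;

static int hex_nibble(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Hypothetical helper: decode a hex resStar into a fixed 16-byte buffer.
// The length is checked before any byte is written, so oversized input
// can never run past the end of the buffer.
bool parse_res_star(const std::string& hex, ResStar& out) {
  if (hex.size() != 2 * kResStarLen) return false;
  ResStar tmp{};
  for (std::size_t i = 0; i < kResStarLen; ++i) {
    const int hi = hex_nibble(hex[2 * i]);
    const int lo = hex_nibble(hex[2 * i + 1]);
    if (hi < 0 || lo < 0) return false;
    tmp[i] = static_cast<std::uint8_t>((hi << 4) | lo);
  }
  out = tmp;
  return true;
}

// Hypothetical handler core. Returns the HTTP status to send:
// 400 (assumed) for a malformed resStar, 403 on mismatch, 200 on match.
int confirm_5g_aka(const std::string& res_star_hex, const ResStar& xres_star) {
  ResStar res{};
  if (!parse_res_star(res_star_hex, res)) return 400;
  std::uint8_t diff = 0;  // accumulate differences without an early exit
  for (std::size_t i = 0; i < kResStarLen; ++i) diff |= res[i] ^ xres_star[i];
  return diff == 0 ? 200 : 403;
}

int main() {
  ResStar xres{};
  parse_res_star("f7aa3ad0794736b9ec0af3118423d0ac", xres);  // xres* from the AUSF log
  // Constructed oversized input: 200 hex characters, the size seen in the report.
  return confirm_5g_aka(std::string(200, 'B'), xres) == 400 ? 0 : 1;
}
```

The same bound belongs at the AMF when it decodes the NAS Authentication Response, so an oversized value is dropped before it is ever forwarded to the AUSF.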