nr-uesoftmodem crashes with SIGSEGV when receiving CSI-RS configuration changes (nrofPorts p2→p4)

Overview

While testing with nr-uesoftmodem (2025.w05), I found a potential security issue that causes the UE to crash when processing modified RRC messages.

Issue Details

During testing, I intercepted and modified the RRCSetup message, specifically changing the SRS configuration parameter nrofPorts from p2 to p4. When the UE receives and processes this modified message, it triggers a segmentation fault and crashes immediately.

[Screenshot: falsified RRC message and the falsified field nrofPorts]

Modified Parameter Path in RRC message:

message[1][1].criticalExtensions[1].masterCellGroup[1].spCellConfig.spCellConfigDedicated.csi-MeasConfig[1].nzp-CSI-RS-ResourceToAddModList[0].resourceMapping.nrofPorts

GDB Debugging Output:

Thread 15 "DL__actor" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7e451f7fe640 (LWP 21531)]
0x00005b9edfd98ba4 in csi_rs_resource_mapping (dataF=dataF@entry=0x40004000c0004000, csi_rs_length=<optimized out>, mod_csi=mod_csi@entry=0x7e451f7e11c0, ofdm_symbol_size=1536, dataF_offset=<optimized out>, start_sc=900, mapping_parms=0xc000c000c0004000, start_rb=<optimized out>, nb_rbs=106, alpha=alpha@entry=-4.1875009536888683, beta=512, rho=rho@entry=-2.0937504768444342, gs=2, freq_density=2) at /home/openairinterface5g/openair1/PHY/nr_phy_common/src/nr_phy_common_csirs.c:42
42            for (int ji = 0; ji < mapping_parms->size; ji++) { // loop over CDM groups

Reproduction Environment

I can provide the following if needed:

  • Docker environment for easy reproduction
  • GDB commands used for debugging

Preliminary Code Analysis

In the csi_rs_resource_mapping() function in nr_generate_csi_rs.c, the port index calculation:

int p = s + mapping_parms->j[ji] * gs; // port index
dataF[p][index].r = (beta * wt * wf * mod_csi[l][mprime << 1]) >> 15;

appears to access dataF[p] without verifying that p is within the allocated bounds of the dataF array.

Potential Issue

When the CSI-RS port configuration changes (e.g., from 2 ports to 4 ports), if the dataF array allocation doesn't match the mapping_parms->ports value, this could lead to out-of-bounds memory access. For example, with Row 4 configuration (4 ports) and CDM type 1:

  • Maximum p value could reach 3 (ports 0-3)
  • If dataF is only allocated for 2 ports, accessing dataF[2] or dataF[3] would cause undefined behavior
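As an added illustration (not OpenAirInterface code), here is the kind of pre-check a defender would want in front of the mapping loop: it computes the largest port index the report's formula p = s + j[ji] * gs can produce and refuses to map when that index does not fit the number of dataF port buffers actually allocated. The fields j and size follow the excerpt above; the s range 0..gs-1, the allocated_ports argument and the two sample configurations are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the mapping parameters seen in the report:
   j[] holds the CDM-group index used per loop iteration and size the
   number of iterations ("for (ji = 0; ji < mapping_parms->size; ji++)").
   The array bound is an assumption for this example. */
typedef struct {
  int j[8];
  int size;
} csi_mapping_parms_t;

/* Largest port index the formula p = s + j[ji] * gs can produce, taking
   s over the gs sequences of a CDM group (assumed range 0..gs-1).
   Returns -1 for an empty or invalid parameter set. */
int csi_rs_max_port_index(const csi_mapping_parms_t *mp, int gs)
{
  if (mp == NULL || mp->size <= 0 || mp->size > 8 || gs <= 0) return -1;
  int max_p = -1;
  for (int ji = 0; ji < mp->size; ji++) {
    for (int s = 0; s < gs; s++) {
      int p = s + mp->j[ji] * gs;   /* same port formula as the excerpt */
      if (p < 0) return -1;         /* negative j would index before dataF */
      if (p > max_p) max_p = p;
    }
  }
  return max_p;
}

/* Check to run before the resource mapping: true only when every port
   index stays inside the allocated_ports buffers of dataF. A configuration
   needing ports 0..3 against a 2-port allocation is rejected here instead
   of reaching dataF[2] / dataF[3]. */
bool csi_rs_mapping_fits(const csi_mapping_parms_t *mp, int gs, int allocated_ports)
{
  int max_p = csi_rs_max_port_index(mp, gs);
  return max_p >= 0 && max_p < allocated_ports;
}

/* Constructed sample configurations (not taken from a real RRC message):
   one CDM group of size 2 -> ports 0..1; two CDM groups of size 2 -> ports 0..3. */
const csi_mapping_parms_t CSI_SAMPLE_2PORT = { .j = {0},    .size = 1 };
const csi_mapping_parms_t CSI_SAMPLE_4PORT = { .j = {0, 1}, .size = 2 };
```

With a dataF allocated for 2 ports, CSI_SAMPLE_4PORT fails the check while CSI_SAMPLE_2PORT passes; the same check accepts the 4-port configuration once 4 buffers are allocated.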

Edited Oct 31, 2025 by Qiqing H