nr-uesoftmodem crashes with SIGSEGV when receiving modified CSI configuration (csi-ResourceConfigId → 1)

Overview

While testing nr-uesoftmodem (2025.w05), I found a potential security issue that causes the UE to crash when processing modified RRC messages.

Issue Details

During the testing, I intercepted and modified the RRCSetup message, specifically changing the CSI configuration parameter csi-ResourceConfigId. When the UE receives and processes this modified message, it triggers a segmentation fault and crashes immediately.

This csi-ResourceConfigId appears in two different places in the RRCSetup message; modifying either one to the value 1 in the falsified RRC message and sending that message to nr-uesoftmodem causes a segmentation fault.

The first one is at the path message[1][1].criticalExtensions[1].masterCellGroup[1].spCellConfig.spCellConfigDedicated.csi-MeasConfig[1].csi-ResourceConfigToAddModList[0].csi-ResourceConfigId in the RRC message:

[Screenshot: 777_message_screenshot]

The GDB Debugging Output:

    Thread 20 "UEthread_0" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x717dd40a6640 (LWP 29614)]
    0x0000582f4b13661d in compute_csi_bitlen (...) at /home/openairinterface5g/openair2/LAYER2/NR_MAC_COMMON/nr_mac_common.c:5167
    5167                  *(csi_resourceconfig->csi_RS_ResourceSetList.choice.nzp_CSI_RS_SSB->nzp_CSI_RS_ResourceSetList->list.array[0])) {

The second one is at the path message[1][1].criticalExtensions[1].masterCellGroup[1].spCellConfig.spCellConfigDedicated.csi-MeasConfig[1].csi-ResourceConfigToAddModList[2].csi-ResourceConfigId in the RRC message:

[Screenshot: 787_message_screenshot]

The GDB Debugging Output:

    Thread 19 "UL__actor" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7e9f2ffff640 (LWP 30496)]
    0x000061a17e9a90d6 in get_csirs_RI_PMI_CQI_payload (mac=0x7e9f3ec78010, csi_reportconfig=0x7e9f10010880, csi_ResourceConfigId=1, csi_MeasConfig=0x7e9f1000ece0, mapping_type=WIDEBAND_ON_PUCCH) at /home/openairinterface5g/openair2/LAYER2/NR_MAC_UE/nr_ue_procedures.c:2800
    2800                *(csi_resourceconfig->csi_RS_ResourceSetList.choice.nzp_CSI_RS_SSB->nzp_CSI_RS_ResourceSetList->list.array[0])) {
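Both crash lines dereference the same pointer chain (csi_RS_ResourceSetList.choice.nzp_CSI_RS_SSB->nzp_CSI_RS_ResourceSetList->list.array[0]) for whichever CSI-ResourceConfig the id selects. The block below is an added illustration, not OAI code: it uses constructed stand-in structs (not the generated ASN.1 types) and assumes the fault is a NULL/wrong-CHOICE dereference along that chain, showing the lookup with the validation a defensive implementation would perform before touching the list.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins: field names mirror the crash line, but these are
 * NOT the real OAI/ASN.1 generated types. */
enum { CHOICE_NOTHING = 0, CHOICE_NZP_CSI_RS_SSB = 1, CHOICE_CSI_IM = 2 };

typedef struct { long *array[4]; int count; } id_list_t;
typedef struct { id_list_t *nzp_CSI_RS_ResourceSetList; } nzp_csi_rs_ssb_t;
typedef struct {
  int present;                                /* which CHOICE arm is populated */
  union { nzp_csi_rs_ssb_t *nzp_CSI_RS_SSB; } choice;
} csi_rs_resourcesetlist_t;
typedef struct {
  long csi_ResourceConfigId;
  csi_rs_resourcesetlist_t csi_RS_ResourceSetList;
} csi_resourceconfig_t;

/* Return the first NZP CSI-RS resource set id for cfg_id, or -1 when the id is
 * not configured or the CHOICE arm / nested lists are not populated. Each check
 * guards one pointer that the crash line dereferences unconditionally. */
long first_nzp_set_id(csi_resourceconfig_t *cfgs, int n, long cfg_id) {
  csi_resourceconfig_t *rc = NULL;
  for (int i = 0; i < n; i++)
    if (cfgs[i].csi_ResourceConfigId == cfg_id) { rc = &cfgs[i]; break; }
  if (!rc) return -1;                                   /* id never configured */
  if (rc->csi_RS_ResourceSetList.present != CHOICE_NZP_CSI_RS_SSB) return -1;
  nzp_csi_rs_ssb_t *ssb = rc->csi_RS_ResourceSetList.choice.nzp_CSI_RS_SSB;
  if (!ssb || !ssb->nzp_CSI_RS_ResourceSetList) return -1;
  id_list_t *l = ssb->nzp_CSI_RS_ResourceSetList;
  if (l->count < 1 || !l->array[0]) return -1;          /* empty set list */
  return *l->array[0];
}

/* Constructed sample: config 0 is well formed; config 1 carries a different
 * CHOICE arm, so a modified id of 1 selects a config whose nzp pointer is NULL. */
static long g_set_id = 5;
static id_list_t g_list = { { &g_set_id, NULL, NULL, NULL }, 1 };
static nzp_csi_rs_ssb_t g_ssb = { &g_list };
csi_resourceconfig_t sample_cfgs[2] = {
  { 0, { CHOICE_NZP_CSI_RS_SSB, { &g_ssb } } },
  { 1, { CHOICE_CSI_IM, { NULL } } },
};

int main(void) {
  printf("id 0 -> %ld\n", first_nzp_set_id(sample_cfgs, 2, 0));  /* 5  */
  printf("id 1 -> %ld\n", first_nzp_set_id(sample_cfgs, 2, 1));  /* -1 */
  return 0;
}
```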

Reproduction Environment

I can provide the following if needed:

  • Docker environment for easy reproduction
  • GDB commands used for debugging
Edited Oct 31, 2025 by Qiqing H