
SIGSEGV in RELEASE_IE_FROMLIST when processing pathlossReferenceRSToReleaseList in setup_puschpowercontrol

While testing OAI UE (version 2025.w05), I encountered a segmentation fault (SIGSEGV) in the setup_puschpowercontrol function when handling malformed downlink messages from the gNB.

Testing Context:

  • The test was performed using a locally modified version of 5Ghoul, which has been updated to work with OAI 2025.w05.
  • The testing environment consists of an OAI gNB communicating with an OAI UE, where 5Ghoul is used to intercept and modify downlink messages.
  • The goal of the test was to evaluate how OAI UE handles unexpected or malformed control messages.

During testing, I found that sending a malformed RRC message from gNB can consistently trigger a segmentation fault (SIGSEGV) in the UE, leading to a crash. The issue is specifically located in the setup_puschpowercontrol function: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/2025.w05/openair2/LAYER2/NR_MAC_UE/config_ue.c?ref_type=tags#L963

RELEASE_IE_FROMLIST(source->pathlossReferenceRSToReleaseList,
                  target->pathlossReferenceRSToAddModList,
                  pusch_PathlossReferenceRS_Id);

The root cause appears to be a missing NULL check in this macro call. Unlike the similar code for adding items (lines 969-975), which properly verifies whether pointers are NULL before accessing them, the release operation lacks such a safeguard.

For comparison, the AddMod operation correctly includes a NULL check:

if (source->pathlossReferenceRSToAddModList) {
  if (!target->pathlossReferenceRSToAddModList)
    target->pathlossReferenceRSToAddModList = calloc(1, sizeof(*target->pathlossReferenceRSToAddModList));
  ADDMOD_IE_FROMLIST(...);
}

A similar approach could be applied to the release operation to prevent segmentation faults when source->pathlossReferenceRSToReleaseList or target->pathlossReferenceRSToAddModList is NULL.

GDB logs:

Thread 20 "UEthread_0" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7c8c9dc00640 (LWP 1110205)]
0x000065094a7d8db3 in setup_puschpowercontrol (target=<optimized out>, source=<optimized out>, mac=<optimized out>) at /home/qiqingh/Desktop/openairinterface5g/openair2/LAYER2/NR_MAC_UE/config_ue.c:963
963	    RELEASE_IE_FROMLIST(source->pathlossReferenceRSToReleaseList,
(gdb) #0  0x000065094a7d8db3 in setup_puschpowercontrol (target=<optimized out>, source=<optimized out>, mac=<optimized out>) at /home/qiqingh/Desktop/openairinterface5g/openair2/LAYER2/NR_MAC_UE/config_ue.c:963
        eL = <optimized out>
        iJ = <optimized out>
        iI = 0
        __FUNCTION__ = "setup_puschpowercontrol"
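Added example, not from the original report and not OAI code: a stand-alone sketch of the guarded release-then-AddMod sequence the report asks for. The list types, the `release_ids_guarded` / `addmod_guarded` / `setup_puschpowercontrol_guarded` functions and the two constructed scenarios are all hypothetical simplifications of the asn1c sequence-of lists; the real RELEASE_IE_FROMLIST and ADDMOD_IE_FROMLIST macros are not reproduced. Scenario 1 is the shape of the reported crash (a release list arrives while the UE holds no AddMod list), scenario 2 checks that a guarded release still removes the right entry before the AddMod pass.

```c
#include <stdlib.h>
#include <string.h>
/* Added illustration, not OAI's types or macros: simplified stand-ins for the
 * asn1c sequence-of lists behind the two pathlossReferenceRS lists. */
typedef long PathlossRS_Id;
typedef struct { PathlossRS_Id id; int rs_config; } PathlossRS;   /* rs_config: stand-in payload */
typedef struct { int count; PathlossRS **array; } PathlossRS_List;
typedef struct { int count; PathlossRS_Id **array; } PathlossRS_Id_List;
typedef struct {
  PathlossRS_List *pathlossReferenceRSToAddModList;
  PathlossRS_Id_List *pathlossReferenceRSToReleaseList;
} PUSCH_PowerControl;
/* Release: drop every target entry whose id is in rel.  The guard is the point:
 * a NULL release list or a NULL/empty target means "nothing to do", not a deref. */
int release_ids_guarded(const PathlossRS_Id_List *rel, PathlossRS_List *target)
{
  if (!rel || !target || !target->array)
    return 0;
  int removed = 0;
  for (int i = 0; i < rel->count; i++) {
    for (int j = 0; j < target->count; j++) {
      if (target->array[j]->id == *rel->array[i]) {
        free(target->array[j]);
        memmove(&target->array[j], &target->array[j + 1],
                (size_t)(target->count - j - 1) * sizeof(target->array[0]));
        target->count--;
        removed++;
        break;                                /* ids are unique within the list */
      }
    }
  }
  return removed;                             /* number of entries removed */
}

/* AddMod with the guard the report quotes: skip a NULL source, allocate the
 * target list on demand, then replace in place or append.  Returns entries added. */
int addmod_guarded(const PathlossRS_List *src, PathlossRS_List **target)
{
  if (!src) return 0;
  if (!*target && !(*target = calloc(1, sizeof(**target))))
    return 0;
  int added = 0;
  for (int i = 0; i < src->count; i++) {
    const PathlossRS *e = src->array[i];
    int j = 0;
    while (j < (*target)->count && (*target)->array[j]->id != e->id)
      j++;
    if (j == (*target)->count) {              /* not present yet: append a slot */
      PathlossRS **grown = realloc((*target)->array, (size_t)(j + 1) * sizeof(*grown));
      if (grown)
        (*target)->array = grown;
      if (!grown || !(grown[j] = calloc(1, sizeof(*grown[j]))))
        return added;
      (*target)->count++;
      added++;
    }
    *(*target)->array[j] = *e;
  }
  return added;
}

/* Release first, then AddMod, in the order the real setup function uses. */
void setup_puschpowercontrol_guarded(PUSCH_PowerControl *target, const PUSCH_PowerControl *source)
{
  release_ids_guarded(source->pathlossReferenceRSToReleaseList, target->pathlossReferenceRSToAddModList);
  addmod_guarded(source->pathlossReferenceRSToAddModList, &target->pathlossReferenceRSToAddModList);
}

/* Constructed scenario 1, the shape of the report: the UE holds no AddMod list yet
 * and the gNB sends only a release list.  Returns 1 if the call survives with nothing added. */
int scenario_release_into_empty_target(void)
{
  PathlossRS_Id id0 = 0, id1 = 1, *ids[] = { &id0, &id1 };
  PathlossRS_Id_List rel = { 2, ids };
  PUSCH_PowerControl source = { NULL, &rel }, target = { NULL, NULL };
  setup_puschpowercontrol_guarded(&target, &source);
  return target.pathlossReferenceRSToAddModList == NULL;
}

/* Constructed scenario 2: target holds ids 1,2,3; the gNB releases 2 and add/mods
 * 3 (changed) and 4.  Returns the surviving ids as digits (134), negated on a mismatch. */
int scenario_release_then_addmod(void)
{
  PathlossRS a = {1, 10}, b = {2, 20}, c = {3, 30}, *initial[] = { &a, &b, &c };
  PathlossRS_List init = { 3, initial };
  PUSCH_PowerControl target = { NULL, NULL };
  addmod_guarded(&init, &target.pathlossReferenceRSToAddModList);   /* seed the UE state */
  PathlossRS_Id rel2 = 2, *rel_ids[] = { &rel2 };
  PathlossRS_Id_List rel = { 1, rel_ids };
  PathlossRS c2 = {3, 31}, d = {4, 40}, *mods[] = { &c2, &d };
  PathlossRS_List mod = { 2, mods };
  PUSCH_PowerControl source = { &mod, &rel };
  setup_puschpowercontrol_guarded(&target, &source);
  PathlossRS_List *out = target.pathlossReferenceRSToAddModList;
  int sig = 0;
  for (int i = 0; i < out->count; i++)
    sig = sig * 10 + (int)out->array[i]->id;
  return out->count == 3 && out->array[1]->rs_config == 31 ? sig : -sig;
}
```

The only behavioural difference from an unguarded release is the first `if` in `release_ids_guarded`: with both lists NULL it returns 0 instead of dereferencing, which is exactly the state a UE is in when a release list arrives before any AddMod list has been configured. Whatever form the real fix takes, it should guard both `source->pathlossReferenceRSToReleaseList` and `target->pathlossReferenceRSToAddModList`, not just one of them.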