
Segmentation Fault in compute_csi_bitlen

While testing the OAI UE version (2025.w05), I encountered a segmentation fault (SIGSEGV) in the setup_puschpowercontrol function when handling malformed downlink messages from the gNB.

Testing Context:

  • The test was performed using a locally modified version of 5Ghoul (https://github.com/asset-group/5ghoul-5g-nr-attacks), which has been updated to work with OAI 2025.w05.
  • The testing environment consists of an OAI gNB communicating with an OAI UE, where 5Ghoul is used to intercept and modify downlink messages.
  • The goal of the test was to evaluate how OAI UE handles unexpected or malformed control messages.

During testing, I found that sending a malformed RRC message from the gNB can consistently trigger a segmentation fault (SIGSEGV) in the UE, leading to a crash. The issue is specifically located in the setup_puschpowercontrol function: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/2025.w05/openair2/LAYER2/NR_MAC_COMMON/nr_mac_common.c?ref_type=tags#L5122

LOG_D(NR_MAC,"Searching %d csi_reports\n",csi_MeasConfig->csi_ReportConfigToAddModList->list.count);

The crash occurs when trying to access csi_MeasConfig->csi_ReportConfigToAddModList->list.count. The code still exists in the latest version of OAI.

Possible Cause:

The issue appears to be a NULL pointer dereference. Specifically:

  • Either csi_MeasConfig or csi_MeasConfig->csi_ReportConfigToAddModList might be NULL at this point.
  • If this happens, the code attempts to access an invalid memory location, leading to a segmentation fault.
  • A proper NULL check should be added before dereferencing the pointer to prevent the crash.
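As an added example (not OAI's code), the dereference pattern from the crash site beside a guarded version that treats an absent list as "no CSI reports". The struct definitions are constructed stand-ins for the asn1c-generated NR_CSI_MeasConfig_t and its OPTIONAL csi_ReportConfigToAddModList, and the sample configurations are constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the asn1c-generated OAI types: a SEQUENCE OF is
 * a count plus an array of element pointers, and an OPTIONAL IE is a pointer
 * that the decoder leaves NULL when the gNB omitted it. */
typedef struct { long reportConfigId; long resourcesForChannelMeasurement; } NR_CSI_ReportConfig_t;
typedef struct { NR_CSI_ReportConfig_t **array; int count; } csi_ReportConfig_list_t;
typedef struct { csi_ReportConfig_list_t list; } csi_ReportConfigToAddModList_t;
typedef struct { csi_ReportConfigToAddModList_t *csi_ReportConfigToAddModList; } NR_CSI_MeasConfig_t;

/* Pattern at the crash site: the OPTIONAL IE is dereferenced unconditionally,
 * so a CSI-MeasConfig without csi-ReportConfigToAddModList faults here. */
int csi_report_count_unguarded(const NR_CSI_MeasConfig_t *csi_MeasConfig)
{
    return csi_MeasConfig->csi_ReportConfigToAddModList->list.count;
}

/* Hardened form: check every pointer on the path before using it, and also
 * skip NULL element slots left by a truncated or rejected decode. */
int csi_report_count_guarded(const NR_CSI_MeasConfig_t *csi_MeasConfig)
{
    if (csi_MeasConfig == NULL || csi_MeasConfig->csi_ReportConfigToAddModList == NULL)
        return 0;
    const csi_ReportConfig_list_t *l = &csi_MeasConfig->csi_ReportConfigToAddModList->list;
    if (l->count < 0 || l->array == NULL)
        return 0;
    int n = 0;
    for (int i = 0; i < l->count; i++)
        if (l->array[i] != NULL)
            n++;
    return n;
}

/* Constructed sample inputs: one config with two list slots (second NULL),
 * one config whose OPTIONAL list is absent, as a malformed message would leave it. */
static NR_CSI_ReportConfig_t rep0 = { .reportConfigId = 0, .resourcesForChannelMeasurement = 3 };
static NR_CSI_ReportConfig_t *reps[2] = { &rep0, NULL };
static csi_ReportConfigToAddModList_t two_reports = { .list = { .array = reps, .count = 2 } };
static NR_CSI_MeasConfig_t cfg_with_list = { .csi_ReportConfigToAddModList = &two_reports };
static NR_CSI_MeasConfig_t cfg_missing_list = { .csi_ReportConfigToAddModList = NULL };

const NR_CSI_MeasConfig_t *sample_cfg_with_list(void) { return &cfg_with_list; }
const NR_CSI_MeasConfig_t *sample_cfg_missing_list(void) { return &cfg_missing_list; }

int main(void)
{
    printf("missing list -> %d reports\n", csi_report_count_guarded(sample_cfg_missing_list()));
    printf("two slots, one NULL -> %d reports\n", csi_report_count_guarded(sample_cfg_with_list()));
    return 0;
}
```

Only the guarded function is called on the config with the missing list; the unguarded one would fault there, exactly as in the GDB output.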

GDB logs:

Thread 20 "UEthread_0" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7e0ebda00640 (LWP 1366995)]
0x00005a86ae204b40 in compute_csi_bitlen (csi_MeasConfig=csi_MeasConfig@entry=0x7e0e8c00e080, csi_report_template=csi_report_template@entry=0x7e0ec7f236a0) at /home/qiqingh/Desktop/openairinterface5g/openair2/LAYER2/NR_MAC_COMMON/nr_mac_common.c:5122
5122    LOG_D(NR_MAC,"Searching %d csi_reports\n",csi_MeasConfig->csi_ReportConfigToAddModList->list.count);
(gdb) #0  0x00005a86ae204b40 in compute_csi_bitlen (csi_MeasConfig=csi_MeasConfig@entry=0x7e0e8c00e080, csi_report_template=csi_report_template@entry=0x7e0ec7f236a0) at /home/qiqingh/Desktop/openairinterface5g/openair2/LAYER2/NR_MAC_COMMON/nr_mac_common.c:5122
        csi_report_id = <optimized out>
        nb_resources = <optimized out>
        reportQuantity_type = <optimized out>
        csi_ResourceConfigId = <optimized out>
        csi_resourceconfig = <optimized out>
        __FUNCTION__ = "compute_csi_bitlen"