Segmentation Fault in is_ss_monitor_occasion

While testing the OAI UE version (2025.w05), I encountered a segmentation fault (SIGSEGV) in the is_ss_monitor_occasion function when handling malformed downlink messages from the gNB.

Testing Context:

  • The test was performed using a locally modified version of 5Ghoul https://github.com/asset-group/5ghoul-5g-nr-attacks , which has been updated to work with OAI 2025.w05.
  • The testing environment consists of an OAI gNB communicating with an OAI UE, where 5Ghoul is used to intercept and modify downlink messages.
  • The goal of the test was to evaluate how OAI UE handles unexpected or malformed control messages.

During testing, I found that sending a malformed RRC message from gNB can consistently trigger a segmentation fault (SIGSEGV) in the UE, leading to a crash. The issue is specifically located in the is_ss_monitor_occasion function: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/2025.w05/openair2/LAYER2/NR_MAC_UE/nr_ue_dci_configuration.c?ref_type=tags#L416

const int duration = ss->duration ? *ss->duration : 1;

The code still exists in the latest develop version of OAI.

Possible Cause:

The segmentation fault is likely caused by one of the following:

  • Null SearchSpace Pointer: The ss pointer might be NULL when the function is_ss_monitor_occasion or search_space_monitoring_ocasion_other_si is called.
  • Uninitialized/Corrupt SearchSpace Structure: The ss structure might be incorrectly initialized or somehow corrupted.

GDB logs:

Thread 20 "UEthread_0" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x741a8f200640 (LWP 400969)]
0x000059191680ba48 in is_ss_monitor_occasion (frame=frame@entry=43, slot=slot@entry=17, slots_per_frame=slots_per_frame@entry=20, ss=0x0) at /home/qiqingh/Desktop/openairinterface5g/openair2/LAYER2/NR_MAC_UE/nr_ue_dci_configuration.c:416
416   const int duration = ss->duration ? *ss->duration : 1;
(gdb) #0  0x000059191680ba48 in is_ss_monitor_occasion (frame=frame@entry=43, slot=slot@entry=17, slots_per_frame=slots_per_frame@entry=20, ss=0x0) at /home/qiqingh/Desktop/openairinterface5g/openair2/LAYER2/NR_MAC_UE/nr_ue_dci_configuration.c:416
        duration = <optimized out>
        monitor = <optimized out>
        period = 0
        offset = 0
#1  0x000059191680c5b0 in ue_dci_configuration (mac=mac@entry=0x741aa4400010, dl_config=dl_config@entry=0x591925d493e8, frame=frame@entry=43, slot=slot@entry=17) at /home/qiqingh/Desktop/openairinterface5g/openair2/LAYER2/NR_MAC_UE/nr_ue_dci_configuration.c:563
        current_DL_BWP = <optimized out>
        dl_bwp_id = <optimized out>
        pdcch_config = <optimized out>
        scs = <optimized out>
        slots_per_frame = 20
        __FUNCTION__ = "ue_dci_configuration"