
Segmentation Fault in rfsimulator_read

While testing the OAI UE (version 2025.w05), I encountered a segmentation fault (SIGSEGV) in the rfsimulator_read function when handling malformed downlink messages from the gNB.

Testing Context:

  • The test was performed using a locally modified version of 5Ghoul (https://github.com/asset-group/5ghoul-5g-nr-attacks), which has been updated to work with OAI 2025.w05.
  • The testing environment consists of an OAI gNB communicating with an OAI UE, where 5Ghoul is used to intercept and modify downlink messages.
  • The goal of the test was to evaluate how OAI UE handles unexpected or malformed control messages.

During testing, I found that sending a malformed RRC message from the gNB can consistently trigger a segmentation fault (SIGSEGV) in the UE, leading to a crash. The issue is specifically located in the rfsimulator_read function: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/2025.w05/radio/rfsimulator/simulator.c?ref_type=tags#L1052

out[i].r += (short)(ptr->circularBuf[((firstIndex + i) * nbAnt_tx + a_tx) % CirSize].r * H_awgn_mimo[a][a_tx]);

The issue still exists in the latest develop branch of OAI.

Possible Cause:

  1. Fixed-size H_awgn_mimo array: The array is defined as a 4x4 matrix, but the code doesn't check whether the indices exceed these dimensions. The variable a comes from the loop for (int a = 0; a < nbAnt; a++), and if nbAnt exceeds 4, it will cause an out-of-bounds access.

  2. Missing boundary checks: There's no validation before accessing H_awgn_mimo[a][a_tx] to ensure these indices are within the array's bounds (0-3).

  3. Unrestricted loop variables: The loops use a < nbAnt and a_tx < nbAnt_tx as conditions without ensuring these values don't exceed the H_awgn_mimo dimensions (4x4).

I think adding appropriate boundary checks may resolve this issue.
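To make the proposed check concrete, below is a stand-alone model of the mixing loop with the antenna counts validated against the 4x4 matrix before any indexing happens. This is an added example, not code from OAI or from the reporter; the names SampleIQ, MAX_ANT, CIR_SIZE, mix_rx_antennas and the demo_* helpers are assumptions chosen for illustration, the loop structure is modelled on the quoted line, and the H_awgn_mimo coefficients are copied from the GDB dump. The sample input is constructed. The example shows how the check rejects a call whose antenna count would step past the matrix while leaving a valid call (nbAnt=1, nbAnt_tx=2, as in the GDB frame) unchanged; it does not by itself diagnose the particular crashing frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OAI's code. MAX_ANT mirrors the fixed 4x4 H_awgn_mimo
   described in the report; CIR_SIZE is a small constructed circular buffer. */
#define MAX_ANT  4
#define CIR_SIZE 16

typedef struct { short r, i; } SampleIQ;   /* assumed I/Q sample type */

/* Coefficients as shown in the GDB dump of H_awgn_mimo. */
static const double H_awgn_mimo[MAX_ANT][MAX_ANT] = {
  {1.0,  0.2, 0.1, 0.05},
  {0.2,  1.0, 0.2, 0.1 },
  {0.1,  0.2, 1.0, 0.2 },
  {0.05, 0.1, 0.2, 1.0 },
};

/* Hardened mixing loop (assumed signature). Returns 0 on success and -1 when
   the receive or transmit antenna count would index outside H_awgn_mimo, or
   when a pointer argument is unusable. The unchecked loop in the report indexes
   H_awgn_mimo[a][a_tx] for every a < nbAnt and a_tx < nbAnt_tx. */
int mix_rx_antennas(SampleIQ *out[], size_t nsamps, int nbAnt,
                    const SampleIQ *circularBuf, size_t cirSize,
                    int nbAnt_tx, uint64_t firstIndex)
{
  if (nbAnt <= 0 || nbAnt > MAX_ANT || nbAnt_tx <= 0 || nbAnt_tx > MAX_ANT)
    return -1;                                   /* would leave the 4x4 matrix */
  if (out == NULL || circularBuf == NULL || cirSize == 0)
    return -1;

  for (int a = 0; a < nbAnt; a++) {
    if (out[a] == NULL) return -1;               /* one output buffer per rx antenna */
    for (size_t i = 0; i < nsamps; i++) {
      double acc_r = 0.0, acc_i = 0.0;
      for (int a_tx = 0; a_tx < nbAnt_tx; a_tx++) {
        /* Same interleaved layout and modulo wrap as the quoted line. */
        size_t idx = (size_t)(((firstIndex + i) * (uint64_t)nbAnt_tx
                               + (uint64_t)a_tx) % cirSize);
        acc_r += circularBuf[idx].r * H_awgn_mimo[a][a_tx];
        acc_i += circularBuf[idx].i * H_awgn_mimo[a][a_tx];
      }
      out[a][i].r = (short)acc_r;
      out[a][i].i = (short)acc_i;
    }
  }
  return 0;
}

/* Constructed input: every circular-buffer slot holds the sample (100, -100). */
static SampleIQ g_cbuf[CIR_SIZE];
static SampleIQ g_out0[8];

static void fill_constructed_input(void)
{
  for (size_t k = 0; k < CIR_SIZE; k++) { g_cbuf[k].r = 100; g_cbuf[k].i = -100; }
  memset(g_out0, 0, sizeof g_out0);
}

/* Valid case matching the GDB frame (nbAnt=1, nbAnt_tx=2). Returns the real
   part of the first output sample: 100*1.0 + 100*0.2 = 120. */
int demo_valid_case(void)
{
  fill_constructed_input();
  SampleIQ *out[MAX_ANT] = { g_out0, NULL, NULL, NULL };
  if (mix_rx_antennas(out, 8, 1, g_cbuf, CIR_SIZE, 2, 0) != 0) return -1;
  return g_out0[0].r;
}

/* Rejected case: nbAnt_tx=5 would read H_awgn_mimo[a][4], one past the row. */
int demo_rejected_case(void)
{
  fill_constructed_input();
  SampleIQ *out[MAX_ANT] = { g_out0, NULL, NULL, NULL };
  return mix_rx_antennas(out, 8, 1, g_cbuf, CIR_SIZE, 5, 0);
}

int main(void)
{
  printf("valid case, out[0][0].r = %d\n", demo_valid_case());
  printf("rejected case, rc = %d\n", demo_rejected_case());
  return 0;
}
```

The check costs two comparisons per call and turns a silent out-of-bounds read into an error the caller can log; in the real driver the same validation would belong wherever nbAnt and nbAnt_tx are taken from the peer's configuration, before the sample loop runs.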

GDB logs:

Thread 20 "UEthread_0" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ac13f600640 (LWP 779711)]
0x00007ac16a00dc73 in rfsimulator_read (device=<optimized out>, ptimestamp=0x7ac13f5fcb68, samplesVoid=0x7ac13f5fcc10, nsamps=23040, nbAnt=1) at /home/qiqingh/Desktop/openairinterface5g/radio/rfsimulator/simulator.c:1052
1052                  out[i].r += (short)(ptr->circularBuf[((firstIndex + i) * nbAnt_tx + a_tx) % CirSize].r * H_awgn_mimo[a][a_tx]);
(gdb) #0  0x00007ac16a00dc73 in rfsimulator_read (device=<optimized out>, ptimestamp=0x7ac13f5fcb68, samplesVoid=0x7ac13f5fcc10, nsamps=23040, nbAnt=1) at /home/qiqingh/Desktop/openairinterface5g/radio/rfsimulator/simulator.c:1052
        a_tx = 0
        i = <optimized out>
        H_awgn_mimo = {{1, 0.20000000000000001, 0.10000000000000001, 0.050000000000000003}, {0.20000000000000001, 1, 0.20000000000000001, 0.10000000000000001}, {0.10000000000000001, 0.20000000000000001, 1, 0.20000000000000001}, {0.050000000000000003, 0.10000000000000001, 0.20000000000000001, 1}}
        nbAnt_tx = 2
        firstIndex = <optimized out>
        out = <optimized out>
        a = 0
        reGenerateChannel = false
        ptr = <optimized out>
        sock = <optimized out>
        t = 0x7ac1340017d0
        __FUNCTION__ = "rfsimulator_read"