Segmentation Fault in compute_cqi_bitlen

While testing the OAI UE version (2025.w05), I encountered a segmentation fault (SIGSEGV) in the compute_cqi_bitlen function when handling malformed downlink messages from the gNB.

Testing Context:

  • The test was performed using a locally modified version of 5Ghoul (https://github.com/asset-group/5ghoul-5g-nr-attacks), which has been updated to work with OAI 2025.w05.
  • The testing environment consists of an OAI gNB communicating with an OAI UE, where 5Ghoul is used to intercept and modify downlink messages.
  • The goal of the test was to evaluate how OAI UE handles unexpected or malformed control messages.

During testing, I found that sending a malformed RRC message from the gNB can consistently trigger a segmentation fault (SIGSEGV) in the UE, leading to a crash. The issue is specifically located in the compute_cqi_bitlen function: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/2025.w05/openair2/LAYER2/NR_MAC_COMMON/nr_mac_common.c?ref_type=tags#L5086

if (*freq_config->cqi_FormatIndicator == NR_CSI_ReportConfig__reportFreqConfiguration__cqi_FormatIndicator_widebandCQI) {

This still exists in the latest develop version of OAI.

Possible Cause: The error occurs due to a missing pointer validation check in the compute_cqi_bitlen function in nr_mac_common.c. Specifically, the code dereferences freq_config->cqi_FormatIndicator without first verifying that both freq_config and freq_config->cqi_FormatIndicator are non-NULL. Either pointer can be NULL depending on how the CSI report is configured (both fields are OPTIONAL in the RRC ASN.1, and the decoder leaves absent OPTIONAL fields as NULL pointers), and dereferencing one of them in that state causes the segmentation fault.

GDB logs:

Thread 20 "UEthread_0" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7237de000640 (LWP 1450724)]
compute_cqi_bitlen (csi_reportconfig=csi_reportconfig@entry=0x7237a8010b70, ri_restriction=0 '\000', csi_report=csi_report@entry=0x7237f4523720) at /home/qiqingh/Desktop/openairinterface5g/openair2/LAYER2/NR_MAC_COMMON/nr_mac_common.c:5086
5086    if (*freq_config->cqi_FormatIndicator == NR_CSI_ReportConfig__reportFreqConfiguration__cqi_FormatIndicator_widebandCQI) {
(gdb) #0  compute_cqi_bitlen (csi_reportconfig=csi_reportconfig@entry=0x7237a8010b70, ri_restriction=0 '\000', csi_report=csi_report@entry=0x7237f4523720) at /home/qiqingh/Desktop/openairinterface5g/openair2/LAYER2/NR_MAC_COMMON/nr_mac_common.c:5086
        codebookConfig = 0x0
        freq_config = 0x0
        __FUNCTION__ = "compute_cqi_bitlen"
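To make the cause concrete, here is an added example (not OAI code, and not part of this report) that models the crashing pattern next to a checked variant. The struct layout, the names cqi_is_wideband_unchecked, cqi_is_wideband_checked, make_config and scenario, and the error codes are all assumptions; only the asn1c convention that an OPTIONAL field becomes a pointer that is NULL when absent is taken from how OAI's decoded RRC structures work. The backtrace above shows freq_config = 0x0, which is the first of the two NULL cases the checked version rejects.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the asn1c-generated OAI types. An OPTIONAL ASN.1
 * field becomes a pointer that is NULL when the field was absent in the
 * decoded message. Field names follow the report; the layout is an
 * assumption, not OAI's real struct definition. */
enum cqi_format_indicator { CQI_FORMAT_WIDEBAND = 0, CQI_FORMAT_SUBBAND = 1 };

typedef struct {
    long *cqi_FormatIndicator;                     /* OPTIONAL, may be NULL */
} report_freq_config_t;

typedef struct {
    report_freq_config_t *reportFreqConfiguration; /* OPTIONAL, may be NULL */
} csi_report_config_t;

/* Result codes of the checked variant (hypothetical). */
enum { CQI_OK = 0, CQI_ERR_NO_FREQ_CONFIG = -1, CQI_ERR_NO_FORMAT_INDICATOR = -2 };

/* Unchecked pattern: dereferences the chain blindly. With freq_config == NULL
 * (the value gdb showed) the first dereference already faults. Shown only for
 * contrast with the checked version below. */
int cqi_is_wideband_unchecked(const csi_report_config_t *cfg)
{
    const report_freq_config_t *freq_config = cfg->reportFreqConfiguration;
    return *freq_config->cqi_FormatIndicator == CQI_FORMAT_WIDEBAND;
}

/* Checked variant: each link of the chain is validated before use and a
 * missing field is reported to the caller instead of being dereferenced. */
int cqi_is_wideband_checked(const csi_report_config_t *cfg, int *is_wideband)
{
    if (cfg == NULL || cfg->reportFreqConfiguration == NULL)
        return CQI_ERR_NO_FREQ_CONFIG;
    const report_freq_config_t *freq_config = cfg->reportFreqConfiguration;
    if (freq_config->cqi_FormatIndicator == NULL)
        return CQI_ERR_NO_FORMAT_INDICATOR;
    *is_wideband = (*freq_config->cqi_FormatIndicator == CQI_FORMAT_WIDEBAND);
    return CQI_OK;
}

/* Fixture builder: mimics what the decoder hands to the MAC layer for a
 * message with or without the optional fields (constructed test input). */
static csi_report_config_t *make_config(int has_freq_config, int has_format, long format)
{
    csi_report_config_t *cfg = calloc(1, sizeof *cfg);
    if (cfg == NULL) return NULL;
    if (has_freq_config) {
        cfg->reportFreqConfiguration = calloc(1, sizeof *cfg->reportFreqConfiguration);
        if (has_format && cfg->reportFreqConfiguration != NULL) {
            long *ind = malloc(sizeof *ind);
            if (ind != NULL) *ind = format;
            cfg->reportFreqConfiguration->cqi_FormatIndicator = ind;
        }
    }
    return cfg;
}

static void free_config(csi_report_config_t *cfg)
{
    if (cfg == NULL) return;
    if (cfg->reportFreqConfiguration != NULL) {
        free(cfg->reportFreqConfiguration->cqi_FormatIndicator);
        free(cfg->reportFreqConfiguration);
    }
    free(cfg);
}

/* Runs one scenario through the checked function. Returns 1 for wideband,
 * 0 for subband, or the negative error code when a field is absent. */
int scenario(int has_freq_config, int has_format, long format)
{
    csi_report_config_t *cfg = make_config(has_freq_config, has_format, format);
    int wideband = -1;
    int rc = cqi_is_wideband_checked(cfg, &wideband);
    free_config(cfg);
    return rc == CQI_OK ? wideband : rc;
}

int main(void)
{
    printf("wideband present: %d\n", scenario(1, 1, CQI_FORMAT_WIDEBAND)); /* 1 */
    printf("subband present : %d\n", scenario(1, 1, CQI_FORMAT_SUBBAND));  /* 0 */
    printf("format absent   : %d\n", scenario(1, 0, 0));                   /* -2 */
    printf("freq cfg absent : %d\n", scenario(0, 0, 0));                   /* -1 */
    return 0;
}
```

The point of the checked variant is that a configuration with a missing OPTIONAL field is a normal decoder outcome, not a programming error, so the MAC code has to treat it as input validation: return a distinguishable error code and let the caller reject the CSI-ReportConfig rather than assuming the field is present.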