CVE-2022-39063 Information

Description

When Open5GS UPF receives a PFCP Session Establishment Request it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request it gets the f_teid_len from incoming message and then uses it to copy data from incoming message to struct f_teid without checking the maximum length. If the pdi.local_f_teid.len exceeds the maximum length of the struct of f_teid the memcpy() overwrites the fields (e.g. f_teid_len) after f_teid in the pdr struct. After parsing the request the UPF starts to build a response. The f_teid_len with its overwritten value is used as a length for memcpy(). A segmentation fault occurs as a result of a memcpy() if this overwritten value is large enough.

Reference

https://www.synopsys.com/blogs/software-security/cyrc-advisory-open5gs/