From 056b50c9c8cf2b69e3a057d9aedde3b00634b6ca Mon Sep 17 00:00:00 2001
From: Sukchan Lee
Date: Thu, 6 Feb 2025 21:24:39 +0900
Subject: [PATCH] [AMF] Fix crash on duplicate PDU session requests due to NULL SUPI (#3710)

When a duplicate PDU session establishment is received, the AMF logs a warning and proceeds to update the SM context via the SBI interface. This process eventually calls amf_nsmf_pdusession_build_create_sm_context(), which uses the SUPI to build the SBI URI header. If the SUPI is NULL, then the header's resource component becomes NULL. This leads to a call to ogs_uridup() that asserts on the NULL value, causing a crash. This commit adds a check before invoking the SBI update. If the SUPI is NULL, the update is skipped and a warning is logged. This prevents the invalid URI build process and avoids the subsequent crash in ogs_uridup().
---
 src/amf/nsmf-handler.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/amf/nsmf-handler.c b/src/amf/nsmf-handler.c
index 50828d93ff..c681ad156b 100644
--- a/src/amf/nsmf-handler.c
+++ b/src/amf/nsmf-handler.c
@@ -681,7 +681,29 @@ int amf_nsmf_pdusession_handle_update_sm_context(
 ogs_warn("[%s:%d] Receive Update SM context" "(DUPLICATED_PDU_SESSION_ID)", amf_ue->supi, sess->psi);
- if (ran_ue) {
+ /*
+ * Issue #3710
+ *
+ * A duplicate PDU Session Establishment is received.
+ * The system intends to update the SM context via the SBI.
+ *
+ * The process is as follows:
+ * 1. Log a warning including the SUPI (subscriber ID) and psi.
+ * 2. Call amf_sess_sbi_discover_and_send() with a pointer
+ * to amf_nsmf_pdusession_build_create_sm_context().
+ * 3. This function (amf_nsmf_pdusession_build_create_sm_context)
+ * will eventually build the SBI request header and call
+ * ogs_sbi_server_uri(), which internally calls ogs_uridup().
+ * 4. If the SUPI (used as header.resource.component[0]) is NULL,
+ * ogs_uridup asserts on the NULL value and causes a crash.
+ *
+ * To prevent this, we check for a NULL SUPI before calling the
+ * update function.
+ */
+ if (!amf_ue->supi) {
+ ogs_warn("SUPI is NULL. Skipping update SM context for "
+ "duplicated PDU Session (psi: %d)", sess->psi);
+ } else if (ran_ue) {
 r = amf_sess_sbi_discover_and_send( OGS_SBI_SERVICE_TYPE_NSMF_PDUSESSION, NULL, amf_nsmf_pdusession_build_create_sm_context,
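Review bot: The new `if (!amf_ue->supi)` guard sits after the context `ogs_warn("[%s:%d] Receive Update SM context" ...)` call, which passes `amf_ue->supi` to `%s`, so in exactly the case this patch handles a NULL pointer still reaches the log formatter; that is only safe if the formatter tolerates NULL, which is not visible here. Hoisting the check above that warning, or logging `amf_ue->supi ? amf_ue->supi : "(null)"`, would remove the dependency. The guard also protects only this call site, while the commit message places the assert further down the path through amf_nsmf_pdusession_build_create_sm_context(); if other callers can reach that builder before a SUPI is set, rejecting the request there instead of asserting would close the crash for them too. The new warning prints only the psi, so a log reader cannot tell which UE context triggered it; adding whatever identifier is available without a SUPI would help detection. The enclosing function starts and ends outside the hunk, so what happens to the duplicated session after the skip could not be checked.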