Key Information Summary

Bug Description

Bug Title: SMF crashes on PFCP SessionReportRequest with ReportType.USAR=1 and UsageReport missing URRID
Issue Number: #807
Status: Closed

Bug Details

Bug Description: The free5gc SMF crashes when it receives a malformed PFCP SessionReportRequest from a UPF or attacker, specifically when the report sets ReportType.USAR=1 and includes a UsageReport IE but omits the mandatory URRID sub-IE. This causes a nil pointer dereference in the SMF code, resulting in a panic.
Impact: Denial of Service (SMF panic)
Vulnerability: SMF does not properly validate the SessionReportRequest message, allowing an attacker to crash the SMF by sending a malformed request.

To Reproduce

Steps:
1. Start the fake UPF code provided in the issue description.
2. Attach the UE and establish a PDU session using UERANSIM.
3. Trigger RRC release (M-IDL) without releasing the PDU session.
4. The fake UPF should crash the SMF.

Expected Behavior

The SMF should validate the required sub-IEs in the UsageReport (including URRID) and reject malformed SessionReportRequests without crashing.

Environment

Free5GC Version: v4.1.0
OS: Ubuntu 22.04.4
Kernel: 5.15.0-0ubuntu3-generic
Go Version: go1.20.4 linux/amd64

Trace Files

Configuration Files: Provided in the issue description.
PCAP File: Not attached in the screenshot.
Log File: Logs showing the crash and error messages.

Comments and Fixes

Contributors: @Alonza0314, @DBGr18, @LinZiyuu
Fix: The issue was addressed by ensuring proper validation of required sub-IEs in PFCP messages and handling nil pointer dereferences gracefully.
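The check that Expected Behavior calls for, shown beside the unchecked dereference, as an added Go example that is not free5gc's code or the actual fix. The struct types and function names are simplified, hypothetical stand-ins for the PFCP IEs, and the malformed request is constructed in memory.

```go
package main

import "fmt"

// Simplified stand-ins for the PFCP IEs (hypothetical names, not free5gc's own types).
type URRID struct{ Value uint32 }
type UsageReport struct{ URRID *URRID } // nil when the sender omitted the sub-IE
type SessionReportRequest struct {
	USAR         bool // ReportType.USAR
	UsageReports []*UsageReport
}

// uncheckedURRIDs reproduces the failure mode: URRID is dereferenced without a nil check.
func uncheckedURRIDs(req *SessionReportRequest) []uint32 {
	var ids []uint32
	for _, ur := range req.UsageReports {
		ids = append(ids, ur.URRID.Value)
	}
	return ids
}

// validatedURRIDs rejects the whole message if any report lacks the mandatory sub-IE.
func validatedURRIDs(req *SessionReportRequest) ([]uint32, error) {
	if req == nil || !req.USAR {
		return nil, nil // no usage reports to process
	}
	ids := make([]uint32, 0, len(req.UsageReports))
	for i, ur := range req.UsageReports {
		if ur == nil || ur.URRID == nil {
			return nil, fmt.Errorf("usage report %d: missing mandatory URRID", i)
		}
		ids = append(ids, ur.URRID.Value)
	}
	return ids, nil
}

// panics runs f and reports whether it panicked, so the crash is observable without dying.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return
}

func main() {
	// Constructed input: USAR set, one UsageReport with no URRID.
	bad := &SessionReportRequest{USAR: true, UsageReports: []*UsageReport{{}}}
	fmt.Println("unchecked panics:", panics(func() { uncheckedURRIDs(bad) }))
	_, err := validatedURRIDs(bad)
	fmt.Println("validated:", err)
}
```

Returning an error lets the handler answer the peer with a rejection cause and log the offending report index, rather than relying on a process-wide `recover` to mask the dereference.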