When the Open5GS UPF receives a PFCP Session Establishment Request, it stores values from the request for building the PFCP Session Establishment Response. On receiving the request, the UPF reads fteidlen from the incoming message and uses it to copy data from the message into the fteid struct without checking it against the maximum length. If pdi.localfteid.len exceeds the size of the fteid struct, the memcpy() overwrites the fields that follow fteid in the pdr struct (e.g., fteidlen). After parsing the request, the UPF starts to build the response, and fteid_len, with its overwritten value, is used as the length for a memcpy(). If this overwritten value is large enough, that memcpy() causes a segmentation fault.
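The two missing checks described above, shown on a simplified model as an added example (this is not Open5GS code). The model_* names, the struct layout and the 21-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed F-TEID buffer; not taken from Open5GS. */
#define MODEL_FTEID_MAX 21

/* Simplified stand-in for the pdr struct: the length field sits directly
 * after the fixed-size buffer, so an oversized copy would overwrite it. */
typedef struct {
    uint8_t  fteid[MODEL_FTEID_MAX];
    uint32_t fteid_len;
} model_pdr_t;

/* Request side: copy the F-TEID only when the message length fits. */
int model_store_fteid(model_pdr_t *pdr, const uint8_t *ie, size_t ie_len)
{
    if (ie == NULL || ie_len == 0 || ie_len > sizeof(pdr->fteid))
        return -1; /* reject instead of letting memcpy() run past fteid */
    memcpy(pdr->fteid, ie, ie_len);
    pdr->fteid_len = (uint32_t)ie_len;
    return 0;
}

/* Response side: re-validate the stored length before it becomes a
 * memcpy() size, so a corrupted value cannot drive the copy. */
int model_build_response(const model_pdr_t *pdr, uint8_t *out, size_t out_cap)
{
    if (pdr->fteid_len == 0 || pdr->fteid_len > sizeof(pdr->fteid) ||
        pdr->fteid_len > out_cap)
        return -1;
    memcpy(out, pdr->fteid, pdr->fteid_len);
    return (int)pdr->fteid_len;
}

int main(void)
{
    /* Constructed inputs: a 9-byte F-TEID and an oversized 64-byte one. */
    uint8_t ok[9] = {0x01, 0, 0, 0, 1, 10, 0, 0, 1};
    uint8_t big[64] = {0};
    uint8_t out[MODEL_FTEID_MAX];
    model_pdr_t pdr = {0};

    printf("valid store: %d\n", model_store_fteid(&pdr, ok, sizeof ok));
    printf("oversized store: %d\n", model_store_fteid(&pdr, big, sizeof big));
    printf("response length: %d\n", model_build_response(&pdr, out, sizeof out));
    return 0;
}
```

The length check on the response side is defence in depth: it still rejects the request if some other path has corrupted the stored length.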