@solar224 solar224 commented Dec 26, 2025

@Alonza0314

[Bugs] NEF incorrectly returns 500 for missing PFD data (UDR 404) in Nnef_PfdManagement GET request (JSON parse error: invalid character 'n')

Problem:
When PFD data was not found, UDR returned 404 but continued executing
and wrote 'null' to the response body after the ProblemDetails JSON.
This created invalid JSON like '{...}null', causing NEF to fail parsing
with 'invalid character n after top-level value' and return 500.

Solution:
Add return statements after error responses in the following functions:
- GetApplicationDataIndividualPfdFromDBProcedure
- PutApplicationDataIndividualPfdToDBProcedure
- PolicyDataBdtDataGetProcedure
- PolicyDataSubsToNotifySubsIdDeleteProcedure
- PolicyDataSubsToNotifySubsIdPutProcedure
- PolicyDataUesUeIdAmDataGetProcedure
- PolicyDataUesUeIdOperatorSpecificDataGetProcedure
- PolicyDataUesUeIdOperatorSpecificDataPatchProcedure (2 locations)

Fixes: free5gc/free5gc#753
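
The missing-return pattern described in this PR, reduced to a stand-alone sketch (an added example, not code from free5GC or from this PR). The names `pfdHandler`, `writeJSON`, `problemDetails`, the cause string and the request path are assumptions; it uses only `net/http` and `httptest`, and calling with `withReturn=false` reproduces the `{...}null` body and the resulting parse error on the consumer side.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// problemDetails is a reduced stand-in for the ProblemDetails error body.
type problemDetails struct {
	Status int    `json:"status"`
	Cause  string `json:"cause"`
}

// writeJSON sets the status code and writes v as JSON, like a framework helper.
func writeJSON(w http.ResponseWriter, status int, v interface{}) {
	w.WriteHeader(status)
	b, _ := json.Marshal(v)
	_, _ = w.Write(b)
}

// pfdHandler serves a lookup that finds nothing; withReturn=false omits the return.
func pfdHandler(withReturn bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var data map[string]interface{} // constructed "not found" result: nil
		if data == nil {
			writeJSON(w, http.StatusNotFound, problemDetails{404, "DATA_NOT_FOUND"})
			if withReturn {
				return
			}
		}
		writeJSON(w, http.StatusOK, data) // reached without the return: appends "null"
	}
}

// fetch runs the handler and parses the body as a consumer expecting one JSON value.
func fetch(withReturn bool) (int, string, error) {
	rec := httptest.NewRecorder()
	pfdHandler(withReturn)(rec, httptest.NewRequest(http.MethodGet, "/pfd/app1", nil))
	var pd problemDetails
	err := json.Unmarshal(rec.Body.Bytes(), &pd)
	return rec.Code, rec.Body.String(), err
}

func main() {
	fmt.Println(fetch(false))
	fmt.Println(fetch(true))
}
```

The status code stays 404 in both cases because the second status write is ignored once the header has been sent; only the body differs, which is why the defect surfaces in the consumer's JSON parser rather than in the producer.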
@Alonza0314
Member

@roundspring2003 Please help to check it

@zfei10990-cmd

Hi @Alonza0314,

Regarding the fixed issue #753 (NEF incorrectly returning 500), I'd like to respectfully request a re-evaluation for a potential CVE assignment.

While I appreciate @solar224's perspective viewing it as a logic bug, I believe it has measurable security implications:
- Information Exposure (CWE-209): The error invalid character 'n' after top-level value is an internal parsing detail leaked to untrusted clients. Consistent exposure of such system-level error messages can aid attackers in fingerprinting server software and logic flow.
- Reliable Security-Relevant Behavior (CWE-388): The bug reliably causes the system to misrepresent its state—returning a 500 (Server Error) for what should be a 404 (Client Not Found). This blurring of error boundaries is a classic flaw that can be exploited in probing attacks to distinguish system failures from user errors.

These characteristics align with established vulnerability patterns. Assigning a CVE would:
- Formally document the security improvement made by the fix.
- Help users and downstream dependents be aware of the patched behavior.
- Follow industry best practices for handling bug-to-vulnerability transitions.

I'm happy to provide any additional technical description required for the process. Thank you for your consideration.

@roundspring2003
Contributor

@solar224, there are still some places that should have returned that were missed. For example: QueryAmfContext3gppProcedure (amf3_gpp_access_registration_document.go). Please help check other files.

@Alonza0314
Member

Hi @zfei10990-cmd,

I can help proceed with reporting this via a GitHub Security Advisory.
To complete the advisory draft, could you please help provide the following information?

### Impact
What kind of vulnerability is it, and who may be impacted?
 
### Patches
Has the issue been patched? If so, which versions should users upgrade to?
 
### Workarounds
Are there any recommended mitigations or workarounds without upgrading?
 
### References
Any relevant links, such as the fixing commit, pull request, or related discussions.

Additionally, for the Credits section of the advisory, would it be okay if I list you as the reporter of this issue?

Thanks in advance for your help.

@zfei10990-cmd

Hi @Alonza0314,
Thank you very much for initiating the process. I'm happy to provide the requested information.

### Impact
This is an Improper Error Handling vulnerability (CWE-388) with Information Exposure (CWE-209).
- Security Impact: The NEF component reliably leaks internal parsing errors (e.g., invalid character 'n' after top-level value) to remote clients. This can aid attackers in fingerprinting server software and logic flows.
- Functional Impact: The system misrepresents its state by returning a 500 Internal Server Error for conditions that should be a client-caused 404 Not Found. This blurs security-relevant error boundaries and hinders accurate troubleshooting.
- Affected Parties: All deployments of free5GC v4.0.1 using the Nnef_PfdManagement service.

### Patches
Yes, the issue has been patched.
The root cause was fixed in commit 91bb34b (fix: add missing return statements after error responses).
Users should upgrade to the next release of free5GC that includes this commit.

### Workarounds
There is no direct workaround at the application level. The recommendation is to apply the provided patch.

### References
- Issue Report: free5gc/free5gc#753
- Fixing Pull Request: #56
- Fixing Commit: 91bb34b

Regarding the Credits, yes, it would be perfectly fine to list me (zfei10990-cmd) as the reporter. Thank you for asking.
Please let me know if you need any further details.

@Alonza0314
Member

Alonza0314 commented Dec 29, 2025

@zfei10990-cmd
I've requested it via GitHub Security Advisories.
As I have seen the replies on the issue's page, could you help provide the description in the same format as above under those issues? That will be more convenient for me to create the CVE request. Thank you very much!
