[16784] Malformed DATA submessage leads to bad-free during SPDP #3207

Closed
Description

@squizz617

Is there an already existing issue for this?

  • I have searched the existing issues

Expected behavior

Malformed submessages should be handled properly.

Current behavior

  • Compiled with gcc 9.4.0:
$ ./DDSHelloWorldExample publisher
Starting 
Publisher running 10 samples.
free(): invalid pointer
[1]    2257088 abort      ./DDSHelloWorldExample publisher
  • Compiled with ASAN + afl-clang-fast:
$ ./DDSHelloWorldExample publisher 
Starting 
Publisher running 10 samples.
=================================================================
2023-01-11 14:43:46.492 [RTPS_MSG_IN Warning] (ID:140251965019904) Serialized Payload value invalid or larger than maximum allowed size(28160/0) -> Function proc_Submsg_Data
==2252002==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x63100001482c in thread T3
    #0 0x4aa3d2 in free (/home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x4aa3d2)
    #1 0x7f8efa4a5529 in eprosima::fastrtps::rtps::SerializedPayload_t::empty() /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/include/fastdds/rtps/common/SerializedPayload.h:158:13
    #2 0x7f8efa4a5529 in eprosima::fastrtps::rtps::SerializedPayload_t::~SerializedPayload_t() /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/include/fastdds/rtps/common/SerializedPayload.h:92:15
    #3 0x7f8efa4a5529 in eprosima::fastrtps::rtps::CacheChange_t::~CacheChange_t() /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/include/fastdds/rtps/common/CacheChange.h:184:5
    #4 0x7f8efa59fb20 in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Data(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*) const /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:857:1
    #5 0x7f8efa5994cf in eprosima::fastrtps::rtps::MessageReceiver::processCDRMsg(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::CDRMessage_t*) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:419:29
    #6 0x7f8efa5d52e0 in eprosima::fastrtps::rtps::ReceiverResource::OnDataReceived(unsigned char const*, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:132:14
    #7 0x7f8efa85ac74 in eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:70:33
    #8 0x7f8efa860bdf in void std::__invoke_impl<void, void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(std::__invoke_memfun_deref, void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:73:14
    #9 0x7f8efa860bdf in std::__invoke_result<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>::type std::__invoke<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
    #10 0x7f8efa860bdf in void std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:244:13
    #11 0x7f8efa860bdf in std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::operator()() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:251:11
    #12 0x7f8efa860bdf in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> > >::_M_run() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:195:13
    #13 0x7f8ef980cde3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6de3)
    #14 0x7f8ef9cb2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #15 0x7f8ef94f7132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x63100001482c is located 44 bytes inside of 65500-byte region [0x631000014800,0x6310000247dc)
allocated by thread T0 here:
    #0 0x4aa63d in malloc (/home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x4aa63d)
    #1 0x7f8efa859706 in eprosima::fastrtps::rtps::CDRMessage_t::CDRMessage_t(unsigned int) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/include/fastdds/rtps/common/CDRMessage_t.h:79:30
    #2 0x7f8efa859706 in eprosima::fastdds::rtps::ChannelResource::ChannelResource(unsigned int) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/transport/ChannelResource.cpp:45:7

Thread T3 created by T0 here:
    #0 0x49499c in pthread_create (/home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x49499c)
    #1 0x7f8ef980d0a8 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd70a8)
    #2 0x7f8efa91a964 in eprosima::fastdds::rtps::UDPTransportInterface::CreateInputChannelResource(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastrtps::rtps::Locator_t const&, bool, unsigned int, eprosima::fastdds::rtps::TransportReceiverInterface*) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:233:50
    #3 0x7f8efa920142 in eprosima::fastdds::rtps::UDPTransportInterface::OpenAndBindInputSockets(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, bool, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:207:34
    #4 0x7f8efa8b53cd in eprosima::fastdds::rtps::UDPv4Transport::OpenInputChannel(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/transport/UDPv4Transport.cpp:327:19
    #5 0x7f8efa5d3d86 in eprosima::fastrtps::rtps::ReceiverResource::ReceiverResource(eprosima::fastdds::rtps::TransportInterface&, eprosima::fastrtps::rtps::Locator_t const&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:43:24
    #6 0x7f8efa5ca610 in eprosima::fastrtps::rtps::NetworkFactory::BuildReceiverResources(eprosima::fastrtps::rtps::Locator_t&, std::vector<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource>, std::allocator<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource> > >&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/network/NetworkFactory.cpp:74:25
    #7 0x7f8efa5e1516 in eprosima::fastrtps::rtps::RTPSParticipantImpl::createReceiverResources(eprosima::fastdds::rtps::LocatorList&, bool, bool) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:1680:38
    #8 0x7f8efa5db29a in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:354:5
    #9 0x7f8efa5e3c53 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:449:7
    #10 0x7f8efa7f1b8a in eprosima::fastdds::dds::DomainParticipantImpl::enable() /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantImpl.cpp:268:16
    #11 0x7f8efb07cf80 in eprosima::fastdds::statistics::dds::DomainParticipantImpl::enable() /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/statistics/fastdds/domain/DomainParticipantImpl.cpp:253:52
    #12 0x7f8efa82c8d7 in eprosima::fastdds::dds::DomainParticipant::enable() /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/src/cpp/fastdds/domain/DomainParticipant.cpp:110:36
    #13 0x4e3b08 in HelloWorldPublisher::init(bool) /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/examples/cpp/dds/HelloWorldExample/HelloWorldPublisher.cpp:66:29
    #14 0x514bd6 in main /home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/examples/cpp/dds/HelloWorldExample/HelloWorld_main.cpp:309:23
    #15 0x7f8ef93fc082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: bad-free (/home/seulbae/ddssecurity/targets/fastdds-290-afl/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x4aa3d2) in free
==2252002==ABORTING

Steps to reproduce

  1. Run DDSHelloWorldExample. Publisher/subscriber doesn't matter as the bug is in the discovery layer.
$ cd path/to/fastdds_colcon_workspace/
$ source install/setup.sh
$ cd src/fastrtps/examples/cpp/dds/HelloWorldExample
$ ./DDSHelloWorldExample publisher
  2. Send the following RTPS submessage to a relevant discovery recipient, e.g., 239.255.0.1:7400.
0000  45 00 00 4C 00 01 40 00 40 11 D9 92 80 3D F0 CF  E..L..@.@....=..
0010  EF FF 00 01 05 39 1C E8 00 38 BC EC 52 54 50 53  .....9...8..RTPS
0020  02 04 01 0F 01 03 02 42 AC 11 00 02 45 E5 E2 FD  .......B....E...
0030  15 17 18 00 00 00 10 92 00 00 00 00 00 01 00 C2  ................
0040  00 00 00 00 02 00 00 00 01 00 00 00              ............

This packet is also available in the attached pcap down below. The Data Submessage begins at offset 0x30.

The Scapy RTPS dissector interprets the submessage as:

###[ RTPS Message ]### 
           \submessages\
            |###[ RTPS DATA (0x15) ]### 
            |  submessageId= 0x15
            |  submessageFlags= 0x17
            |  octetsToNextHeader= 24
            |  extraFlags= 0x0
            |  octetsToInlineQoS= 37392
            |  readerEntityIdKey= 0x0
            |  readerEntityIdKind= 0x0
            |  writerEntityIdKey= 0x100
            |  writerEntityIdKind= 0xc2
            |  writerSeqNumHi= 0
            |  writerSeqNumLow= 2
            |  \inlineQoS \
            |   |###[ Inline QoS ]### 
            |   |  \parameters\
            |   |  \sentinel  \
            |   |   |###[ PID_SENTINEL ]### 
            |   |   |  parameterId= 0x1
            |   |   |  parameterLength= 0
            |   |   |  parameterData= ''
            |  data      = ''

The same bug can be triggered by sending the same Data submessage with octetsToNextHeader = 0 instead of 24.

  3. DDSHelloWorldExample crashes. Please refer to the ASAN error message posted in the "Current behavior" section.

Fast DDS version/commit

Found on commit 0ee59f6.
Also tested on v2.9.0 (4c55488).

Platform/Architecture

Ubuntu Focal 20.04 amd64

Transport layer

Default configuration, UDPv4 & SHM

Additional context

No response

XML configuration file

No response

Relevant log output

No response

Network traffic capture

PCAP: fastdds-bad_free.zip
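As an added example (not part of the report and not Fast DDS code), the bounds check a receiver needs before trusting octetsToInlineQos: a small Python parser, fed the DATA submessage bytes from the hex dump above (offset 0x30 onward), that rejects the malformed submessage instead of computing a payload position outside the received buffer. Field layout, flag bits and the 16-byte minimum offset follow the RTPS wire format; the function and field names are my own.

```python
import struct

# Constructed from the report's hex dump, offset 0x30 onward: the DATA submessage only.
MALFORMED_DATA = bytes.fromhex(
    "15171800"              # submessageId=0x15 (DATA), flags=0x17, octetsToNextHeader=24
    "00001092"              # extraFlags=0, octetsToInlineQos=0x9210 = 37392 (should be 16)
    "00000000" "000100c2"   # readerId, writerId (0x000100c2: SPDP builtin writer)
    "0000000002000000"      # writerSN high=0, low=2
    "01000000"              # inline QoS: PID_SENTINEL, length 0
)
FLAG_E, FLAG_Q = 0x01, 0x02
FIXED_BODY = 2 + 2 + 4 + 4 + 8          # extraFlags..writerSN, precedes inline QoS/payload
PID_SENTINEL = 0x0001

def parse_data_submessage(msg: bytes, off: int = 0):
    """Parse one RTPS DATA submessage at `off`. Returns (fields, errors); any error means
    the submessage must be dropped before a CacheChange is built from it."""
    fields, errors = {}, []
    if len(msg) - off < 4 + FIXED_BODY:
        return fields, ["submessage truncated"]
    sub_id, flags = msg[off], msg[off + 1]
    e = "<" if flags & FLAG_E else ">"     # E flag set means little-endian body
    (to_next,) = struct.unpack_from(e + "H", msg, off + 2)
    body = off + 4
    # octetsToNextHeader == 0 is legal only for the last submessage: it runs to the end.
    sub_end = len(msg) if to_next == 0 else body + to_next
    fields.update(submessage_id=sub_id, flags=flags, octets_to_next_header=to_next)
    if sub_id != 0x15 or sub_end > len(msg) or sub_end - body < FIXED_BODY:
        return fields, errors + ["not a DATA submessage or length exceeds the message"]
    _, to_qos = struct.unpack_from(e + "HH", msg, body)
    sn_hi, sn_lo = struct.unpack_from(e + "iI", msg, body + 12)
    fields.update(octets_to_inline_qos=to_qos, writer_id=msg[body + 8:body + 12].hex(),
                  writer_sn=(sn_hi << 32) | sn_lo)
    pos = body + 4 + to_qos                  # where inline QoS (or the payload) starts
    if to_qos < FIXED_BODY - 4 or pos > sub_end:
        errors.append(f"octetsToInlineQos={to_qos} points outside the submessage")
        return fields, errors
    if flags & FLAG_Q:                       # walk the ParameterList up to PID_SENTINEL
        while True:
            if sub_end - pos < 4:
                return fields, errors + ["inline QoS runs past the submessage end"]
            pid, plen = struct.unpack_from(e + "HH", msg, pos)
            pos += 4
            if pid == PID_SENTINEL:
                break
            if plen % 4 or pos + plen > sub_end:
                return fields, errors + [f"parameter 0x{pid:04x} length {plen} invalid"]
            pos += plen
    fields["payload_len"] = sub_end - pos     # only now is the payload slice safe to copy
    return fields, errors
```

The octetsToNextHeader = 0 variant mentioned in the report is rejected by the same check, since the submessage then runs to the end of the datagram and the inline QoS offset still lands outside it.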
