
Malformed GAP submessage triggers assertion failure

High
MiguelCompany published GHSA-fcr6-x23w-94wp Aug 11, 2023

Package

Fast DDS

Affected versions

2.9.1

Patched versions

>= 2.10.0 / 2.9.2 / 2.6.5

Description

Summary

A malformed GAP submessage can trigger an assertion failure, crashing FastDDS.

Details

Found and tested on Fast-DDS 2.9.1, Ubuntu 20.04.

Stderr:

DDSSecureHelloWorldExample: /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/include/fastdds/rtps/common/SequenceNumber.h:247: eprosima::fastrtps::rtps::SequenceNumber_t eprosima::fastrtps::rtps::operator-(const eprosima::fastrtps::rtps::SequenceNumber_t &, const uint32_t): Assertion `0 < res.high' failed.

Submessage that triggers the bug:

submessageId: GAP (0x08)
    Flags: 0x01, Endianness bit
    octetsToNextHeader: 28
    readerEntityId: ENTITYID_UNKNOWN (0x00000000)
    writerEntityId: ENTITYID_P2P_BUILTIN_PARTICIPANT_MESSAGE_WRITER (0x000200c2)
    gapStart: 223692704932764539
    gapList
        bitmapBase: 0
        numBits: 0

GDB backtrace:

pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff4369859 in __GI_abort () at abort.c:79
#2  0x00007ffff4369729 in __assert_fail_base (fmt=0x7ffff44ff588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff75dcc80 <str> "0 < res.high", file=0x7ffff75dccc0 <str> "/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/include/fastdds/rtps/common/SequenceNumber.h", line=247, function=<optimized out>) at assert.c:92
#3  0x00007ffff437afd6 in __GI___assert_fail (assertion=0x7ffff75dcc80 <str> "0 < res.high", file=0x7ffff75dccc0 <str> "/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/include/fastdds/rtps/common/SequenceNumber.h", line=247, function=0x7ffff75dcd60 <__PRETTY_FUNCTION__._ZN8eprosima8fastrtps4rtpsmiERKNS1_16SequenceNumber_tEj> "eprosima::fastrtps::rtps::SequenceNumber_t eprosima::fastrtps::rtps::operator-(const eprosima::fastrtps::rtps::SequenceNumber_t &, const uint32_t)") at assert.c:101
#4  0x00007ffff5eb032c in eprosima::fastrtps::rtps::operator- (seq=..., inc=1) at /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/include/fastdds/rtps/common/SequenceNumber.h:247
#5  0x00007ffff609e1d1 in eprosima::fastrtps::rtps::StatefulReader::processGapMsg (this=0x618000000880, writerGUID=..., gapStart=..., gapList=...) at /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/reader/StatefulReader.cpp:863
#6  0x00007ffff6171b84 in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Gap(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*) const::$_3::operator()(eprosima::fastrtps::rtps::RTPSReader*) const (this=0x7ffff01d9c00, reader=0x618000000880) at /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:1176
#7  0x00007ffff615844c in eprosima::fastrtps::rtps::MessageReceiver::findAllReaders<eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Gap(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*) const::$_3>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Gap(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*) const::$_3 const&) const (this=0x614000007040, readerID=..., callback=...) at /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:680
#8  0x00007ffff6147f00 in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Gap (this=0x614000007040, msg=0x7ffff01dd5a0, smh=0x7ffff01da070) at /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:1173
#9  0x00007ffff6131739 in eprosima::fastrtps::rtps::MessageReceiver::processCDRMsg (this=0x614000007040, source_locator=..., reception_locator=..., msg=0x7ffff01dd5a0) at /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:442
#10 0x00007ffff61a62f7 in eprosima::fastrtps::rtps::ReceiverResource::OnDataReceived (this=0x610000000740, data=0x631000014800 "RTPS\002\002\377\377\001\017Eҳ\365X\271\001", size=52, localLocator=..., remoteLocator=...) at /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:132
#11 0x00007ffff65dd754 in eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation (this=0x60d000000110, input_locator=...) at /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:70
#12 0x00007ffff65e82be in std::__invoke_impl<void, void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> (__f=@0x606000000b28: (void (eprosima::fastdds::rtps::UDPChannelResource::*)(class eprosima::fastdds::rtps::UDPChannelResource * const, class eprosima::fastrtps::rtps::Locator_t)) 0x7ffff65dd2c0 <eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t)>, __t=@0x606000000b20: 0x60d000000110, __args=...) at /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:73
#13 0x00007ffff65e7eab in std::__invoke<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> (__fn=@0x606000000b28: (void (eprosima::fastdds::rtps::UDPChannelResource::*)(class eprosima::fastdds::rtps::UDPChannelResource * const, class eprosima::fastrtps::rtps::Locator_t)) 0x7ffff65dd2c0 <eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t)>, __args=..., __args=...) at /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95
#14 0x00007ffff65e7e1b in std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::_M_invoke<0ul, 1ul, 2ul> (this=0x606000000b08) at /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:244
#15 0x00007ffff65e7d85 in std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::operator() (this=0x606000000b08) at /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:251
#16 0x00007ffff65e7699 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> > >::_M_run (this=0x606000000b00) at /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:195
#17 0x00007ffff477bde4 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#18 0x00007ffff4c22609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#19 0x00007ffff4466133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Source at fault: StatefulReader.cpp:863:

        SequenceNumber_t finalSN = gapList.base() - 1;

-> when gapList.base is zero, computing 0 - 1 leads to an assertion failure at SequenceNumber.h:247:

inline SequenceNumber_t operator -(
        const SequenceNumber_t& seq,
        const uint32_t inc) noexcept
{
    SequenceNumber_t res(seq.high, seq.low - inc);

    if (inc > seq.low)
    {
        // Being the type of the parameter an 'uint32_t', the decrement of 'high' will be as much as 1.
        assert(0 < res.high); // <- HERE
        --res.high;
    }

    return res;
}
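The following is an added example, not Fast DDS's own code or fix: a stand-in for SequenceNumber_t with the same high/low subtraction as above, but returning a status instead of asserting, plus a validation step a reader can run over the GAP fields before doing any arithmetic on them (RTPS sequence numbers start at 1, so a zero gapStart or a zero gapList base is invalid). The names checked_sub, gap_fields_valid and compute_final_sn are hypothetical.

```cpp
#include <cstdint>

// Minimal stand-in for Fast DDS's SequenceNumber_t: 64 bits split into a
// signed high and an unsigned low half, like the original type.
struct SequenceNumber_t {
    int32_t  high;
    uint32_t low;
};

// Result of a checked operation: ok == false means "drop the submessage".
struct SubResult {
    bool ok;
    SequenceNumber_t value;
};

// Same arithmetic as SequenceNumber.h:247, but the assert becomes a
// returned failure so the caller decides what to do (hypothetical helper).
SubResult checked_sub(const SequenceNumber_t& seq, uint32_t inc)
{
    SequenceNumber_t res{seq.high, seq.low - inc};
    if (inc > seq.low)
    {
        if (res.high <= 0)          // the original code asserts here
            return {false, res};
        --res.high;
    }
    return {true, res};
}

// Validate GAP fields before any arithmetic: reject negative or zero
// sequence numbers and a gapList base that precedes gapStart.
bool gap_fields_valid(const SequenceNumber_t& gapStart, const SequenceNumber_t& base)
{
    auto is_zero = [](const SequenceNumber_t& s) { return s.high == 0 && s.low == 0; };
    auto less = [](const SequenceNumber_t& a, const SequenceNumber_t& b) {
        return a.high < b.high || (a.high == b.high && a.low < b.low);
    };
    if (gapStart.high < 0 || base.high < 0) return false;
    if (is_zero(gapStart) || is_zero(base)) return false;
    if (less(base, gapStart)) return false;
    return true;
}

// Mirrors the first step of processGapMsg (finalSN = gapList.base() - 1),
// but only after the fields passed validation.
SubResult compute_final_sn(const SequenceNumber_t& gapStart, const SequenceNumber_t& base)
{
    if (!gap_fields_valid(gapStart, base))
        return {false, {0, 0}};
    return checked_sub(base, 1);
}
```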

PoC

After PDP, send an RTPS packet with the malformed GAP submessage above to the multicast metatraffic port.
Please refer to the attached packet capture for details. (It seems that GitHub doesn't allow attaching zip files anymore?)

Impact

Reachable assertion (CWE-617) - remote attackers can crash FastDDS.

Severity

High 7.5 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-39534
