CVE-2023-42459: [19416] Fix bad-free when receiving malformed DATA submessage by MiguelCompany · Pull Request #3824 · eProsima/Fast-DDS
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). In affected versions, specific DATA submessages can be sent to a discovery locator, which may trigger a free error. This can remotely crash any Fast-DDS process. The call to free() could potentially leave the pointer in the attacker's control, which could lead to a double free. This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3, and 2.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
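As an added example (not Fast DDS code and not the fix from this PR), the following C++ validator walks the submessages of an RTPS datagram and checks every declared length of a DATA submessage against the bytes actually received, which is the kind of structural check a regression datagram exercises. The field layout is assumed from the OMG RTPS wire format; `Verdict`, `check_datagram` and `sample` are hypothetical names, and the sample datagrams are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Added illustration, not project code. Field layout assumed from the OMG RTPS wire format.
enum class Verdict { Ok, BadHeader, Truncated, BadDataLayout };
static uint16_t rd16(const uint8_t* p, bool le) {
    return le ? uint16_t(p[0] | (p[1] << 8)) : uint16_t((p[0] << 8) | p[1]);
}

// Walk every submessage and check each declared length against the bytes received.
Verdict check_datagram(const std::vector<uint8_t>& d) {
    const size_t kHeader = 20, kSubHeader = 4, kDataFixed = 20;
    if (d.size() < kHeader || std::memcmp(d.data(), "RTPS", 4) != 0) return Verdict::BadHeader;
    for (size_t pos = kHeader; pos < d.size();) {
        if (d.size() - pos < kSubHeader) return Verdict::Truncated;
        const uint8_t id = d[pos];
        const bool le = (d[pos + 1] & 0x01) != 0;          // E flag: little-endian
        const size_t body = pos + kSubHeader;
        size_t len = rd16(&d[pos + 2], le);                // octetsToNextHeader
        if (len == 0 && id != 0x01 && id != 0x09) len = d.size() - body; // 0: runs to end (not PAD/INFO_TS)
        if (len > d.size() - body) return Verdict::Truncated;
        if (id == 0x15) {                                  // DATA submessage
            // extraFlags(2) octetsToInlineQos(2) readerId(4) writerId(4) writerSN(8)
            if (len < kDataFixed) return Verdict::BadDataLayout;
            const size_t to_qos = rd16(&d[body + 2], le);  // counted from the end of this field
            if (to_qos < 16 || to_qos > len - 4) return Verdict::BadDataLayout;
        }
        pos = body + len;
    }
    return Verdict::Ok;
}

// Constructed sample: RTPS header plus one little-endian DATA submessage with no payload.
std::vector<uint8_t> sample(uint16_t next, uint16_t to_qos) {
    std::vector<uint8_t> d = {'R', 'T', 'P', 'S', 2, 3, 0, 0};
    d.resize(20, 0);                                       // zeroed GUID prefix
    const uint8_t sub[] = {0x15, 0x01, uint8_t(next), uint8_t(next >> 8),
                           0, 0, uint8_t(to_qos), uint8_t(to_qos >> 8)};
    d.insert(d.end(), sub, sub + sizeof(sub));
    d.resize(d.size() + 16, 0);                            // readerId, writerId, writerSN
    return d;
}

int main() {
    std::printf("%d %d\n", int(check_datagram(sample(20, 16))), int(check_datagram(sample(64, 16))));
}
```

A check of this kind decides only whether a datagram is structurally sound; the code that rejects it must still release, exactly once, only the memory it owns.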
Description
This PR:
- Adds a custom transport that enables injecting arbitrary RTPS datagrams
- Adds a black-box test that reads RTPS datagrams from binary files and injects them using the new transport
- Adds a regression datagram for [16784] Malformed DATA submessage leads to bad-free during SPDP #3207
- Fixes [16784] Malformed DATA submessage leads to bad-free during SPDP #3207
@Mergifyio backport 2.11.x 2.10.x 2.6.x
Contributor Checklist
- Commit messages follow the project guidelines.
- The code follows the style guidelines of this project.
- Tests that thoroughly check the new feature have been added/Regression tests checking the bug and its fix have been added; the added tests pass locally
- N/A Any new/modified methods have been properly documented using Doxygen.
- Changes are ABI compatible.
- Changes are API compatible.
- N/A New feature has been added to the versions.md file (if applicable).
- N/A New feature has been documented/Current behavior is correctly described in the documentation.
- Applicable backports have been included in the description.
Reviewer Checklist
- The PR has a milestone assigned.
- Check contributor checklist is correct.
- Check CI results: changes do not issue any warning.
- Check CI results: failing tests are unrelated with the changes.
A much needed tool indeed!
Just some NITs.
Signed-off-by: Miguel Company [email protected]
mergify bot pushed a commit that referenced this pull request
Sep 20, 2023
* Refs #16784. Added basic custom chaining transport.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Use custom transport to get list of receiver interfaces.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Added regression file.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Processing regression files.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Separation of transport and descriptor.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Small refactor.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Fix issue.
Signed-off-by: Miguel Company [email protected]
* Refs #19416. Fix build error in Mac.
Signed-off-by: Miguel Company [email protected]
* Refs #19416. Fix include order.
Signed-off-by: Miguel Company [email protected]
Signed-off-by: Miguel Company [email protected] (cherry picked from commit 47fe5d7)
mergify bot pushed a commit that referenced this pull request
Sep 20, 2023
* Refs #16784. Added basic custom chaining transport.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Use custom transport to get list of receiver interfaces.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Added regression file.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Processing regression files.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Separation of transport and descriptor.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Small refactor.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Fix issue.
Signed-off-by: Miguel Company [email protected]
* Refs #19416. Fix build error in Mac.
Signed-off-by: Miguel Company [email protected]
* Refs #19416. Fix include order.
Signed-off-by: Miguel Company [email protected]
Signed-off-by: Miguel Company [email protected] (cherry picked from commit 47fe5d7)
Conflicts:
src/cpp/rtps/messages/MessageReceiver.cpp
test/blackbox/CMakeLists.txt
MiguelCompany added a commit that referenced this pull request
Sep 21, 2023
* Fix bad-free when receiving malformed DATA submessage (#3824)
* Refs #16784. Added basic custom chaining transport.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Use custom transport to get list of receiver interfaces.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Added regression file.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Processing regression files.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Separation of transport and descriptor.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Small refactor.
Signed-off-by: Miguel Company [email protected]
* Refs #16784. Fix issue.
Signed-off-by: Miguel Company [email protected]
* Refs #19416. Fix build error in Mac.
Signed-off-by: Miguel Company [email protected]
* Refs #19416. Fix include order.
Signed-off-by: Miguel Company [email protected]
Signed-off-by: Miguel Company [email protected] (cherry picked from commit 47fe5d7)
Conflicts:
src/cpp/rtps/messages/MessageReceiver.cpp
test/blackbox/CMakeLists.txt
* Fixed conflicts
Signed-off-by: Miguel Company [email protected]
Signed-off-by: Miguel Company [email protected] Co-authored-by: Miguel Company [email protected]
Related news
Debian Linux Security Advisory 5568-1 - It was discovered that incorrect memory management in Fast DDS, a C++ implementation of the DDS (Data Distribution Service) might result in denial of service.