CVE-2023-39946: Validate lengths before using them. · eProsima/Fast-DDS@3492270
eProsima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, the heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string whose declared length is larger than the size of the actual content. In eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper, memcpy is called first to copy the octet’ized length and then to copy the data into properties_.data. At the second memcpy, both data and size can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.
@@ -671,18 +671,24 @@ inline bool ParameterSerializer<ParameterPropertyList_t>::read_content_from_cdr_
parameter.length = parameter_length;
uint32_t pos_ref = cdr_message->pos;
uint32_t max_pos = pos_ref + parameter_length;
if (max_pos > cdr_message->length)
{
return false;
}
uint32_t num_properties = 0;
bool valid = fastrtps::rtps::CDRMessage::readUInt32(cdr_message, &num_properties);
if (!valid)
{
return false;
}
//properties_.reserve(parameter_length - 4);
for (size_t i = 0; i < num_properties; ++i)
{
uint32_t property1_size = 0, alignment1 = 0, property2_size = 0, alignment2 = 0, str1_pos = 0;
uint32_t property1_size = 0, alignment1 = 0, property2_size = 0, alignment2 = 0, str1_pos = 0, str2_pos = 0;
// Read and validate size of property name
valid &= fastrtps::rtps::CDRMessage::readUInt32(cdr_message, &property1_size);
if (!valid)
{
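Review bot: the `//properties_.reserve(parameter_length - 4);` comment left above the loop is dead code and, now that `num_properties` comes straight from the message, a reader may take it for a still-intended size hint; either delete it or restore a reserve bounded by `parameter_length`, which has already been checked against `cdr_message->length`. Minor: the declaration line now carries six zero-initialised locals on one line; putting `str1_pos` and `str2_pos` on their own line would make the added `str2_pos` easier to spot in review.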
@@ -691,19 +697,29 @@ inline bool ParameterSerializer<ParameterPropertyList_t>::read_content_from_cdr_
str1_pos = cdr_message->pos;
alignment1 = ((property1_size + 3u) & ~3u) - property1_size;
cdr_message->pos += (property1_size + alignment1);
if (cdr_message->pos > max_pos)
{
return false;
}
// Read and validate size of property value
valid &= fastrtps::rtps::CDRMessage::readUInt32(cdr_message, &property2_size);
if (!valid)
{
return false;
}
parameter.push_back(
&cdr_message->buffer[str1_pos], property1_size,
&cdr_message->buffer[cdr_message->pos], property2_size);
str2_pos = cdr_message->pos;
alignment2 = ((property2_size + 3u) & ~3u) - property2_size;
cdr_message->pos += (property2_size + alignment2);
if (cdr_message->pos > max_pos)
{
return false;
}
parameter.push_back(
&cdr_message->buffer[str1_pos], property1_size,
&cdr_message->buffer[str2_pos], property2_size);
}
//Nproperties_ = num_properties;
uint32_t length_diff = cdr_message->pos - pos_ref;
valid &= (parameter_length >= length_diff);
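Review bot: moving `parameter.push_back(...)` below the second `pos > max_pos` check is the right fix, since `property2_size` was previously handed to `push_back` before anything had confirmed the value bytes were inside the parameter. Two follow-ups: both guards compare only after `cdr_message->pos += (property2_size + alignment2)` has been evaluated in `uint32_t`, so they rely on that sum not wrapping; checking the declared size against the room left before advancing, e.g. `if (property2_size > max_pos - cdr_message->pos) return false;` (and the same for `property1_size`), makes the check independent of the arithmetic. Also, the name and value blocks are now identical (read size, compute alignment, advance, compare with `max_pos`) and would read better as one small helper, and the stale `//Nproperties_ = num_properties;` comment can go.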
Related news
Ubuntu Security Notice 6306-1 - It was discovered that Fast DDS incorrectly handled certain inputs. A remote attacker could possibly use this issue to cause a denial of service and information exposure. This issue only affected Ubuntu 22.04 LTS. It was discovered that Fast DDS incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash.
Debian Linux Security Advisory 5481-1 - Multiple security issues were discovered in Fast DDS, a C++ implementation of the DDS (Data Distribution Service), which might result in denial of service or potentially the execution of arbitrary code when processing malformed RTPS packets.