thread 'RustDDS Participant 0 event loop' panicked at 'attempt to subtract with overflow'

[squizz617]

Hi,

RustDDS panics while processing a submessage if octets_to_inline_qos field is zero (which is allowed by DDS specification).

• Env: RustDDS 0.8.2, Ubuntu 20.04

• Submessage that triggers the panic:

  submessageId: DATA (0x15)
  Flags: 0x00
  octetsToNextHeader: 0
  0001 0000 0000 0000 = Extra flags: 0x1000
  Octets to inline QoS: 0
  readerEntityId: 0x00000001 (Application-defined participant: 0x000000)
  writerEntityId: 0x00c252a0 (unknown kind (a0): 0x00c252)
  writerSeqNumber: 14662118489911066625

• Stderr and trace:

  thread 'RustDDS Participant 0 event loop' panicked at 'attempt to subtract with overflow', src/messages/submessages/data.rs:83:24
  stack backtrace:
  0: rust_begin_unwind
           at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:578:5
  1: core::panicking::panic_fmt
           at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:67:14
  2: core::panicking::panic
           at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:117:5
  3: rustdds::messages::submessages::data::Data::deserialize_data
           at /home/seulbae/ddssecurity/targets/RustDDS/src/messages/submessages/data.rs:83:24
  4: rustdds::serialization::message::Message::read_from_buffer
           at /home/seulbae/ddssecurity/targets/RustDDS/src/serialization/message.rs:121:13
  5: rustdds::dds::message_receiver::MessageReceiver::handle_received_packet
           at /home/seulbae/ddssecurity/targets/RustDDS/src/dds/message_receiver.rs:198:30
  6: rustdds::dds::dp_event_loop::DPEventLoop::event_loop
           at /home/seulbae/ddssecurity/targets/RustDDS/src/dds/dp_event_loop.rs:252:19
  7: rustdds::dds::participant::DomainParticipantInner::new::{{closure}}
           at /home/seulbae/ddssecurity/targets/RustDDS/src/dds/participant.rs:767:9

• Analysis: In data.rs, both octets_to_inline_qos and rtps_v23_data_header_size are of type u16. Therefore, when octets_to_inline_qos == 0, the above panic is triggered.

Thank you.

[jhelovuo]

Very good find! Thank you for reporting this.

Your analysis seems otherwise correct, except I cannot think of how octets_to_inline_qos could legitimately be zero (or less than 16), so you have crafted a malformed submessage.

In any case, such input should cause just submessage parsing to fail, not a panic, so this is good catch.

This should now be fixed in the latest master commit in Github, and will be included in the next release.

Does it still panic for you?

[squizz617]

Thank you for confirming and quickly fixing the issue!

I cannot think of how octets_to_inline_qos could legitimately be zero (or less than 16)

You are actually right, and I stand corrected; octets_to_inline_qos cannot legitimately be zero. This indeed is an malformed packet.

Does it still panic for you?

It doesn't panic anymore in the latest master branch. Thank you!