jhelovuo / RustDDS

Rust implementation of Data Distribution Service
Apache License 2.0

thread 'RustDDS Participant 0 event loop' panicked at 'split_off out of bounds: 54 <= 32' #281

Closed squizz617 closed 1 year ago

squizz617 commented 1 year ago

This is the last panic I'm reporting. When a parameter list does not end with a sentinel parameter, Bytes::split_off oob is triggered while deserializing the malformed payload data (src/messages/submessages/data.rs:97).


* Hexdump of above:

0000  00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00
0010  45 00 00 54 00 01 40 00 40 11 3c 96 7f 00 00 01
0020  7f 00 00 01 05 39 1d ec 00 40 20 41 52 54 50 53
0030  02 02 ff ff 01 0f 45 d2 b3 f5 58 b9 01 00 00 00
0040  15 05 00 00 00 00 32 00 00 00 00 00 00 01 00 c2
0050  00 00 00 00 02 00 00 00 00 03 00 00 77 00 04 00
0060  00 00 00 00

thread 'RustDDS Participant 0 event loop' panicked at 'split_off out of bounds: 54 <= 32', /home/seulbae/.cargo/registry/src/index.crates.io-6f17d22bba15001f/bytes-1.4.0/src/bytes.rs:363:9
stack backtrace:
   0: 0x56248ae7ae2a - std::backtrace_rs::backtrace::libunwind::trace::h9a6b80bbf328ba5d
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
   1: 0x56248ae7ae2a - std::backtrace_rs::backtrace::trace_unsynchronized::hd162ec543a11886b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2: 0x56248ae7ae2a - std::sys_common::backtrace::_print_fmt::h78a5099be12f51a6
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:65:5
   3: 0x56248ae7ae2a - ::fmt::ha1c5390454d74f71
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:44:22
   4: 0x56248aea094f - core::fmt::write::h9ffde816c577717b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/fmt/mod.rs:1254:17
   5: 0x56248ae77ea5 - std::io::Write::write_fmt::h88186074961638e4
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/io/mod.rs:1698:15
   6: 0x56248ae7abf5 - std::sys_common::backtrace::_print::h184198273ed08d59
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:47:5
   7: 0x56248ae7abf5 - std::sys_common::backtrace::print::h1b4d8e7add699453
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:34:9
   8: 0x56248ae7c29e - std::panicking::default_hook::{{closure}}::h393bcea75423915a
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:269:22
   9: 0x56248ae7c045 - std::panicking::default_hook::h48c64f31d8b3fd03
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:288:9
  10: 0x56248ae7c7fe - std::panicking::rust_panic_with_hook::hafdc493a79370062
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:691:13
  11: 0x56248ae7c6f9 - std::panicking::begin_panic_handler::{{closure}}::h0a64bc82e36bedc7
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:582:13
  12: 0x56248ae7b296 - std::sys_common::backtrace::__rust_end_short_backtrace::hc203444fb7416a16
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:150:18
  13: 0x56248ae7c452 - rust_begin_unwind
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:578:5
  14: 0x56248a649193 - core::panicking::panic_fmt::h0f6ef0178afce4f2
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:67:14
  15: 0x56248ac84349 - bytes::bytes::Bytes::split_off::ha3b9aeb0eecb45ec
                               at /home/seulbae/.cargo/registry/src/index.crates.io-6f17d22bba15001f/bytes-1.4.0/src/bytes.rs:363:9
  16: 0x56248ac21ba7 - rustdds::messages::submessages::data::Data::deserialize_data::h89b2a2b08f1944ef
                               at /home/seulbae/ddssecurity/targets/RustDDS/src/messages/submessages/data.rs:97:46
  17: 0x56248abf7737 - rustdds::serialization::message::Message::read_from_buffer::ha0be6f55423e1870
                               at /home/seulbae/ddssecurity/targets/RustDDS/src/serialization/message.rs:121:13
  18: 0x56248ac1e16c - rustdds::dds::message_receiver::MessageReceiver::handle_received_packet::he766cb96ae5beba0
                               at /home/seulbae/ddssecurity/targets/RustDDS/src/dds/message_receiver.rs:198:30
  19: 0x56248abef73e - rustdds::dds::dp_event_loop::DPEventLoop::event_loop::h090b9277cdf99125
                               at /home/seulbae/ddssecurity/targets/RustDDS/src/dds/dp_event_loop.rs:252:19
  20: 0x56248aa26783 - rustdds::dds::participant::DomainParticipantInner::new::{{closure}}::hdecfeffc8c70284e
                               at /home/seulbae/ddssecurity/targets/RustDDS/src/dds/participant.rs:767:9
  21: 0x56248a805429 - std::sys_common::backtrace::__rust_begin_short_backtrace::hcf04dd068b42aae2
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:134:18
  22: 0x56248a82a890 - std::thread::Builder::spawn_unchecked_::{{closure}}::{{closure}}::h6021dfd9422bcc9f
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:526:17
  23: 0x56248a8231a4 - <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once::h2fa84cede123ce53
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panic/unwind_safe.rs:271:9
  24: 0x56248aa38708 - std::panicking::try::do_call::h9f1b103607119d4e
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:485:40
  25: 0x56248aa38a2b - rust_try
  26: 0x56248aa38488 - std::panicking::try::haa14520fe8729ea3
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:449:19
  27: 0x56248a82873a - std::panic::catch_unwind::h132cb257b84f036d
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panic.rs:140:14
  28: 0x56248a82a29a - std::thread::Builder::spawn_unchecked_::{{closure}}::ha0318418a63b8186
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:525:30
  29: 0x56248a7e15ff - core::ops::function::FnOnce::call_once{{vtable.shim}}::hcd6ea3874fef7b1b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/ops/function.rs:250:5
  30: 0x56248ae7f925 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::ha1f2224656a778fb
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9
  31: 0x56248ae7f925 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::haa29ed9703f354b7
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9
  32: 0x56248ae7f925 - std::sys::unix::thread::Thread::new::thread_start::h33b6dae3e3692197
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys/unix/thread.rs:108:17
  33: 0x7fc5b16ad609 - start_thread
                               at /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
  34: 0x7fc5b147d133 - clone
                               at /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
  35: 0x0 -

Thank you very much!

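As an added illustration (not RustDDS code, and not the fix that landed in master): a bounds-checked reader for the DATA submessage body that returns an error at the two places where the report shows a panic, an offset that points past the buffer and a parameter list with no sentinel. It assumes the standard RTPS DATA layout (extraFlags, octetsToInlineQos, readerId, writerId, writerSN, optional inline QoS, payload) and embeds the body bytes from the hexdump above (offsets 0x44 to 0x64) as a constructed constant; under that layout, 4 + octetsToInlineQos (0x32 = 50) against the 32-byte body yields the same 54 and 32 as the panic message.

```rust
/// Errors a hardened deserializer returns where the reported code panicked.
#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated { need: usize, have: usize }, MissingSentinel }
const PID_SENTINEL: u16 = 0x0001; // terminates every RTPS parameter list
const FLAG_Q: u8 = 0x02; // DATA flag bit: an inline QoS parameter list precedes the payload
/// Constructed sample: the DATA submessage body from the issue's hexdump (offsets 0x44..0x64).
pub const ISSUE_BODY: [u8; 32] = [
    0x00, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xc2, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x77, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
];
fn u16_le(b: &[u8], at: usize) -> Result<u16, ParseError> {
    let s = b.get(at..at + 2).ok_or(ParseError::Truncated { need: at + 2, have: b.len() })?;
    Ok(u16::from_le_bytes([s[0], s[1]]))
}
/// Checked counterpart of `Bytes::split_off`: an error, never a panic, when `at > b.len()`.
fn split_off_checked(b: &[u8], at: usize) -> Result<(&[u8], &[u8]), ParseError> {
    if at > b.len() { return Err(ParseError::Truncated { need: at, have: b.len() }); }
    Ok(b.split_at(at))
}
/// Walks a little-endian parameter list (pid u16, len u16, value[len])* up to PID_SENTINEL;
/// returns (parameter count, bytes consumed including the sentinel).
pub fn parse_parameter_list(pl: &[u8]) -> Result<(usize, usize), ParseError> {
    let (mut pos, mut count) = (0usize, 0usize);
    loop {
        if pos == pl.len() { return Err(ParseError::MissingSentinel); } // list ended, no sentinel
        let (pid, len) = (u16_le(pl, pos)?, u16_le(pl, pos + 2)? as usize);
        pos += 4;
        if pid == PID_SENTINEL { return Ok((count, pos)); }
        split_off_checked(&pl[pos..], len)?; // the declared value length must fit
        pos += len;
        count += 1;
    }
}
/// Parses a DATA body (the bytes after the 4-byte submessage header): extraFlags(2)
/// octetsToInlineQos(2) readerId(4) writerId(4) writerSN(8) [inlineQos] [payload].
/// Returns (inline QoS parameter count, payload parameter count when the payload is PL_CDR_LE).
pub fn parse_data_body(flags: u8, body: &[u8]) -> Result<(usize, usize), ParseError> {
    // octetsToInlineQos counts from the end of its own field, i.e. from body offset 4.
    let (_fixed, rest) = split_off_checked(body, 4 + u16_le(body, 2)? as usize)?;
    let (qos_params, used) = if flags & FLAG_Q != 0 { parse_parameter_list(rest)? } else { (0, 0) };
    let rest = &rest[used..];
    // Encapsulation header: big-endian representation id (00 03 = PL_CDR_LE) plus 2 option bytes.
    let payload_params = if rest.len() >= 4 && rest[..2] == [0x00, 0x03] {
        parse_parameter_list(&rest[4..])?.0
    } else { 0 };
    Ok((qos_params, payload_params))
}
```

With octetsToInlineQos patched to the usual 16, the same body gets past the offset check and is then rejected for the missing sentinel, which is the second defect the report describes.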
jhelovuo commented 1 year ago

Another very good catch! Thank you.

Fixed in master.

If you discover any more panic conditions, especially remotely triggered, such as these, please report them. Your reports are very good, as they have an example message on how to reproduce the bug.

jhelovuo commented 1 year ago

Released RustDDS 0.8.3, mostly due to the reported issues #277, #278, #279, #280, and #281. These should be now fixed.

squizz617 commented 1 year ago

Thank you @jhelovuo for quickly handling the issues.

As all five issues have been patched, could you assign CVE identifiers via GitHub? They can be remotely triggered by an attacker to cause (at least) DoS. I think these issues can be classified as CWE-617 (reachable assertion).

Thank you.