Hi @jhelovuo, my fuzzer discovered another remotely reachable `panic` in version 0.8.3.
It happens because RTPS defines the `Locator_t` type as follows,
`struct Locator_t { long kind; unsigned long port; octet address[16]; };`
where `port` is a 32-bit field (IDL `unsigned long`) and can "legitimately" carry values larger than a 16-bit UDPv4 port allows.
When parsing such a value in locator.rs, the narrowing integer conversion at `src/structure/locator.rs:91` returns a `TryFromIntError`, the `unwrap` on it panics, and the RustDDS discovery thread dies — so a single malformed SPDP message from any peer on the network is enough to trigger it.
Hexdump of the DATA submessage with the malformed locator:
0000 15 05 00 00 00 00 10 00 00 01 00 c7 00 01 00 c2 0010 00 00 00 00 01 00 00 00 00 03 00 00 15 00 04 00 0020 02 02 00 00 16 00 04 00 0b 0f 00 00 50 00 10 00 0030 01 0f 11 3e f6 42 cd 90 00 00 00 00 00 00 01 c1 0040 32 00 18 00 01 00 00 00 f2 1c 00 01 00 00 00 00 0050 00 00 00 00 00 00 00 00 0a 00 00 0f 31 00 18 00 0060 01 00 00 00 f3 1c 00 00 00 00 00 00 00 00 00 00 0070 00 00 00 00 0a 00 00 0f 02 00 08 00 14 00 00 00 0080 00 00 00 00 58 00 04 00 3f 0c 00 00 62 00 10 00 0090 0a 00 00 00 70 75 62 6c 69 73 68 65 72 00 00 00 00a0 59 00 28 00 01 00 00 00 11 00 00 00 50 41 52 54 00b0 49 43 49 50 41 4e 54 5f 54 59 50 45 00 00 00 00 00c0 07 00 00 00 53 49 4d 50 4c 45 00 00 01 00 00 00
(The malformed locator is from bytes 0x40 to 0x5b: parameter header `32 00 18 00`, then `kind` = 1 (UDPv4) and, in little-endian, `port` = `f2 1c 00 01` = 0x01001cf2, far above 65535.)
Full backtrace:
thread 'RustDDS discovery thread' panicked at 'called `Result::unwrap()` on an `Err` value: TryFromIntError(())', src/structure/locator.rs:91:73 stack backtrace: 0: 0x55e2582e59da - std::backtrace_rs::backtrace::libunwind::trace::h9a6b80bbf328ba5d at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5 1: 0x55e2582e59da - std::backtrace_rs::backtrace::trace_unsynchronized::hd162ec543a11886b at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5 2: 0x55e2582e59da - std::sys_common::backtrace::_print_fmt::h78a5099be12f51a6 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:65:5 3: 0x55e2582e59da - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::ha1c5390454d74f71 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:44:22 4: 0x55e25830b52f - core::fmt::write::h9ffde816c577717b at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/fmt/mod.rs:1254:17 5: 0x55e2582e2a55 - std::io::Write::write_fmt::h88186074961638e4 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/io/mod.rs:1698:15 6: 0x55e2582e57a5 - std::sys_common::backtrace::_print::h184198273ed08d59 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:47:5 7: 0x55e2582e57a5 - std::sys_common::backtrace::print::h1b4d8e7add699453 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:34:9 8: 0x55e2582e6e4e - std::panicking::default_hook::{{closure}}::h393bcea75423915a at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:269:22 9: 0x55e2582e6bf5 - std::panicking::default_hook::h48c64f31d8b3fd03 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:288:9 10: 0x55e2582e73ae - std::panicking::rust_panic_with_hook::hafdc493a79370062 at 
/rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:691:13 11: 0x55e2582e72a9 - std::panicking::begin_panic_handler::{{closure}}::h0a64bc82e36bedc7 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:582:13 12: 0x55e2582e5e46 - std::sys_common::backtrace::__rust_end_short_backtrace::hc203444fb7416a16 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:150:18 13: 0x55e2582e7002 - rust_begin_unwind at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:578:5 14: 0x55e257a9f193 - core::panicking::panic_fmt::h0f6ef0178afce4f2 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:67:14 15: 0x55e257a9f733 - core::result::unwrap_failed::h8090202169109f9c at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/result.rs:1687:5 16: 0x55e257ef71a9 - core::result::Result<T,E>::unwrap::h45c6e29e126780a4 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/result.rs:1089:23 17: 0x55e257f2702c - <rustdds::structure::locator::Locator as core::convert::From<rustdds::structure::locator::repr::Locator>>::from::h0eb3ae9587bd98ce at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/structure/locator.rs:91:52 18: 0x55e257f5e8de - <T as core::convert::Into<U>>::into::h8f84e60481c7b902 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/convert/mod.rs:727:9 19: 0x55e257ed2d3e - <rustdds::structure::locator::Locator as speedy::readable::Readable<C>>::read_from::hbbe2c16abda7025b at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/structure/locator.rs:68:8 20: 0x55e257ed2b37 - speedy::readable::Readable::read_with_length_from_buffer_with_ctx::h30abdcb97daee72a at /home/seulbae/.cargo/registry/src/index.crates.io-6f17d22bba15001f/speedy-0.8.6/src/readable.rs:492:21 21: 0x55e257ed295b - speedy::readable::Readable::read_from_buffer_with_ctx::haa5e7be6d20a56c3 at 
/home/seulbae/.cargo/registry/src/index.crates.io-6f17d22bba15001f/speedy-0.8.6/src/readable.rs:480:9 22: 0x55e257e09fda - rustdds::serialization::speedy_pl_cdr_helpers::get_all_from_pl_map::{{closure}}::h64c8a3f25f0d54b2 at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/serialization/speedy_pl_cdr_helpers.rs:164:7 23: 0x55e25803c083 - core::iter::adapters::map::map_try_fold::{{closure}}::hee7925faf4658375 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/iter/adapters/map.rs:91:28 24: 0x55e257f3ddcf - core::iter::traits::iterator::Iterator::try_fold::h15efa83ceb6851e2 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/iter/traits/iterator.rs:2304:21 25: 0x55e25803966f - <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::try_fold::hdb7567c4f131c046 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/iter/adapters/map.rs:117:9 26: 0x55e258027051 - <core::iter::adapters::GenericShunt<I,R> as core::iter::traits::iterator::Iterator>::try_fold::h94c0db77ce80e055 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/iter/adapters/mod.rs:195:9 27: 0x55e258026f6d - core::iter::traits::iterator::Iterator::try_for_each::h32dd57f3ea0ceaae at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/iter/traits/iterator.rs:2366:9 28: 0x55e258026f6d - <core::iter::adapters::GenericShunt<I,R> as core::iter::traits::iterator::Iterator>::next::hc8463a35741d9181 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/iter/adapters/mod.rs:178:14 29: 0x55e257eb18ac - <alloc::vec::Vec<T> as alloc::vec::spec_from_iter_nested::SpecFromIterNested<T,I>>::from_iter::h996fe6680eb7d2f6 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/vec/spec_from_iter_nested.rs:26:32 30: 0x55e257ec6efe - <alloc::vec::Vec<T> as alloc::vec::spec_from_iter::SpecFromIter<T,I>>::from_iter::h5d34072dd2ad68c4 at 
/rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/vec/spec_from_iter.rs:33:9 31: 0x55e257ec6037 - <alloc::vec::Vec<T> as core::iter::traits::collect::FromIterator<T>>::from_iter::h45dd9ab30f671afd at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/vec/mod.rs:2712:9 32: 0x55e257eef512 - core::iter::traits::iterator::Iterator::collect::hbe34d50edb275022 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/iter/traits/iterator.rs:1896:9 33: 0x55e257eef512 - <core::result::Result<V,E> as core::iter::traits::collect::FromIterator<core::result::Result<A,E>>>::from_iter::{{closure}}::h01b8559cecd4cf65 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/result.rs:1969:51 34: 0x55e25802745b - core::iter::adapters::try_process::h2f4e247048039693 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/iter/adapters/mod.rs:164:17 35: 0x55e257eef4d9 - <core::result::Result<V,E> as core::iter::traits::collect::FromIterator<core::result::Result<A,E>>>::from_iter::h156de832a163615d at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/result.rs:1969:9 36: 0x55e25803b13e - core::iter::traits::iterator::Iterator::collect::hcf61110f58915a17 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/iter/traits/iterator.rs:1896:9 37: 0x55e257e09f13 - rustdds::serialization::speedy_pl_cdr_helpers::get_all_from_pl_map::h500ff1c49e2cee80 at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/serialization/speedy_pl_cdr_helpers.rs:159:3 38: 0x55e25801e673 - <rustdds::discovery::spdp_participant_data::SpdpDiscoveredParticipantData as rustdds::serialization::pl_cdr_adapters::PlCdrDeserialize>::from_pl_cdr_bytes::hfd01a1e3a22effdc at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/discovery/spdp_participant_data.rs:231:54 39: 0x55e258022cad - <rustdds::serialization::pl_cdr_adapters::PlCdrDeserializerAdapter<D> as 
rustdds::dds::adapters::no_key::DeserializerAdapter<D>>::from_bytes::h8ce90d9ed6632548 at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/serialization/pl_cdr_adapters.rs:83:9 40: 0x55e257e3724b - rustdds::dds::with_key::simpledatareader::SimpleDataReader<D,DA>::deserialize::h44eeca5ee3107ec2 at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/dds/with_key/simpledatareader.rs:256:17 41: 0x55e257e3c829 - rustdds::dds::with_key::simpledatareader::SimpleDataReader<D,DA>::try_take_one::hc8dc6fb525f49d50 at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/dds/with_key/simpledatareader.rs:334:11 42: 0x55e257ee98c8 - rustdds::dds::with_key::datareader::DataReader<D,DA>::fill_and_lock_local_datasample_cache::hc3b20117985c9469 at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/dds/with_key/datareader.rs:100:27 43: 0x55e257eea963 - rustdds::dds::with_key::datareader::DataReader<D,DA>::take::h7ded1bc7933479ec at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/dds/with_key/datareader.rs:244:5 44: 0x55e257eeaea9 - rustdds::dds::with_key::datareader::DataReader<D,DA>::take_next_sample::h43fb15b4aeee9da9 at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/dds/with_key/datareader.rs:329:18 45: 0x55e258014517 - rustdds::discovery::discovery::Discovery::handle_participant_reader::ha207bcc821504c3c at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/discovery/discovery.rs:898:15 46: 0x55e25801256a - rustdds::discovery::discovery::Discovery::discovery_event_loop::h0efa6dfc06fd4b9a at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/discovery/discovery.rs:683:13 47: 0x55e257c527a6 - rustdds::dds::participant::DomainParticipant::new::{{closure}}::h00ee919d85522143 at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/dds/participant.rs:121:11 48: 0x55e257f656f9 - std::sys_common::backtrace::__rust_begin_short_backtrace::h2801cfe15fd71954 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:134:18 49: 0x55e257f85630 - 
std::thread::Builder::spawn_unchecked_::{{closure}}::{{closure}}::h00974a0733231b0b at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:526:17 50: 0x55e2580636f4 - <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once::h5297936d382df1cb at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panic/unwind_safe.rs:271:9 51: 0x55e257f80e28 - std::panicking::try::do_call::hc01a6c995ce42e50 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:485:40 52: 0x55e257f8116b - __rust_try 53: 0x55e257f80bc8 - std::panicking::try::h4f53de6a125ab3ab at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:449:19 54: 0x55e257eeee2a - std::panic::catch_unwind::h782c15e86b39edcc at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panic.rs:140:14 55: 0x55e257f84ffa - std::thread::Builder::spawn_unchecked_::{{closure}}::h2665ee0e0128ca07 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:525:30 56: 0x55e257c67f4f - core::ops::function::FnOnce::call_once{{vtable.shim}}::h75c4211b85cd975f at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/ops/function.rs:250:5 57: 0x55e2582ea505 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::ha1f2224656a778fb at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9 58: 0x55e2582ea505 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::haa29ed9703f354b7 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9 59: 0x55e2582ea505 - std::sys::unix::thread::Thread::new::thread_start::h33b6dae3e3692197 at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys/unix/thread.rs:108:17 60: 0x7f087edc1609 - start_thread at /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8 61: 0x7f087eb91133 - clone at 
/build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95 62: 0x0 - <unknown>
Thank you.
Thank you, @squizz617. We are a bit slow to respond due to the summer holiday season, but I can confirm that this is a genuine bug.
Fixed in release 0.8.4.