Open Javiplz opened 9 months ago
Same issue here.
I'm having the same issue. The length of the PDU is not the real one.
Thank you for the bug report and comments.
I've been swamped with other projects. Would anyone be interested in submitting a pull request that resolves this? I'd be happy to review and merge it.
I could add some basic protection against this, just an extra check.
This is my proposal (src/dis6/Pdu.cpp, line 111):
#include <stdexcept> // needed for std::runtime_error

void Pdu::unmarshal(DataStream& dataStream)
{
    dataStream >> _protocolVersion;
    dataStream >> _exerciseID;
    dataStream >> _pduType;
    dataStream >> _protocolFamily;
    dataStream >> _timestamp;
    dataStream >> _length;
    dataStream >> _padding;
    // added lines: reject a PDU whose declared length does not match the data we have
    if (dataStream.size() != _length)
    {
        throw std::runtime_error("error size");
    }
}
Regards.
There is an issue related to the unmarshal function in incomingMessage if the DIS packet is malformed. The application crashes with some UDP packets with a malformed length field.
Specifically, it seems to occur if the length is greater than expected at this location:
After this code executes, execution continues in the final class (i.e. EntityStatePdu::unmarshal) and the application crashes. I think it is because of the malformed length, as it seems to be used in EntityStatePdu...
This is an example of a UDP packet causing a crash: 0x020001020000001d2500167374642d7363616e....
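The crash described in this report and the length check proposed above both come down to validating the PDU header's length field against the bytes actually received before anything deeper is unmarshalled. The following is an added, stand-alone example (not code from open-dis-cpp) that parses the 12-byte DIS PDU header from a raw datagram and rejects it when the declared length disagrees with the datagram size; the `PduHeader` struct, `parseAndValidateHeader` function and the two sample datagrams are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// DIS PDU header layout (12 bytes, network byte order):
//   version(1) exerciseID(1) pduType(1) protocolFamily(1)
//   timestamp(4) length(2) padding(2)
struct PduHeader {
    uint8_t  protocolVersion = 0;
    uint8_t  exerciseID = 0;
    uint8_t  pduType = 0;
    uint8_t  protocolFamily = 0;
    uint32_t timestamp = 0;
    uint16_t length = 0;
    uint16_t padding = 0;
};

static const std::size_t kHeaderSize = 12;

// Parse the header and check the declared length against the datagram.
// Returns false when the datagram is too short to hold a header, or when the
// declared PDU length does not match the bytes actually received, so the
// caller can drop the datagram instead of handing it to Pdu::unmarshal.
bool parseAndValidateHeader(const std::vector<uint8_t>& datagram, PduHeader& hdr)
{
    if (datagram.size() < kHeaderSize) return false;
    hdr.protocolVersion = datagram[0];
    hdr.exerciseID      = datagram[1];
    hdr.pduType         = datagram[2];
    hdr.protocolFamily  = datagram[3];
    hdr.timestamp = (uint32_t(datagram[4]) << 24) | (uint32_t(datagram[5]) << 16)
                  | (uint32_t(datagram[6]) << 8)  |  uint32_t(datagram[7]);
    hdr.length    = uint16_t((uint16_t(datagram[8])  << 8) | datagram[9]);
    hdr.padding   = uint16_t((uint16_t(datagram[10]) << 8) | datagram[11]);
    // A length smaller than the header, or different from the received size,
    // means a later unmarshal would read past the buffer: reject it.
    return hdr.length >= kHeaderSize && hdr.length == datagram.size();
}

// Constructed sample datagrams (not captured traffic). Both claim to be an
// Entity State PDU (type 1, family 2); only the first has a consistent length.
const std::vector<uint8_t> kGoodDatagram = {
    0x06, 0x00, 0x01, 0x02,  0x00, 0x00, 0x00, 0x1d,  0x00, 0x10, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef };                      // declared 16 == 16 bytes
const std::vector<uint8_t> kBadDatagram = {
    0x06, 0x00, 0x01, 0x02,  0x00, 0x00, 0x00, 0x1d,  0x25, 0x00, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef };                      // declared 9472 != 16 bytes
```

Running this check on the datagram before calling the library's `unmarshal` lets the receiver drop the malformed packet rather than letting `EntityStatePdu::unmarshal` trust a length of 9472 on a 16-byte buffer.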