
Another remotely reachable assertion in ddsi_serdata_pserop.c #1771

Closed
squizz617 opened this issue Jul 17, 2023 · 1 comment · Fixed by #1773

@squizz617

Hi,

Our fuzzer triggered another assertion failure in CycloneDDS 0.10.2. After PDP, the following malformed DATA submessage delivered to the unicast locator of a subscriber process triggers this assert.

  • Malformed DATA submessage:
0000   15 05 18 00 00 00 10 00 00 01 00 c7 00 02 00 c2
0010   00 00 00 00 01 00 00 00 00 00 a4 81

The ParticipantMessageData (last four bytes) is malformed; nothing follows the encapsulation kind (CDR_BE) and options (0xa481) fields.

This triggers the following assertion in serdata_pserop_fix:

    assert (d->pos >= 16 && tp->memsize >= 16);

Here, d->pos is zero:

pwndbg> print *d
$5 = {
  c = {
    ops = 0x9e2ee0 <ddsi_serdata_ops_pserop>,
    hash = 0,
    refc = {
      v = 1
    },
    kind = SDK_DATA,
    type = 0x60c0000001c0,
    timestamp = {
      v = -9223372036854775808
    },
    statusinfo = 0,
    twrite = {
      v = -9223372036854775808
    }
  },
  sample = 0x603000004120,
  keyless = false,
  pos = 0,
  size = 4,
  pad = 0x60800000426c "",
  identifier = 0,
  options = 33188,
  data = 0x608000004270 "\276\276\276\276"
}

  • stderr:
HelloworldSubscriber: /home/seulbae/ddssecurity/targets/cyclonedds-0.10.2-hotfix/src/core/ddsi/src/ddsi_serdata_pserop.c:97: struct ddsi_serdata *serdata_pserop_fix(const struct ddsi_sertype_pserop *, struct ddsi_serdata_pserop *): Assertion `d->pos >= 16 && tp->memsize >= 16' failed.
Aborted

Thank you!
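As an added example (not CycloneDDS code and not part of the report), a small C parser that turns the length condition behind the assert into an explicit receive-side check, run over the 28 bytes from the report and over a constructed well-formed variant. The submessage layout, the entity ids and the 16-byte minimum come from the report; the error-code names and the second sample's body bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical receive-side parser for the DATA submessage from the report (not CycloneDDS
 * code). Where serdata_pserop_fix asserted on d->pos, it returns an error code instead. */
enum data_rc { DATA_OK = 0, DATA_ERR_HEADER, DATA_ERR_LENGTH, DATA_ERR_ENCAP, DATA_ERR_SHORT };
struct data_submsg {
  uint32_t reader_id, writer_id;      /* entity ids, big-endian on the wire (0x000200c2) */
  uint16_t encap_kind, encap_options; /* encapsulation header, always big-endian */
  const uint8_t *payload;             /* serialized data after the encapsulation header */
  size_t payload_len;                 /* the quantity the report calls d->pos */
};
static uint16_t rd16(const uint8_t *p, int le) { return (uint16_t)(le ? (p[0] | p[1] << 8) : (p[0] << 8 | p[1])); }
static uint32_t rd32be(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
/* min_payload: smallest serialized size the type can have (16 in the report: the key). */
enum data_rc parse_data_submsg(const uint8_t *buf, size_t len, size_t min_payload,
                               struct data_submsg *out) {
  if (len < 4 || buf[0] != 0x15 || !(buf[1] & 0x04)) return DATA_ERR_HEADER; /* DATA + D flag */
  int le = buf[1] & 0x01;                              /* E flag: little-endian header */
  size_t body_len = rd16(buf + 2, le);                 /* octetsToNextHeader */
  if (body_len < 4 || body_len > len - 4) return DATA_ERR_LENGTH; /* body must fit in buf */
  const uint8_t *body = buf + 4;
  size_t to_qos = rd16(body + 2, le);                  /* octetsToInlineQos */
  if (to_qos < 16 || to_qos + 8 > body_len) return DATA_ERR_ENCAP; /* ids, SN, kind, options */
  out->reader_id = rd32be(body + 4);
  out->writer_id = rd32be(body + 8);
  out->encap_kind = rd16(body + 4 + to_qos, 0);
  out->encap_options = rd16(body + 6 + to_qos, 0);
  out->payload = body + 8 + to_qos;
  out->payload_len = body_len - to_qos - 8;            /* 0 for the report's bytes */
  return out->payload_len < min_payload ? DATA_ERR_SHORT : DATA_OK;
}
/* Test inputs: the report's 28 bytes, and a constructed variant carrying a 20-byte body. */
static const uint8_t report_submsg[] = {
  0x15,0x05,0x18,0x00, 0x00,0x00,0x10,0x00, 0x00,0x01,0x00,0xc7, 0x00,0x02,0x00,0xc2,
  0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00, 0x00,0x00,0xa4,0x81 };
static const uint8_t wellformed_submsg[] = {
  0x15,0x05,0x2c,0x00, 0x00,0x00,0x10,0x00, 0x00,0x01,0x00,0xc7, 0x00,0x02,0x00,0xc2,
  0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* CDR_BE, options 0 */
  0x01,0x0f,0xaa,0xbb, 0xcc,0xdd,0xee,0xff, 0x00,0x00,0x00,0x01, /* guid prefix (made up) */
  0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00 };                    /* kind, empty data */
```

A caller that receives DATA_ERR_SHORT drops the submessage and logs the writer id; the process keeps running.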

@eboasson
Contributor

Thank you! This one really is simply an assert that shouldn't be there. It looks like a copy-paste-like mistake, but I've gone over the history and it hasn't been introduced by a little bit of refactoring where that is a plausible explanation.
