thread 'RustDDS Participant 0 event loop' panicked at 'split_to out of bounds: 28 <= 24'
squizz617 opened this issue
Panic case 4 out of 5!
This and the next panic happen in the `bytes-1.4.0` crate, which is unhandled and crashes RustDDS.
Specifically, `submessages_left.split_to` in `message.rs` is invoked with an insufficient length, causing an OOB error.
- RTPS message (malformed DATA submessage's octetsToNextHeader field):
```
Real-Time Publish-Subscribe Wire Protocol
Magic: RTPS
Protocol version: 2.2
vendorId: 255.255 (Unknown)
guidPrefix: 010f45d2b3f558b901000000
Default port mapping: domainId=1, participantIdx=0, nature=UNICAST_METATRAFFIC
submessageId: DATA (0x15)
Flags: 0x0b, Serialized Key, Inline QoS, Endianness bit
octetsToNextHeader: 24
[Expert Info (Warning/Protocol): (Error: should be >= 28)]
[(Error: should be >= 28)]
[Severity level: Warning]
[Group: Protocol]
```
- Hexdump of above:
```
0000 00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00
0010 45 00 00 48 00 01 40 00 40 11 3c a2 7f 00 00 01
0020 7f 00 00 01 05 39 1d ec 00 34 38 56 52 54 50 53
0030 02 02 ff ff 01 0f 45 d2 b3 f5 58 b9 01 00 00 00
0040 15 0b 18 00 00 00 00 00 00 00 02 c2 00 00 00 00
0050 7d 00 00 00 00 01 00 00
```
- stderr and trace:
thread 'RustDDS Participant 0 event loop' panicked at 'split_to out of bounds: 28 <= 24', /home/seulbae/.cargo/registry/src/index.crates.io-6f17d22bba15001f/bytes-1.4.0/src/bytes.rs:412:9
stack backtrace:
0: 0x557d4ffd9e2a - std::backtrace_rs::backtrace::libunwind::trace::h9a6b80bbf328ba5d
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
1: 0x557d4ffd9e2a - std::backtrace_rs::backtrace::trace_unsynchronized::hd162ec543a11886b
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
2: 0x557d4ffd9e2a - std::sys_common::backtrace::_print_fmt::h78a5099be12f51a6
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:65:5
3: 0x557d4ffd9e2a - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::ha1c5390454d74f71
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:44:22
4: 0x557d4ffff94f - core::fmt::write::h9ffde816c577717b
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/fmt/mod.rs:1254:17
5: 0x557d4ffd6ea5 - std::io::Write::write_fmt::h88186074961638e4
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/io/mod.rs:1698:15
6: 0x557d4ffd9bf5 - std::sys_common::backtrace::_print::h184198273ed08d59
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:47:5
7: 0x557d4ffd9bf5 - std::sys_common::backtrace::print::h1b4d8e7add699453
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:34:9
8: 0x557d4ffdb29e - std::panicking::default_hook::{{closure}}::h393bcea75423915a
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:269:22
9: 0x557d4ffdb045 - std::panicking::default_hook::h48c64f31d8b3fd03
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:288:9
10: 0x557d4ffdb7fe - std::panicking::rust_panic_with_hook::hafdc493a79370062
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:691:13
11: 0x557d4ffdb6f9 - std::panicking::begin_panic_handler::{{closure}}::h0a64bc82e36bedc7
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:582:13
12: 0x557d4ffda296 - std::sys_common::backtrace::__rust_end_short_backtrace::hc203444fb7416a16
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:150:18
13: 0x557d4ffdb452 - rust_begin_unwind
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:578:5
14: 0x557d4f7a8193 - core::panicking::panic_fmt::h0f6ef0178afce4f2
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:67:14
15: 0x557d4fde3549 - bytes::bytes::Bytes::split_to::h1b577b0bb4b2dd37
at /home/seulbae/.cargo/registry/src/index.crates.io-6f17d22bba15001f/bytes-1.4.0/src/bytes.rs:412:9
16: 0x557d4fd54b95 - rustdds::serialization::message::Message::read_from_buffer::ha0be6f55423e1870
at /home/seulbae/ddssecurity/targets/RustDDS/src/serialization/message.rs:98:28
17: 0x557d4fd7d16c - rustdds::dds::message_receiver::MessageReceiver::handle_received_packet::he766cb96ae5beba0
at /home/seulbae/ddssecurity/targets/RustDDS/src/dds/message_receiver.rs:198:30
18: 0x557d4fd4e73e - rustdds::dds::dp_event_loop::DPEventLoop::event_loop::h090b9277cdf99125
at /home/seulbae/ddssecurity/targets/RustDDS/src/dds/dp_event_loop.rs:252:19
19: 0x557d4fb85783 - rustdds::dds::participant::DomainParticipantInner::new::{{closure}}::hdecfeffc8c70284e
at /home/seulbae/ddssecurity/targets/RustDDS/src/dds/participant.rs:767:9
20: 0x557d4f964429 - std::sys_common::backtrace::__rust_begin_short_backtrace::hcf04dd068b42aae2
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:134:18
21: 0x557d4f989890 - std::thread::Builder::spawn_unchecked_::{{closure}}::{{closure}}::h6021dfd9422bcc9f
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:526:17
22: 0x557d4f9821a4 - <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once::h2fa84cede123ce53
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panic/unwind_safe.rs:271:9
23: 0x557d4fb97708 - std::panicking::try::do_call::h9f1b103607119d4e
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:485:40
24: 0x557d4fb97a2b - __rust_try
25: 0x557d4fb97488 - std::panicking::try::haa14520fe8729ea3
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:449:19
26: 0x557d4f98773a - std::panic::catch_unwind::h132cb257b84f036d
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panic.rs:140:14
27: 0x557d4f98929a - std::thread::Builder::spawn_unchecked_::{{closure}}::ha0318418a63b8186
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:525:30
28: 0x557d4f9405ff - core::ops::function::FnOnce::call_once{{vtable.shim}}::hcd6ea3874fef7b1b
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/ops/function.rs:250:5
29: 0x557d4ffde925 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::ha1f2224656a778fb
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9
30: 0x557d4ffde925 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::haa29ed9703f354b7
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9
31: 0x557d4ffde925 - std::sys::unix::thread::Thread::new::thread_start::h33b6dae3e3692197
at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys/unix/thread.rs:108:17
32: 0x7fa00c3ed609 - start_thread
at /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
33: 0x7fa00c1bd133 - clone
at /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
34: 0x0 - <unknown>
Thank you.
Again a good find, thank you!
This is now fixed in the latest master commit. Also added your test message as a unit test case.
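
The failure mode reported in this issue, as an added example that is neither RustDDS code nor its fix: a std-only splitter that checks each submessage's declared length against the bytes left in the datagram and returns an error where an unchecked split would panic. `split_submessages`, `ParseError` and `REPORTED` are names made up for this example; `REPORTED` is the RTPS payload copied from the hexdump above.

```rust
// Added example (std only): bounds-checked RTPS submessage splitting.
const RTPS_HEADER_LEN: usize = 20; // magic, version, vendorId, guidPrefix
const SUBMSG_HEADER_LEN: usize = 4; // submessageId, flags, octetsToNextHeader

#[derive(Debug, PartialEq)]
pub enum ParseError {
    BadHeader,
    Truncated { needed: usize, available: usize },
}

// RTPS payload of the report's hexdump (UDP payload, offset 0x2c onward).
pub const REPORTED: [u8; 44] = [
    0x52, 0x54, 0x50, 0x53, 0x02, 0x02, 0xff, 0xff, 0x01, 0x0f, // RTPS header
    0x45, 0xd2, 0xb3, 0xf5, 0x58, 0xb9, 0x01, 0x00, 0x00, 0x00,
    0x15, 0x0b, 0x18, 0x00, // DATA, flags 0x0b, octetsToNextHeader = 24
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xc2, 0x00, 0x00, // 20 body bytes
    0x00, 0x00, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
];

/// Returns (submessageId, flags, body) per submessage; a declared length that
/// overruns the datagram becomes an Err instead of a panic.
pub fn split_submessages(msg: &[u8]) -> Result<Vec<(u8, u8, &[u8])>, ParseError> {
    if msg.len() < RTPS_HEADER_LEN || !msg.starts_with(b"RTPS") {
        return Err(ParseError::BadHeader);
    }
    let mut left = &msg[RTPS_HEADER_LEN..];
    let mut out = Vec::new();
    while !left.is_empty() {
        let available = left.len();
        let hdr = left
            .get(..SUBMSG_HEADER_LEN)
            .ok_or(ParseError::Truncated { needed: SUBMSG_HEADER_LEN, available })?;
        // Flag bit 0 is the endianness bit; set means little-endian.
        let raw = [hdr[2], hdr[3]];
        let len = if hdr[1] & 1 != 0 { u16::from_le_bytes(raw) } else { u16::from_be_bytes(raw) };
        // Simplification: the special meaning of octetsToNextHeader == 0 is not modelled.
        let needed = SUBMSG_HEADER_LEN + usize::from(len);
        let sub = left.get(..needed).ok_or(ParseError::Truncated { needed, available })?;
        out.push((hdr[0], hdr[1], &sub[SUBMSG_HEADER_LEN..]));
        left = &left[needed..];
    }
    Ok(out)
}

fn main() {
    // 4 + 24 = 28 bytes declared, 24 left after the RTPS header.
    println!("{:?}", split_submessages(&REPORTED));
}
```

The `needed` and `available` values returned for `REPORTED` are the same 28 and 24 that appear in the panic message.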