jhelovuo / RustDDS

Rust implementation of Data Distribution Service



Remotely reachable `todo!()`s

squizz617 opened this issue · comments

There are five `todo!()` invocations in message_receiver.rs that can be remotely triggered to cause a panic. As the backtrace below shows, the panic occurs on the participant's event-loop thread, so this is a remotely triggerable denial of service against the participant.

My fuzzer generated the DDS-Security submessages, namely SEC_BODY, SEC_PREFIX, SEC_POSTFIX, SRTPS_PREFIX, and SRTPS_POSTFIX, and was able to trigger a panic in RustDDS 0.8.3 by sending them to the discovery ports.
It should be noted that DDSI-RTPS 8.3.4.1 states that "a Submessage with an unknown SubmessageId must be ignored and parsing must continue with the next Submessage." The receiver should therefore skip these submessages rather than panic.

  • SRTPS_POSTFIX submessage:
0000   34 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0010   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050   00 00 00 00 00 00 00 00 00 05 ff ff 05
  • Full backtrace:
thread 'RustDDS Participant 0 event loop' panicked at 'not yet implemented', src/rtps/message_receiver.rs:385:9
stack backtrace:
   0:     0x560289b5e9da - std::backtrace_rs::backtrace::libunwind::trace::h9a6b80bbf328ba5d
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
   1:     0x560289b5e9da - std::backtrace_rs::backtrace::trace_unsynchronized::hd162ec543a11886b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x560289b5e9da - std::sys_common::backtrace::_print_fmt::h78a5099be12f51a6
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:65:5
   3:     0x560289b5e9da - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::ha1c5390454d74f71
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:44:22
   4:     0x560289b8452f - core::fmt::write::h9ffde816c577717b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/fmt/mod.rs:1254:17
   5:     0x560289b5ba55 - std::io::Write::write_fmt::h88186074961638e4
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/io/mod.rs:1698:15
   6:     0x560289b5e7a5 - std::sys_common::backtrace::_print::h184198273ed08d59
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:47:5
   7:     0x560289b5e7a5 - std::sys_common::backtrace::print::h1b4d8e7add699453
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:34:9
   8:     0x560289b5fe4e - std::panicking::default_hook::{{closure}}::h393bcea75423915a
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:269:22
   9:     0x560289b5fbf5 - std::panicking::default_hook::h48c64f31d8b3fd03
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:288:9
  10:     0x560289b603ae - std::panicking::rust_panic_with_hook::hafdc493a79370062
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:691:13
  11:     0x560289b60262 - std::panicking::begin_panic_handler::{{closure}}::h0a64bc82e36bedc7
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:580:13
  12:     0x560289b5ee46 - std::sys_common::backtrace::__rust_end_short_backtrace::hc203444fb7416a16
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:150:18
  13:     0x560289b60002 - rust_begin_unwind
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:578:5
  14:     0x560289318193 - core::panicking::panic_fmt::h0f6ef0178afce4f2
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:67:14
  15:     0x56028931822d - core::panicking::panic::h0ead933cb8f56d66
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:117:5
  16:     0x5602898fa836 - rustdds::rtps::message_receiver::MessageReceiver::handle_security_submessage::h9483d713587983a1
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/rtps/message_receiver.rs:385:9
  17:     0x5602898f8379 - rustdds::rtps::message_receiver::MessageReceiver::handle_parsed_message::h0a8165bccbf2ada7
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/rtps/message_receiver.rs:197:40
  18:     0x5602898f7cef - rustdds::rtps::message_receiver::MessageReceiver::handle_received_packet::hc7a36f69f3a2e87d
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/rtps/message_receiver.rs:183:5
  19:     0x560289799a2e - rustdds::rtps::dp_event_loop::DPEventLoop::event_loop::h05601bd6c3c2ae31
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/rtps/dp_event_loop.rs:250:19
  20:     0x5602894ccaa3 - rustdds::dds::participant::DomainParticipantInner::new::{{closure}}::had0cef772e58f041
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/dds/participant.rs:768:9
  21:     0x5602897de709 - std::sys_common::backtrace::__rust_begin_short_backtrace::h3c1e3fbec170011b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:134:18
  22:     0x5602897fe660 - std::thread::Builder::spawn_unchecked_::{{closure}}::{{closure}}::heed9327ed729ac05
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:526:17
  23:     0x5602898dc764 - <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once::hd3ac06514cc9e0f4
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panic/unwind_safe.rs:271:9
  24:     0x5602897f9e78 - std::panicking::try::do_call::hed72e5162abcf112
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:485:40
  25:     0x5602897fa16b - __rust_try
  26:     0x5602897f9c78 - std::panicking::try::h5292baa88e55de58
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:449:19
  27:     0x560289767e4a - std::panic::catch_unwind::hdcd6626c135e20a9
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panic.rs:140:14
  28:     0x5602897fe40a - std::thread::Builder::spawn_unchecked_::{{closure}}::h97b9c2e3d6394ccc
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:525:30
  29:     0x5602894e0f9f - core::ops::function::FnOnce::call_once{{vtable.shim}}::h8e1e1ae7ba09c97b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/ops/function.rs:250:5
  30:     0x560289b63505 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::ha1f2224656a778fb
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9
  31:     0x560289b63505 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::haa29ed9703f354b7
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9
  32:     0x560289b63505 - std::sys::unix::thread::Thread::new::thread_start::h33b6dae3e3692197
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys/unix/thread.rs:108:17
  33:     0x7f5b46f3c609 - start_thread
                               at /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
  34:     0x7f5b46d0c133 - clone
                               at /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
  35:                0x0 - <unknown>

Yes, correct finding. This is a versioning mistake, i.e. work-in-progress code that was merged to the master branch.

This was supposed to have been fixed already, and it seems that it was, in 03ddf08. Apparently that fix had not yet made it into a release, or even into the master branch, so you get bug / vulnerability discovery points anyway.

Fixed in release 0.8.4.