FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specially `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-contro lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

N/A

堆缓冲区溢出

Fast-DDS 安全漏洞

Fast-DDS是eProsima开源的一个完整的DDS系统。 Fast-DDS 3.4.1之前版本、3.3.1之前版本和2.6.11之前版本存在安全漏洞，该漏洞源于修改DATA子消息中的PID_IDENTITY_TOKEN或PID_PERMISSIONS_TOKEN字段导致整数溢出，可能引发内存耗尽和远程进程终止。

N/A

N/A