From f2d0dd2ef4753e61a1fa08f356918f946d20cfa2 Mon Sep 17 00:00:00 2001
From: Erik Boasson
Date: Fri, 4 Jan 2019 10:37:56 +0100
Subject: [PATCH] fix use of initialized memory (in this case, harmless) when a undersized packet is received
Signed-off-by: Erik Boasson
---
 src/core/ddsi/include/ddsi/q_protocol.h | 5 ++++
 src/core/ddsi/src/q_receive.c | 34 +++++++------------------
 2 files changed, 14 insertions(+), 25 deletions(-)
diff --git a/src/core/ddsi/include/ddsi/q_protocol.h b/src/core/ddsi/include/ddsi/q_protocol.h
index d1243f0..209719a 100644
--- a/src/core/ddsi/include/ddsi/q_protocol.h
+++ b/src/core/ddsi/include/ddsi/q_protocol.h
@@ -156,6 +156,11 @@ typedef struct Header {
   nn_guid_prefix_t guid_prefix;
 } Header_t;
 #define NN_PROTOCOLID_INITIALIZER {{ 'R','T','P','S' }}
+#if PLATFORM_IS_LITTLE_ENDIAN
+#define NN_PROTOCOLID_AS_UINT32 (((uint32_t)'R' << 0) | ((uint32_t)'T' << 8) | ((uint32_t)'P' << 16) | ((uint32_t)'S' << 24))
+#else
+#define NN_PROTOCOLID_AS_UINT32 (((uint32_t)'R' << 24) | ((uint32_t)'T' << 16) | ((uint32_t)'P' << 8) | ((uint32_t)'S' << 0))
+#endif
 #define NN_PROTOCOL_VERSION_INITIALIZER { RTPS_MAJOR, RTPS_MINOR }
 #define NN_VENDORID_INITIALIER MY_VENDOR_ID
 #define NN_HEADER_INITIALIZER { NN_PROTOCOLID_INITIALIZER, NN_PROTOCOL_VERSION_INITIALIZER, NN_VENDORID_INITIALIER, NN_GUID_PREFIX_UNKNOWN_INITIALIZER }
diff --git a/src/core/ddsi/src/q_receive.c b/src/core/ddsi/src/q_receive.c
index cc66e56..d4e6cd3 100644
--- a/src/core/ddsi/src/q_receive.c
+++ b/src/core/ddsi/src/q_receive.c
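Review bot: `#if PLATFORM_IS_LITTLE_ENDIAN` silently evaluates to 0 when the macro is not defined at this point, so a translation unit that includes q_protocol.h without whatever platform header defines it (the hunk does not show where it comes from) gets the big-endian constant and rejects every packet on a little-endian host. Guard the selection so that mistake fails at compile time rather than at runtime: `#ifndef PLATFORM_IS_LITTLE_ENDIAN` / `#error "PLATFORM_IS_LITTLE_ENDIAN must be defined before including q_protocol.h"` ahead of the `#if`. The new macro also duplicates the byte sequence in NN_PROTOCOLID_INITIALIZER, so a short comment such as `/* "RTPS" as the native-endian uint32_t read from the start of a packet; must agree with NN_PROTOCOLID_INITIALIZER */` would tell the next maintainer that the two definitions have to stay in sync.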
@@ -3009,16 +3009,15 @@ static bool do_packet
   nn_rmsg_setsize (rmsg, (uint32_t) sz);
   assert (vtime_asleep_p (self->vtime));
-  if
-  (
-    (size_t) sz < RTPS_MESSAGE_HEADER_SIZE ||
-    buff[0] != 'R' || buff[1] != 'T' || buff[2] != 'P' || buff[3] != 'S' ||
-    hdr->version.major != RTPS_MAJOR || (hdr->version.major == RTPS_MAJOR && hdr->version.minor < RTPS_MINOR_MINIMUM)
-  )
+  if ((size_t)sz < RTPS_MESSAGE_HEADER_SIZE || *(uint32_t *)buff != NN_PROTOCOLID_AS_UINT32)
   {
-    if ((hdr->version.major == RTPS_MAJOR && hdr->version.minor < RTPS_MINOR_MINIMUM))
-      DDS_TRACE("HDR(%x:%x:%x vendor %d.%d) len %lu\n, version mismatch: %d.%d\n", PGUIDPREFIX (hdr->guid_prefix), hdr->vendorid.id[0], hdr->vendorid.id[1], (unsigned long) sz, hdr->version.major, hdr->version.minor);
+    /* discard packets that are really too small or don't have magic cookie */
+  }
+  else if (hdr->version.major != RTPS_MAJOR || (hdr->version.major == RTPS_MAJOR && hdr->version.minor < RTPS_MINOR_MINIMUM))
+  {
+    if ((hdr->version.major == RTPS_MAJOR && hdr->version.minor < RTPS_MINOR_MINIMUM))
+      DDS_TRACE("HDR(%x:%x:%x vendor %d.%d) len %lu\n, version mismatch: %d.%d\n", PGUIDPREFIX (hdr->guid_prefix), hdr->vendorid.id[0], hdr->vendorid.id[1], (unsigned long) sz, hdr->version.major, hdr->version.minor);
     if (NN_PEDANTIC_P)
       malformed_packet_received_nosubmsg (buff, sz, "header", hdr->vendorid);
   }
@@ -3034,22 +3033,7 @@ static bool do_packet
                 PGUIDPREFIX (hdr->guid_prefix), hdr->vendorid.id[0], hdr->vendorid.id[1], (unsigned long) sz, addrstr);
     }
-    {
-      handle_submsg_sequence
-      (
-        conn,
-        &srcloc,
-        self,
-        now (),
-        now_et (),
-        &hdr->guid_prefix,
-        guidprefix,
-        buff,
-        (size_t) sz,
-        buff + RTPS_MESSAGE_HEADER_SIZE,
-        rmsg
-      );
-    }
+    handle_submsg_sequence (conn, &srcloc, self, now (), now_et (), &hdr->guid_prefix, guidprefix, buff, (size_t) sz, buff + RTPS_MESSAGE_HEADER_SIZE, rmsg);
   }
   thread_state_asleep (self);
 }
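Review bot: The new magic-cookie test `*(uint32_t *)buff != NN_PROTOCOLID_AS_UINT32` reads the receive buffer through a uint32_t pointer, which violates strict aliasing if buff is a byte array (the removed lines compared `buff[0]` to `'R'`, suggesting it is) and is a misaligned access on targets that trap on one; the hunk does not show how buff is declared or aligned. A plain `memcmp (buff, "RTPS", 4) != 0` expresses the same check without the endianness-dependent macro added in q_protocol.h, is safe once the preceding size test has run (assuming RTPS_MESSAGE_HEADER_SIZE is at least 4, which is not visible here), and mainstream compilers reduce a fixed four-byte memcmp to a single word compare, so nothing is lost. Separately, the re-added trace carries the stray `\n,` inside the format string, which breaks the log line in the middle; the intended form appears to be `"HDR(%x:%x:%x vendor %d.%d) len %lu, version mismatch: %d.%d\n"`. The body of do_packet starts before this hunk and ends in the next one.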