fix use of initialized memory (in this case, harmless) when a undersized packet is received

Signed-off-by: Erik Boasson <eb@ilities.com>
2019-01-04 10:37:56 +01:00 · 2019-01-04 10:37:56 +01:00 · f2d0dd2ef4
commit f2d0dd2ef4
parent 771eed118b
2 changed files with 14 additions and 25 deletions
--- a/src/core/ddsi/include/ddsi/q_protocol.h
+++ b/src/core/ddsi/include/ddsi/q_protocol.h
@ -156,6 +156,11 @@ typedef struct Header {
  nn_guid_prefix_t guid_prefix;
 } Header_t;
 #define NN_PROTOCOLID_INITIALIZER {{ 'R','T','P','S' }}
+#if PLATFORM_IS_LITTLE_ENDIAN
+#define NN_PROTOCOLID_AS_UINT32 (((uint32_t)'R' << 0) | ((uint32_t)'T' << 8) | ((uint32_t)'P' << 16) | ((uint32_t)'S' << 24))
+#else
+#define NN_PROTOCOLID_AS_UINT32 (((uint32_t)'R' << 24) | ((uint32_t)'T' << 16) | ((uint32_t)'P' << 8) | ((uint32_t)'S' << 0))
+#endif
 #define NN_PROTOCOL_VERSION_INITIALIZER { RTPS_MAJOR, RTPS_MINOR }
 #define NN_VENDORID_INITIALIER MY_VENDOR_ID
 #define NN_HEADER_INITIALIZER { NN_PROTOCOLID_INITIALIZER, NN_PROTOCOL_VERSION_INITIALIZER, NN_VENDORID_INITIALIER, NN_GUID_PREFIX_UNKNOWN_INITIALIZER }
--- a/src/core/ddsi/src/q_receive.c
+++ b/src/core/ddsi/src/q_receive.c
@ -3009,16 +3009,15 @@ static bool do_packet
    nn_rmsg_setsize (rmsg, (uint32_t) sz);
    assert (vtime_asleep_p (self->vtime));

-    if
-    (
-      (size_t) sz < RTPS_MESSAGE_HEADER_SIZE ||
-      buff[0] != 'R' || buff[1] != 'T' || buff[2] != 'P' || buff[3] != 'S' ||
-      hdr->version.major != RTPS_MAJOR || (hdr->version.major == RTPS_MAJOR && hdr->version.minor < RTPS_MINOR_MINIMUM)
-    )
+    if ((size_t)sz < RTPS_MESSAGE_HEADER_SIZE || *(uint32_t *)buff != NN_PROTOCOLID_AS_UINT32)
    {
-        if ((hdr->version.major == RTPS_MAJOR && hdr->version.minor < RTPS_MINOR_MINIMUM))
-          DDS_TRACE("HDR(%x:%x:%x vendor %d.%d) len %lu\n, version mismatch: %d.%d\n",
-                    PGUIDPREFIX (hdr->guid_prefix), hdr->vendorid.id[0], hdr->vendorid.id[1], (unsigned long) sz, hdr->version.major, hdr->version.minor);
+      /* discard packets that are really too small or don't have magic cookie */
+    }
+    else if (hdr->version.major != RTPS_MAJOR || (hdr->version.major == RTPS_MAJOR && hdr->version.minor < RTPS_MINOR_MINIMUM))
+    {
+      if ((hdr->version.major == RTPS_MAJOR && hdr->version.minor < RTPS_MINOR_MINIMUM))
+        DDS_TRACE("HDR(%x:%x:%x vendor %d.%d) len %lu\n, version mismatch: %d.%d\n",
+                  PGUIDPREFIX (hdr->guid_prefix), hdr->vendorid.id[0], hdr->vendorid.id[1], (unsigned long) sz, hdr->version.major, hdr->version.minor);
      if (NN_PEDANTIC_P)
        malformed_packet_received_nosubmsg (buff, sz, "header", hdr->vendorid);
    }
@ -3034,22 +3033,7 @@ static bool do_packet
                  PGUIDPREFIX (hdr->guid_prefix), hdr->vendorid.id[0], hdr->vendorid.id[1], (unsigned long) sz, addrstr);
      }

-      {
-        handle_submsg_sequence
-        (
-          conn,
-          &srcloc,
-          self,
-          now (),
-          now_et (),
-          &hdr->guid_prefix,
-          guidprefix,
-          buff,
-          (size_t) sz,
-          buff + RTPS_MESSAGE_HEADER_SIZE,
-          rmsg
-        );
-      }
+      handle_submsg_sequence (conn, &srcloc, self, now (), now_et (), &hdr->guid_prefix, guidprefix, buff, (size_t) sz, buff + RTPS_MESSAGE_HEADER_SIZE, rmsg);
    }
    thread_state_asleep (self);
  }