Описание
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. In eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper, memcpy is called to first copy the octet'ized length and then to copy the data into properties_.data. At the second memcpy, both data and size can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | DNE | |
| devel | not-affected | 2.10.1+ds-3 |
| esm-apps/jammy | released | 2.5.0+ds-3ubuntu0.1~esm1 |
| esm-apps/noble | not-affected | 2.10.1+ds-3 |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | needed | |
| lunar | released | 2.9.1+ds-1ubuntu0.1 |
| mantic | not-affected | 2.10.1+ds-3 |
| noble | not-affected | 2.10.1+ds-3 |
Показывать по
8.2 High
CVSS3
Связанные уязвимости
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to first copy the octet'ized length and then to copy the data into `properties_.data`. At the second memcpy, both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.
eprosima Fast DDS is a C++ implementation of the Data Distribution Ser ...
8.2 High
CVSS3