eProsima Fast DDS
cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*
- < 3.4.1
- < 3.3.1
- < 2.6.11
A denial-of-service vulnerability causing excessive memory consumption has been identified in eProsima Fast DDS versions prior to 3.4.1, 3.3.1, and 2.6.11. The issue arises when the library processes Real-Time Publish-Subscribe (RTPS) Gap submessages under Reliable Quality of Service (QoS). An attacker can exploit this vulnerability by sending a small GAP packet with a large gap range, which triggers an unbounded loop in the 'StatefulReader::processGapMsg()' function. This loop inserts millions of sequence numbers into the 'WriterProxy::changes_received_' set, leading to multi-gigabyte heap growth and process termination. In environments without a memory limit, such as those not using AddressSanitizer, memory usage can reach approximately 64 GB.
Exploitation of this vulnerability causes the process to consume excessive amounts of memory, leading to termination of the process once the memory limit is reached. In environments without a memory limit, this can result in memory consumption of around 64 GB.
The vulnerability can be reproduced by sending a GAP message with a large gap range to a reader that is using Reliable QoS. This can be done using the eProsima Fast DDS library by creating a publisher and a subscriber, and then sending a GAP message that exploits the vulnerability. The 'WriterProxyTests' unit test in the Fast DDS repository includes a regression test for this vulnerability, demonstrating how it can be exploited.
Users can upgrade to eProsima Fast DDS versions 3.4.1, 3.3.1, or 2.6.11, where this vulnerability has been fixed.
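The per-sequence-number insertion described above, next to one bounded way to handle the same range, as an added C++ sketch that is not Fast DDS code and not the fix shipped in 3.4.1, 3.3.1 or 2.6.11. `ReaderModel`, `low_mark`, `kMaxTracked` and both function names are hypothetical, and the window-clamping policy is an assumption of this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <set>

// Simplified model for illustration; all names here are hypothetical, not Fast DDS code.
constexpr int64_t kMaxTracked = 256;  // assumed cap on individually tracked sequence numbers

struct ReaderModel {
    std::set<int64_t> received;  // stands in for WriterProxy::changes_received_
    int64_t low_mark = 0;        // every sequence number <= low_mark is already accounted for

    // Pattern the advisory describes: one set insertion per sequence number in [start, end).
    uint64_t gap_unbounded(int64_t start, int64_t end) {
        uint64_t inserted = 0;
        for (int64_t sn = start; sn < end; ++sn)
            if (received.insert(sn).second) ++inserted;
        return inserted;
    }

    // Bounded handling: work and memory stay within kMaxTracked whatever the range size.
    uint64_t gap_bounded(int64_t start, int64_t end) {
        if (start <= 0 || end <= start) return 0;  // malformed range
        if (start <= low_mark + 1) {
            // Contiguous with the accounted prefix: advance the mark in O(1), no insertions.
            low_mark = std::max(low_mark, end - 1);
            received.erase(received.begin(), received.upper_bound(low_mark));
            while (!received.empty() && *received.begin() == low_mark + 1) {
                low_mark = *received.begin();  // absorb entries that became contiguous
                received.erase(received.begin());
            }
            return 0;
        }
        // Detached range: track only the part inside a fixed window above low_mark.
        int64_t last = (end - low_mark - 1 > kMaxTracked) ? low_mark + 1 + kMaxTracked : end;
        uint64_t inserted = 0;
        for (int64_t sn = start; sn < last; ++sn)
            if (received.insert(sn).second) ++inserted;
        return inserted;
    }
};

int main() {
    ReaderModel naive, bounded;
    std::printf("unbounded: %llu insertions\n",
                (unsigned long long)naive.gap_unbounded(2, 200002));  // constructed range
    std::printf("bounded:   %llu insertions\n",
                (unsigned long long)bounded.gap_bounded(2, INT64_MAX));  // constructed range
    return 0;
}
```

In the bounded variant the part of a detached range that falls outside the window is dropped rather than stored, which in this model relies on the writer announcing the gap again later.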