eProsima Fast-DDS Integer Overflow Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in eProsima Fast-DDS version 3.3, caused by an integer overflow when processing the DataFrag sub-message of the RTPS protocol. This overflow allows attackers to craft malicious RTPS packets that exploit the vulnerability, leading to out-of-bounds memory access, segmentation faults, or arbitrary memory reads.

Impact

Exploitation of this vulnerability causes a segmentation fault or arbitrary memory read, disrupting the application's normal operation.

Reproduction

To reproduce this vulnerability, send crafted RTPS packets over UDP that exploit the integer overflow in the 'proc_Submsg_DataFrag' function of 'MessageReceiver.cpp'. The packets must be designed to cause out-of-bounds access, triggering a 'memcpy' operation that copies excessively large data, leading to a segmentation fault or arbitrary memory read.