Version in base suite: 2.1.0+ds-9 Base version: fastdds_2.1.0+ds-9 Target version: fastdds_2.1.0+ds-9+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/fastdds/fastdds_2.1.0+ds-9.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/fastdds/fastdds_2.1.0+ds-9+deb11u1.dsc changelog | 14 gbp.conf | 4 patches/backports/CVE-2021-38425.patch | 24 patches/backports/CVE-2023-39534.patch | 109 ++ patches/backports/CVE-2023-39945_CVE-2023-39948.patch | 720 ++++++++++++++++++ patches/backports/CVE-2023-39946_CVE-2023-39947.patch | 97 ++ patches/backports/CVE-2023-39949.patch | 28 patches/series | 5 8 files changed, 1001 insertions(+) diff -Nru fastdds-2.1.0+ds/debian/changelog fastdds-2.1.0+ds/debian/changelog --- fastdds-2.1.0+ds/debian/changelog 2021-01-29 11:33:00.000000000 +0000 +++ fastdds-2.1.0+ds/debian/changelog 2023-08-18 18:19:21.000000000 +0000 @@ -1,3 +1,17 @@ +fastdds (2.1.0+ds-9+deb11u1) bullseye-security; urgency=medium + + * Backport security fixes + - CVE-2021-38425 Denial-of-service by auth package flooding + - CVE-2023-39534 Malformed GAP submessage triggers assertion failure + - CVE-2023-39945 Unhandled exception on malformed data submessage + - CVE-2023-39946 Heap overflow triggered by PID_PROPERTY_LIST + - CVE-2023-39947 Heap overflow triggered by PID_PROPERTY_LIST + - CVE-2023-39948 Uncaught fastcdr exceptions + - CVE-2023-39949 Improper validation of sequence numbers + (Closes: #1043548) + + -- Timo Röhling Fri, 18 Aug 2023 20:19:21 +0200 + fastdds (2.1.0+ds-9) unstable; urgency=medium * Disable import of fast-server-discovery target diff -Nru fastdds-2.1.0+ds/debian/gbp.conf fastdds-2.1.0+ds/debian/gbp.conf --- fastdds-2.1.0+ds/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000 +++ fastdds-2.1.0+ds/debian/gbp.conf 2023-08-18 18:19:21.000000000 +0000 @@ -0,0 +1,4 @@ +[DEFAULT] +debian-branch = bullseye +upstream-branch = + diff -Nru fastdds-2.1.0+ds/debian/patches/backports/CVE-2021-38425.patch fastdds-2.1.0+ds/debian/patches/backports/CVE-2021-38425.patch --- fastdds-2.1.0+ds/debian/patches/backports/CVE-2021-38425.patch 1970-01-01 00:00:00.000000000 +0000 +++ fastdds-2.1.0+ds/debian/patches/backports/CVE-2021-38425.patch 2023-08-18 18:19:21.000000000 +0000 @@ -0,0 +1,24 @@ +From: =?utf-8?q?Timo_R=C3=B6hling?= +Date: Fri, 18 Aug 2023 20:16:15 +0200 +Subject: Authentication exponential backoff + +Bug: https://github.com/eProsima/Fast-DDS/issues/2267 +Origin: https://github.com/eProsima/Fast-DDS/commit/01550cfa1b8313c4cb39529960b41f95e4820312 +--- + src/cpp/rtps/security/SecurityManager.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp +index 132d48f..3aac16f 100644 +--- a/src/cpp/rtps/security/SecurityManager.cpp ++++ b/src/cpp/rtps/security/SecurityManager.cpp +@@ -930,6 +930,9 @@ bool SecurityManager::on_process_handshake( + if (ret == VALIDATION_PENDING_HANDSHAKE_MESSAGE) + { + remote_participant_info->expected_sequence_number_ = expected_sequence_number; ++ // Avoid DoS attack by exponentially increasing event interval ++ auto time_ms = remote_participant_info->event_->getIntervalMilliSec(); ++ remote_participant_info->event_->update_interval_millisec(time_ms * 2); + remote_participant_info->event_->restart_timer(); + } + diff -Nru fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39534.patch fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39534.patch --- fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39534.patch 1970-01-01 00:00:00.000000000 +0000 +++ fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39534.patch 2023-08-18 18:19:21.000000000 +0000 @@ -0,0 +1,109 @@ +From: =?utf-8?q?Timo_R=C3=B6hling?= +Date: Fri, 18 Aug 2023 19:44:45 +0200 +Subject: Avoid integer underflow when processing GAP messages + +Bug: https://github.com/eProsima/Fast-DDS/pull/3343 +Origin: https://github.com/eProsima/Fast-DDS/commit/2674fdd93793fd314fcb81b795f9f62b8fcb1ea0 +--- + src/cpp/rtps/reader/StatefulReader.cpp | 6 ++--- + test/blackbox/common/RTPSBlackboxTestsBasic.cpp | 28 ++++++++++++++++++++++ + .../blackbox/common/RTPSWithRegistrationReader.hpp | 5 ++++ + .../blackbox/common/RTPSWithRegistrationWriter.hpp | 5 ++++ + 4 files changed, 41 insertions(+), 3 deletions(-) + +diff --git a/src/cpp/rtps/reader/StatefulReader.cpp b/src/cpp/rtps/reader/StatefulReader.cpp +index 8e71630..d103cb6 100644 +--- a/src/cpp/rtps/reader/StatefulReader.cpp ++++ b/src/cpp/rtps/reader/StatefulReader.cpp +@@ -583,7 +583,7 @@ bool StatefulReader::processGapMsg( + WriterProxy* pWP = nullptr; + + std::unique_lock lock(mp_mutex); +- if (!is_alive_) ++ if (!is_alive_ || gapStart < SequenceNumber_t(0, 1) || gapList.base() <= gapStart) + { + return false; + } +@@ -592,9 +592,9 @@ bool StatefulReader::processGapMsg( + { + // TODO (Miguel C): Refactor this inside WriterProxy + SequenceNumber_t auxSN; +- SequenceNumber_t finalSN = gapList.base() - 1; ++ SequenceNumber_t finalSN = gapList.base(); + History::const_iterator history_iterator = mp_history->changesBegin(); +- for (auxSN = gapStart; auxSN <= finalSN; auxSN++) ++ for (auxSN = gapStart; auxSN < finalSN; auxSN++) + { + if (pWP->irrelevant_change_set(auxSN)) + { +diff --git a/test/blackbox/common/RTPSBlackboxTestsBasic.cpp b/test/blackbox/common/RTPSBlackboxTestsBasic.cpp +index c5cbb04..16f64ba 100644 +--- a/test/blackbox/common/RTPSBlackboxTestsBasic.cpp ++++ b/test/blackbox/common/RTPSBlackboxTestsBasic.cpp +@@ -445,6 +445,34 @@ TEST_P(RTPS, RTPSAsReliableWithRegistrationAndHolesInHistory) + } + + ++/* Regression Test for improving gaps processing ++ * https://github.com/eProsima/Fast-DDS/pull/3343 ++ */ ++TEST(RTPS, RTPSCorrectGAPProcessing) ++{ ++ RTPSWithRegistrationReader reader(TEST_TOPIC_NAME); ++ RTPSWithRegistrationWriter writer(TEST_TOPIC_NAME); ++ ++ reader.durability(eprosima::fastrtps::rtps::DurabilityKind_t::TRANSIENT_LOCAL). ++ reliability(eprosima::fastrtps::rtps::ReliabilityKind_t::RELIABLE).init(); ++ ++ ASSERT_TRUE(reader.isInitialized()); ++ ++ writer.durability(eprosima::fastrtps::rtps::DurabilityKind_t::TRANSIENT_LOCAL). ++ reliability(eprosima::fastrtps::rtps::ReliabilityKind_t::RELIABLE).init(); ++ ++ ASSERT_TRUE(writer.isInitialized()); ++ ++ reader.wait_discovery(); ++ writer.wait_discovery(); ++ ++ SequenceNumberSet_t seq_set(SequenceNumber_t(0, 0)); ++ ++ //! GAP Message check ++ RTPSReader& native_reader = reader.get_native_reader(); ++ ASSERT_NO_FATAL_FAILURE(native_reader.processGapMsg(writer.guid(), {0, 0}, seq_set)); ++} ++ + #ifdef INSTANTIATE_TEST_SUITE_P + #define GTEST_INSTANTIATE_TEST_MACRO(x, y, z, w) INSTANTIATE_TEST_SUITE_P(x, y, z, w) + #else +diff --git a/test/blackbox/common/RTPSWithRegistrationReader.hpp b/test/blackbox/common/RTPSWithRegistrationReader.hpp +index d0ec2d1..5fc3b1a 100644 +--- a/test/blackbox/common/RTPSWithRegistrationReader.hpp ++++ b/test/blackbox/common/RTPSWithRegistrationReader.hpp +@@ -433,6 +433,11 @@ public: + + #endif // if HAVE_SQLITE3 + ++ eprosima::fastrtps::rtps::RTPSReader& get_native_reader() const ++ { ++ return *reader_; ++ } ++ + private: + + void receive_one( +diff --git a/test/blackbox/common/RTPSWithRegistrationWriter.hpp b/test/blackbox/common/RTPSWithRegistrationWriter.hpp +index 79cc90e..1504271 100644 +--- a/test/blackbox/common/RTPSWithRegistrationWriter.hpp ++++ b/test/blackbox/common/RTPSWithRegistrationWriter.hpp +@@ -180,6 +180,11 @@ public: + matched_ = 0; + } + ++ const eprosima::fastrtps::rtps::GUID_t& guid() const ++ { ++ return writer_->getGuid(); ++ } ++ + bool isInitialized() const + { + return initialized_; diff -Nru fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39945_CVE-2023-39948.patch fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39945_CVE-2023-39948.patch --- fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39945_CVE-2023-39948.patch 1970-01-01 00:00:00.000000000 +0000 +++ fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39945_CVE-2023-39948.patch 2023-08-18 18:19:21.000000000 +0000 @@ -0,0 +1,720 @@ +From: =?utf-8?q?Timo_R=C3=B6hling?= +Date: Fri, 18 Aug 2023 20:07:22 +0200 +Subject: Capture all fastcdr exceptions + +Bug: https://github.com/eProsima/Fast-DDS/issues/3422 +Bug-Debian: https://bugs.debian.org/1043548 +Origin: https://github.com/eProsima/Fast-DDS/commit/d3db7244df4081ae630dea98b7b27eb96245d562 +--- + src/cpp/dynamic-types/DynamicPubSubType.cpp | 18 ++-- + .../builtin/typelookup/common/TypeLookupTypes.cpp | 40 +++++---- + src/cpp/rtps/transport/tcp/TCPControlMessage.cpp | 98 ++++++++++---------- + .../security/cryptography/AESGCMGMAC_Transform.cpp | 100 ++++++++++----------- + 4 files changed, 130 insertions(+), 126 deletions(-) + +diff --git a/src/cpp/dynamic-types/DynamicPubSubType.cpp b/src/cpp/dynamic-types/DynamicPubSubType.cpp +index 1a5d1ed..733b0a5 100644 +--- a/src/cpp/dynamic-types/DynamicPubSubType.cpp ++++ b/src/cpp/dynamic-types/DynamicPubSubType.cpp +@@ -104,15 +104,16 @@ bool DynamicPubSubType::deserialize( + eprosima::fastcdr::FastBuffer fastbuffer((char*)payload->data, payload->length); // Object that manages the raw buffer. + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { +- ((DynamicData*)data)->deserialize(deser); //Deserialize the object: ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; ++ //Deserialize the object: ++ ((DynamicData*)data)->deserialize(deser); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch (eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -179,14 +180,13 @@ bool DynamicPubSubType::serialize( + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, eprosima::fastcdr::Cdr::DDS_CDR); + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + +- // Serialize encapsulation +- ser.serialize_encapsulation(); +- + try + { ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); + ((DynamicData*)data)->serialize(ser); // Serialize the object: + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch (eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +diff --git a/src/cpp/fastdds/builtin/typelookup/common/TypeLookupTypes.cpp b/src/cpp/fastdds/builtin/typelookup/common/TypeLookupTypes.cpp +index c17b5a2..d1424df 100644 +--- a/src/cpp/fastdds/builtin/typelookup/common/TypeLookupTypes.cpp ++++ b/src/cpp/fastdds/builtin/typelookup/common/TypeLookupTypes.cpp +@@ -1204,14 +1204,15 @@ bool TypeLookup_RequestTypeSupport::serialize( + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; +- // Serialize encapsulation +- ser.serialize_encapsulation(); + + try + { +- type->serialize(ser); // Serialize the object: ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); ++ // Serialize the object ++ type->serialize(ser); + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch (eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -1229,15 +1230,16 @@ bool TypeLookup_RequestTypeSupport::deserialize( + eprosima::fastcdr::FastBuffer fastbuffer((char*)payload->data, payload->max_size); + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { +- p_type->deserialize(deser); //Deserialize the object: ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; ++ // Deserialize the object ++ p_type->deserialize(deser); + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch (eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -1302,14 +1304,15 @@ bool TypeLookup_ReplyTypeSupport::serialize( + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; +- // Serialize encapsulation +- ser.serialize_encapsulation(); + + try + { +- type->serialize(ser); // Serialize the object: ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); ++ // Serialize the object ++ type->serialize(ser); + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch (eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -1326,15 +1329,16 @@ bool TypeLookup_ReplyTypeSupport::deserialize( + eprosima::fastcdr::FastBuffer fastbuffer(reinterpret_cast(payload->data), payload->length); // Object that manages the raw buffer. + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { +- p_type->deserialize(deser); //Deserialize the object: ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; ++ // Deserialize the object ++ p_type->deserialize(deser); + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch (eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +diff --git a/src/cpp/rtps/transport/tcp/TCPControlMessage.cpp b/src/cpp/rtps/transport/tcp/TCPControlMessage.cpp +index 17cb8f0..d172bf2 100644 +--- a/src/cpp/rtps/transport/tcp/TCPControlMessage.cpp ++++ b/src/cpp/rtps/transport/tcp/TCPControlMessage.cpp +@@ -201,14 +201,14 @@ bool ConnectionRequest_t::serialize(SerializedPayload_t *payload) + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that serializes the data. + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; +- // Serialize encapsulation +- ser.serialize_encapsulation(); + + try + { ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); + p_type->serialize(ser); // Serialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -223,15 +223,15 @@ bool ConnectionRequest_t::deserialize(SerializedPayload_t* payload) + eprosima::fastcdr::FastBuffer fastbuffer((char*) payload->data, payload->length + 4); // Object that manages the raw buffer. + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + p_type->deserialize(deser); //Deserialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -322,14 +322,14 @@ bool OpenLogicalPortRequest_t::serialize(SerializedPayload_t *payload) + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that serializes the data. + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; +- // Serialize encapsulation +- ser.serialize_encapsulation(); + + try + { ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); + p_type->serialize(ser); // Serialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -344,15 +344,15 @@ bool OpenLogicalPortRequest_t::deserialize(SerializedPayload_t* payload) + eprosima::fastcdr::FastBuffer fastbuffer((char*) payload->data, payload->length + 4); // Object that manages the raw buffer. + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + p_type->deserialize(deser); //Deserialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -443,14 +443,14 @@ bool CheckLogicalPortsRequest_t::serialize(SerializedPayload_t *payload) + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that serializes the data. + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; +- // Serialize encapsulation +- ser.serialize_encapsulation(); + + try + { ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); + p_type->serialize(ser); // Serialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -465,15 +465,15 @@ bool CheckLogicalPortsRequest_t::deserialize(SerializedPayload_t* payload) + eprosima::fastcdr::FastBuffer fastbuffer((char*) payload->data, payload->length + 4); // Object that manages the raw buffer. + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + p_type->deserialize(deser); //Deserialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -564,14 +564,14 @@ bool KeepAliveRequest_t::serialize(SerializedPayload_t *payload) + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that serializes the data. + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; +- // Serialize encapsulation +- ser.serialize_encapsulation(); + + try + { ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); + p_type->serialize(ser); // Serialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -586,15 +586,15 @@ bool KeepAliveRequest_t::deserialize(SerializedPayload_t* payload) + eprosima::fastcdr::FastBuffer fastbuffer((char*) payload->data, payload->length + 4); // Object that manages the raw buffer. + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + p_type->deserialize(deser); //Deserialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -685,14 +685,14 @@ bool LogicalPortIsClosedRequest_t::serialize(SerializedPayload_t *payload) + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that serializes the data. + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; +- // Serialize encapsulation +- ser.serialize_encapsulation(); + + try + { ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); + p_type->serialize(ser); // Serialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -707,15 +707,15 @@ bool LogicalPortIsClosedRequest_t::deserialize(SerializedPayload_t* payload) + eprosima::fastcdr::FastBuffer fastbuffer((char*) payload->data, payload->length + 4); // Object that manages the raw buffer. + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + p_type->deserialize(deser); //Deserialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -1429,14 +1429,14 @@ bool BindConnectionResponse_t::serialize(SerializedPayload_t *payload) + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that serializes the data. + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; +- // Serialize encapsulation +- ser.serialize_encapsulation(); + + try + { ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); + p_type->serialize(ser); // Serialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -1451,15 +1451,15 @@ bool BindConnectionResponse_t::deserialize(SerializedPayload_t* payload) + eprosima::fastcdr::FastBuffer fastbuffer((char*) payload->data, payload->length + 4); // Object that manages the raw buffer. + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + p_type->deserialize(deser); //Deserialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -1550,14 +1550,14 @@ bool CheckLogicalPortsResponse_t::serialize(SerializedPayload_t *payload) + eprosima::fastcdr::Cdr ser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that serializes the data. + payload->encapsulation = ser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; +- // Serialize encapsulation +- ser.serialize_encapsulation(); + + try + { ++ // Serialize encapsulation ++ ser.serialize_encapsulation(); + p_type->serialize(ser); // Serialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +@@ -1572,15 +1572,15 @@ bool CheckLogicalPortsResponse_t::deserialize(SerializedPayload_t* payload) + eprosima::fastcdr::FastBuffer fastbuffer((char*) payload->data, payload->length + 4); // Object that manages the raw buffer. + eprosima::fastcdr::Cdr deser(fastbuffer, eprosima::fastcdr::Cdr::DEFAULT_ENDIAN, + eprosima::fastcdr::Cdr::DDS_CDR); // Object that deserializes the data. +- // Deserialize encapsulation. +- deser.read_encapsulation(); +- payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + + try + { ++ // Deserialize encapsulation. ++ deser.read_encapsulation(); ++ payload->encapsulation = deser.endianness() == eprosima::fastcdr::Cdr::BIG_ENDIANNESS ? CDR_BE : CDR_LE; + p_type->deserialize(deser); //Deserialize the object: + } +- catch(eprosima::fastcdr::exception::NotEnoughMemoryException& /*exception*/) ++ catch(eprosima::fastcdr::exception::Exception& /*exception*/) + { + return false; + } +diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp +index 17493d7..612df08 100644 +--- a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp ++++ b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp +@@ -128,9 +128,9 @@ bool AESGCMGMAC_Transform::encode_serialized_payload( + serialize_SecureDataHeader(serializer, keyMat.transformation_kind, + keyMat.sender_key_id, session_id, initialization_vector_suffix); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataHeader"); + return false; + } + +@@ -145,9 +145,9 @@ bool AESGCMGMAC_Transform::encode_serialized_payload( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataBody"); + return false; + } + +@@ -160,9 +160,9 @@ bool AESGCMGMAC_Transform::encode_serialized_payload( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataTag"); + return false; + } + +@@ -255,9 +255,9 @@ bool AESGCMGMAC_Transform::encode_datawriter_submessage( + serializer << length; + serializer.setState(current_state); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException& ) ++ catch (eprosima::fastcdr::exception::Exception& ) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataHeader"); + return false; + } + +@@ -273,9 +273,9 @@ bool AESGCMGMAC_Transform::encode_datawriter_submessage( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataBody"); + return false; + } + +@@ -302,9 +302,9 @@ bool AESGCMGMAC_Transform::encode_datawriter_submessage( + serializer << length; + serializer.setState(current_state); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataTag"); + return false; + } + +@@ -395,9 +395,9 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( + serializer << length; + serializer.setState(current_state); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataHeader"); + return false; + } + +@@ -414,9 +414,9 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataBody"); + return false; + } + +@@ -444,9 +444,9 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( + serializer << length; + serializer.setState(current_state); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataTag"); + return false; + } + +@@ -536,9 +536,9 @@ bool AESGCMGMAC_Transform::encode_rtps_message( + serializer << length; + serializer.setState(current_state); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataHeader"); + return false; + } + +@@ -555,9 +555,9 @@ bool AESGCMGMAC_Transform::encode_rtps_message( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataBody"); + return false; + } + +@@ -584,9 +584,9 @@ bool AESGCMGMAC_Transform::encode_rtps_message( + serializer << length; + serializer.setState(current_state); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to serialize SecureDataTag"); + return false; + } + +@@ -672,9 +672,9 @@ bool AESGCMGMAC_Transform::decode_rtps_message( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataHeader"); + return false; + } + +@@ -701,9 +701,9 @@ bool AESGCMGMAC_Transform::decode_rtps_message( + { + is_encrypted = predeserialize_SecureDataBody(decoder, body_length, body_align); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataBody header"); + return false; + } + +@@ -784,9 +784,9 @@ bool AESGCMGMAC_Transform::decode_rtps_message( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataTag length"); + return false; + } + +@@ -873,9 +873,9 @@ bool AESGCMGMAC_Transform::preprocess_secure_submsg( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataHeader"); + return false; + } + +@@ -1035,9 +1035,9 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataHeader"); + return false; + } + +@@ -1068,9 +1068,9 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( + { + is_encrypted = predeserialize_SecureDataBody(decoder, body_length, body_align); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataBody header"); + return false; + } + +@@ -1122,9 +1122,9 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataTag length"); + return false; + } + +@@ -1215,9 +1215,9 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataHeader"); + return false; + } + +@@ -1248,9 +1248,9 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( + { + is_encrypted = predeserialize_SecureDataBody(decoder, body_length, body_align); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataBody header"); + return false; + } + +@@ -1302,9 +1302,9 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( + return false; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataTag length"); + return false; + } + +@@ -1370,9 +1370,9 @@ bool AESGCMGMAC_Transform::decode_serialized_payload( + { + header = deserialize_SecureDataHeader(decoder); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataHeader"); + return false; + } + +@@ -1417,9 +1417,9 @@ bool AESGCMGMAC_Transform::decode_serialized_payload( + body_length -= sizeof(uint32_t) + 16; + } + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataBody header"); + return false; + } + +@@ -1430,9 +1430,9 @@ bool AESGCMGMAC_Transform::decode_serialized_payload( + { + deserialize_SecureDataTag(decoder, tag, {}, {}, {}, {}, {}, 0, exception); + } +- catch (eprosima::fastcdr::exception::NotEnoughMemoryException&) ++ catch (eprosima::fastcdr::exception::Exception&) + { +- logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); ++ logError(SECURITY_CRYPTO, "Error in fastcdr trying to deserialize SecureDataTag length"); + return false; + } + diff -Nru fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39946_CVE-2023-39947.patch fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39946_CVE-2023-39947.patch --- fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39946_CVE-2023-39947.patch 1970-01-01 00:00:00.000000000 +0000 +++ fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39946_CVE-2023-39947.patch 2023-08-18 18:19:21.000000000 +0000 @@ -0,0 +1,97 @@ +From: =?utf-8?q?Timo_R=C3=B6hling?= +Date: Fri, 18 Aug 2023 20:09:02 +0200 +Subject: Improve validation on PID_PROPERTY_LIST deserialization + +Bug: https://github.com/eProsima/Fast-DDS/pull/3670 +Bug-Debian: https://bugs.debian.org/1043548 +Origin: https://github.com/eProsima/Fast-DDS/commit/7c1c611f2f70ec238fbde30a9ed044d99191e4fb +--- + .../fastdds/core/policy/ParameterSerializer.hpp | 53 +++++++++++++++++----- + 1 file changed, 42 insertions(+), 11 deletions(-) + +diff --git a/src/cpp/fastdds/core/policy/ParameterSerializer.hpp b/src/cpp/fastdds/core/policy/ParameterSerializer.hpp +index 79d4627..8d855c7 100644 +--- a/src/cpp/fastdds/core/policy/ParameterSerializer.hpp ++++ b/src/cpp/fastdds/core/policy/ParameterSerializer.hpp +@@ -634,39 +634,70 @@ inline bool ParameterSerializer::read_content_from_cdr_ + parameter.length = parameter_length; + + uint32_t pos_ref = cdr_message->pos; ++ uint32_t max_pos = pos_ref + parameter_length; ++ uint32_t remain = parameter_length; ++ if ((max_pos > cdr_message->length) || (remain < sizeof(uint32_t))) ++ { ++ return false; ++ } ++ + uint32_t num_properties = 0; + bool valid = fastrtps::rtps::CDRMessage::readUInt32(cdr_message, &num_properties); ++ remain -= sizeof(uint32_t); + if (!valid) + { + return false; + } +- //properties_.reserve(parameter_length - 4); + +- for (size_t i = 0; i < num_properties; ++i) ++ for (uint32_t i = 0; i < num_properties; ++i) + { +- uint32_t property1_size = 0, alignment1 = 0, property2_size = 0, alignment2 = 0, str1_pos = 0; ++ uint32_t property1_size = 0, alignment1 = 0, property2_size = 0, alignment2 = 0, str1_pos = 0, str2_pos = 0; + +- valid &= fastrtps::rtps::CDRMessage::readUInt32(cdr_message, &property1_size); ++ // Read and validate size of property name ++ remain = max_pos - cdr_message->pos; ++ valid &= (remain >= sizeof(uint32_t)) && fastrtps::rtps::CDRMessage::readUInt32(cdr_message, &property1_size); ++ remain -= sizeof(uint32_t); ++ valid = valid && (remain >= property1_size); + if (!valid) + { + return false; + } ++ + str1_pos = cdr_message->pos; ++ cdr_message->pos += property1_size; ++ remain -= property1_size; + alignment1 = ((property1_size + 3u) & ~3u) - property1_size; +- cdr_message->pos += (property1_size + alignment1); +- valid &= fastrtps::rtps::CDRMessage::readUInt32(cdr_message, &property2_size); ++ if (remain < alignment1) ++ { ++ return false; ++ } ++ cdr_message->pos += alignment1; ++ remain -= alignment1; ++ ++ // Read and validate size of property value ++ valid &= (remain >= sizeof(uint32_t)) && fastrtps::rtps::CDRMessage::readUInt32(cdr_message, &property2_size); ++ remain -= sizeof(uint32_t); ++ valid = valid && (remain >= property2_size); + if (!valid) + { + return false; + } +- parameter.push_back( +- &cdr_message->buffer[str1_pos], property1_size, +- &cdr_message->buffer[cdr_message->pos], property2_size); + ++ str2_pos = cdr_message->pos; ++ cdr_message->pos += property2_size; ++ remain -= property2_size; + alignment2 = ((property2_size + 3u) & ~3u) - property2_size; +- cdr_message->pos += (property2_size + alignment2); ++ if (remain < alignment2) ++ { ++ return false; ++ } ++ cdr_message->pos += alignment2; ++ remain -= alignment2; ++ ++ parameter.push_back( ++ &cdr_message->buffer[str1_pos], property1_size, ++ &cdr_message->buffer[str2_pos], property2_size); + } +- //Nproperties_ = num_properties; + + uint32_t length_diff = cdr_message->pos - pos_ref; + valid &= (parameter_length == length_diff); diff -Nru fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39949.patch fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39949.patch --- fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39949.patch 1970-01-01 00:00:00.000000000 +0000 +++ fastdds-2.1.0+ds/debian/patches/backports/CVE-2023-39949.patch 2023-08-18 18:19:21.000000000 +0000 @@ -0,0 +1,28 @@ +From: =?utf-8?q?Timo_R=C3=B6hling?= +Date: Fri, 18 Aug 2023 20:09:55 +0200 +Subject: Implement a validity check for firstSN + +Bug: https://github.com/eProsima/Fast-DDS/issues/3236 +Origin: https://github.com/eProsima/Fast-DDS/commit/3aa3ee0259deaebe3d578e0ec200947bdfe7d06f +--- + src/cpp/rtps/messages/MessageReceiver.cpp | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/cpp/rtps/messages/MessageReceiver.cpp b/src/cpp/rtps/messages/MessageReceiver.cpp +index 46fe7c9..98241bc 100644 +--- a/src/cpp/rtps/messages/MessageReceiver.cpp ++++ b/src/cpp/rtps/messages/MessageReceiver.cpp +@@ -1021,6 +1021,13 @@ bool MessageReceiver::proc_Submsg_Heartbeat( + SequenceNumber_t lastSN; + CDRMessage::readSequenceNumber(msg, &firstSN); + CDRMessage::readSequenceNumber(msg, &lastSN); ++ ++ SequenceNumber_t zeroSN; ++ if (firstSN <= zeroSN) ++ { ++ logWarning(RTPS_MSG_IN, IDSTRING "Invalid Heartbeat received (" << firstSN << " <= 0), ignoring"); ++ return false; ++ } + if (lastSN < firstSN && lastSN != firstSN - 1) + { + logWarning(RTPS_MSG_IN, IDSTRING "Invalid Heartbeat received (" << firstSN << ") - (" << diff -Nru fastdds-2.1.0+ds/debian/patches/series fastdds-2.1.0+ds/debian/patches/series --- fastdds-2.1.0+ds/debian/patches/series 2021-01-29 11:32:10.000000000 +0000 +++ fastdds-2.1.0+ds/debian/patches/series 2023-08-18 18:19:21.000000000 +0000 @@ -14,3 +14,8 @@ 0014-Include-cstdlib-for-macro-definition-of-EXIT_FAILURE.patch 0015-Link-tests-against-libatomic-where-needed.patch 0016-Do-not-import-fast-server-discovery-target.patch +backports/CVE-2023-39534.patch +backports/CVE-2023-39945_CVE-2023-39948.patch +backports/CVE-2023-39946_CVE-2023-39947.patch +backports/CVE-2023-39949.patch +backports/CVE-2021-38425.patch