
Added tampered buffer deserialization tests

Open MiguelCompany opened this issue 4 years ago • 2 comments

Add tests for deserialization of a corrupted buffer.

The message type has been chosen on purpose to be UnboundedSequences in order to check the fixes on ros2/rmw_fastrtps#505 and eProsima/Fast-CDR#98.

They perform the following sequence:

  1. Serialization of a default-constructed UnboundedSequences message. This would produce a buffer with a lot of zero bytes indicating the length of each sequence, which is 0.
  2. Modify the resulting buffer to all FF's. This may produce crashes, as they will be interpreted as sequences of 2^32 - 1 elements, and either allocation errors or access beyond the end of the serialized buffer may occur.
  3. Expect the deserialization to fail.

These tests fail with rmw_fastrtps_cpp and rmw_fastrtps_dynamic_cpp unless Fast CDR is updated to v1.0.19 and ros2/rmw_fastrtps#505 is applied.

These new tests fail locally on rmw_cyclonedds, so it may need to be updated.

MiguelCompany avatar Feb 03 '21 15:02 MiguelCompany
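
The length check that the test sequence above exercises, as an added example that is not part of the original post and is not Fast CDR or rmw code. `Reader`, `deserialize` and `tampered_buffer_is_rejected` are hypothetical names, and the wire layout is simplified to a little-endian payload of consecutive `sequence<uint32>` fields with no encapsulation header or padding.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical minimal reader (assumption: little-endian host and payload).
struct Reader {
  const uint8_t * data;
  size_t size;
  size_t pos;
  size_t remaining() const { return size - pos; }

  bool read_u32(uint32_t & out) {
    if (remaining() < sizeof(out)) return false;  // truncated buffer
    std::memcpy(&out, data + pos, sizeof(out));
    pos += sizeof(out);
    return true;
  }
  // Reads a sequence<uint32>: 4-byte element count, then the elements.
  bool read_u32_sequence(std::vector<uint32_t> & out) {
    uint32_t count = 0;
    if (!read_u32(count)) return false;
    // Reject a count the buffer cannot back before allocating; dividing
    // avoids the overflow that count * sizeof(uint32_t) could hit.
    if (count > remaining() / sizeof(uint32_t)) return false;
    out.resize(count);
    if (count != 0) std::memcpy(out.data(), data + pos, count * sizeof(uint32_t));
    pos += count * sizeof(uint32_t);
    return true;
  }
};

// Deserializes a message of `fields` consecutive sequence<uint32> members.
bool deserialize(const std::vector<uint8_t> & buf, size_t fields,
                 std::vector<std::vector<uint32_t>> & msg) {
  Reader r{buf.data(), buf.size(), 0};
  msg.assign(fields, std::vector<uint32_t>{});
  for (auto & seq : msg) if (!r.read_u32_sequence(seq)) return false;
  return r.remaining() == 0;
}

// Constructed stand-in for steps 1-3: all-zero lengths, then all 0xFF bytes.
bool tampered_buffer_is_rejected(size_t fields) {
  std::vector<uint8_t> buf(fields * sizeof(uint32_t), 0x00);  // every length 0
  std::vector<std::vector<uint32_t>> msg;
  if (!deserialize(buf, fields, msg)) return false;  // clean buffer must parse
  std::memset(buf.data(), 0xFF, buf.size());          // tamper: counts become 2^32 - 1
  return !deserialize(buf, fields, msg);
}
```
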

@eboasson FYI, it seems there is an issue on rmw_cyclonedds with the deserialization of corrupted buffers.

MiguelCompany avatar Feb 03 '21 15:02 MiguelCompany

@eboasson FYI, it seems there is an issue on rmw_cyclonedds with the deserialization of corrupted buffers.

Thanks, yes, the ROS2-specific deserialiser is a bit cavalier. The planned cleanup still hasn't happened.

eboasson avatar Feb 03 '21 15:02 eboasson