Description
Fast-DDS crashes in XMLProfileManager::loadDefaultXMLFile() when running inside x86_64 Docker containers. The crash occurs during DDS participant initialization, before any user code interacts with the XML configuration.
Environment
- Architecture: x86_64
- Platform: Docker containers (Ubuntu-based)
- ROS2 Distro: Humble (also observed in Jazzy-based containers rebuilding Fast-DDS from the 2.6.x branch)
- Fast-DDS version: 2.6.x branch (built from source via https://github.com/eProsima/Fast-DDS.git, branch 2.6.x)
- Fast-CDR version: 1.0.x branch
Workaround
The following environment variables prevent the crash:
ENV SKIP_DEFAULT_XML_FILE=1
ENV FASTDDS_BUILTIN_TRANSPORTS=DEFAULT
We also set LD_PRELOAD=/lib/x86_64-linux-gnu/libgcc_s.so.1 to work around a related libunwind/libgcc_s exception-handling conflict that also causes crashes in Docker environments (filed separately as #6330).
Root Cause Analysis
We audited the 2.6.x XML parser code and found several null-dereference bugs that are present on 2.6.x but have been fixed on newer branches (master, 2.10.x+). The master-branch fixes cannot be cherry-picked because the Dynamic Types API was completely rewritten between 2.6.x and 2.10.x.
The specific bugs found:
- parseXMLConsumer() in XMLParser.cpp: four locations where TinyXML2::GetText() can return nullptr, which is then passed to a std::string constructor (undefined behavior, typically a segfault). This is the most likely crash path via loadDefaultXMLFile() → parseLogConfig() → parseXMLConsumer().
- parseXMLUnionDynamicType() in XMLDynamicParser.cpp: Attribute(TYPE) can return nullptr when the discriminator element lacks a type attribute. The null pointer is passed to a function taking const std::string&.
- extractXxxProfile() methods in XMLProfileManager.cpp: six dynamic_cast results are dereferenced without null checks.
These bugs correspond to the same class of issues found by oss-fuzz on master (PRs #4961, #5007, #5080, #5565, #5668) but in 2.6.x-specific code paths.
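The three bug classes above share one shape: a pointer-returning call (GetText(), Attribute(), dynamic_cast) whose null result is consumed without a check. The following is an added example, not Fast-DDS code, showing the unsafe pattern beside the hardened form. It uses a minimal stand-in struct (FakeElement) for tinyxml2::XMLElement and stand-in profile types, since TinyXML2 is not linked here; both are assumptions, but the null-return behavior mirrors the real API (GetText() is nullptr for an element without a text node, Attribute() is nullptr for a missing attribute).

```cpp
#include <cassert>
#include <map>
#include <string>

// Stand-in for tinyxml2::XMLElement (assumption: real TinyXML2 is not linked here).
// Like the real API, GetText() yields nullptr when the element has no text child and
// Attribute(name) yields nullptr when the attribute is absent.
struct FakeElement {
    std::string text;                                // empty means "no text node"
    std::map<std::string, std::string> attrs;
    const char* GetText() const { return text.empty() ? nullptr : text.c_str(); }
    const char* Attribute(const char* name) const {
        auto it = attrs.find(name);
        return it == attrs.end() ? nullptr : it->second.c_str();
    }
};

// Unsafe pattern in the shape the report describes: constructing std::string from a
// possibly-null const char* is undefined behavior (typically SIGSEGV). Shown for contrast
// only; nothing below calls it.
std::string unsafe_text(const FakeElement& e) {
    return std::string(e.GetText());
}

// Hardened: check the pointer first and report absence to the caller.
bool read_text(const FakeElement& e, std::string& out) {
    const char* t = e.GetText();
    if (t == nullptr) return false;
    out = t;
    return true;
}

// Same treatment for attributes (the parseXMLUnionDynamicType() discriminator case).
bool read_attribute(const FakeElement& e, const char* name, std::string& out) {
    const char* v = e.Attribute(name);
    if (v == nullptr) return false;
    out = v;
    return true;
}

// Mirrors the parseXMLConsumer() step that reads the consumer class name from an
// element's text. Returns 0 on success, 1 on a malformed element (instead of crashing).
int parse_consumer(const FakeElement* class_elem, std::string& consumer_name) {
    if (class_elem == nullptr) return 1;
    if (!read_text(*class_elem, consumer_name)) return 1;   // missing text: error, not UB
    return 0;
}

// Stand-in profile hierarchy for the extractXxxProfile() dynamic_cast pattern (assumption).
struct BaseProfile { virtual ~BaseProfile() = default; };
struct ParticipantProfile : BaseProfile { int domain_id = 0; };
struct PublisherProfile : BaseProfile {};

// A failed dynamic_cast (wrong profile kind, or a null input) returns nullptr; the
// hardened form reports that instead of dereferencing it.
bool extract_participant_domain(const BaseProfile* p, int& domain_out) {
    const auto* pp = dynamic_cast<const ParticipantProfile*>(p);
    if (pp == nullptr) return false;
    domain_out = pp->domain_id;
    return true;
}

// Constructed sample elements: one with a text node, one with only a type attribute.
FakeElement sample_class_element() { return FakeElement{"StdoutConsumer", {}}; }
FakeElement sample_discriminator() { return FakeElement{"", {{"type", "int32"}}}; }
```

The design point is that every pointer-returning XML call becomes a bool-returning read, so a malformed or unexpected default XML file surfaces as a parse error that the caller can log, rather than a crash during participant initialization.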
Fix
We are submitting a PR with fixes for all identified null-dereference bugs on the 2.6.x branch.
References
- … SKIP_DEFAULT_XML_FILE environment variable)
- parseXMLMemberDynamicType #5565
- [22843]+[22844] Solve fuzz XMLParser Null-dereference #5668