Skip to content

Remote memory corruption in DDS Security key material deserialization (dds.sec.participant_crypto_tokens) in Fast DDS #6345

Open
Open
Remote memory corruption in DDS Security key material deserialization (dds.sec.participant_crypto_tokens) in Fast DDS#6345
Labels
triageIssue pending classification
@Fuzz0X

Description

@Fuzz0X
Fuzz0X
opened on Mar 23, 2026

Is there an already existing issue for this?

  • I have searched the existing issues

Expected behavior

  • Malformed dds.cryp.keymat payloads must be rejected safely.
  • The parser must validate minimum length before fixed-offset reads.
  • The parser must validate per-field boundaries before each memcpy.
  • Invalid token payloads must return an error (false/exception), not crash the process.

Current behavior

  • KeyMaterialCDRDeserialize() reads data[3] without checking CDR->size() >= 4.
  • Multiple memcpy calls use attacker-controlled key_len without checking source or destination bounds.
  • This can cause deterministic crashes (DoS), with both OOB read and OOB write conditions reachable from network token data.

Steps to reproduce

  1. Configure and build Fast DDS with security enabled:
  cmake -S . -B build -DSECURITY=ON -DCMAKE_BUILD_TYPE=RelWithDebInfo
  cmake --build build -j
  1. Run two DDS participants with security enabled in the same domain (victim + attacker-capable participant).
  2. Complete discovery/authentication (dds.sec.auth) so the target processes secure volatile messages.
  3. Send a ParticipantGenericMessage to victim with:
  - message_class_id = "dds.sec.participant_crypto_tokens"
  - message_data containing one crypto token
  - token class_id = "DDS:Crypto:AES_GCM_GMAC"
  - token binary_properties[0].name = "dds.cryp.keymat"
  - token binary_properties[0].value crafted malformed bytes
  1. Use either payload shape:
  - OOB read trigger: value.size() < 4 (for example 3 bytes).
  - OOB write trigger: set kind != 0, then set key_len > 32 in parsed key material fields.
  1. Observe crash when victim parses token and enters KeyMaterialCDRDeserialize().

Fast DDS version/commit

  • Project version in tree: 3.5.0.0 from CMakeLists.txt:31
  • Tested repository commit: e8c9e8b
  • Short commit: e8c9e8b
  • Branch: master
  • git describe: v2.10.1-rc1-825-ge8c9e8bf4

Platform/Architecture

Other. Please specify in Additional context section.

Transport layer

Default configuration, UDPv4 & SHM

Additional context

Platform/architecture

  - OS: Linux 6.8.0-101-generic (Ubuntu 22.04 line)
  - Architecture: x86_64 (little-endian)

Affected component

  - DDS Security cryptography key exchange parser:
    src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp

Source locations (trigger path)

- Vulnerable function:
  src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp:460
- Unchecked fixed offset read:
  src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp:472
- Unbounded copies:
  src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp:495
  src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp:508
  src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp:527
- Destination buffers are fixed-size 32 bytes:
  src/cpp/security/cryptography/AESGCMGMAC_Types.h:80
- Remote entry point:
  src/cpp/rtps/security/SecurityManager.cpp:1682
- Message class dispatch:
  src/cpp/rtps/security/SecurityManager.cpp:1726
- Call into vulnerable parser path:
  src/cpp/rtps/security/SecurityManager.cpp:1783
  src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp:143
- Protocol deserialization allows arbitrary octet-vector lengths:
  src/cpp/rtps/messages/CDRMessage.cpp:416
  src/cpp/rtps/messages/CDRMessage.cpp:889
  src/cpp/rtps/messages/CDRMessage.cpp:1275

Concrete trigger flow (runtime interaction)

  1. Authentication message class dds.sec.auth is exchanged via stateless secure message path.
  2. Participant is authorized and crypto endpoint is matched.
  3. Participant crypto token messages (dds.sec.participant_crypto_tokens) are exchanged on volatile secure message path.
  4. Victim receives attacker token and calls set_remote_participant_crypto_tokens().
  5. Token binary_properties[0].value is passed to KeyMaterialCDRDeserialize() without semantic length validation.
  6. Parser performs unchecked read/copy and crashes.
    ``

Impact

  • Remote denial of service against security-enabled Fast DDS participants.
  • Crash can be triggered through protocol data in crypto-token processing path.
  • Memory corruption is present in parser logic; practical exploitability beyond DoS depends on build/runtime hardening.

XML configuration file



Relevant log output


## Related log output (observed)

  ASan run (short payload, OOB read):

  ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 1
  #0 KeyMaterialCDRDeserialize /tmp/fastdds_keymat_poc.cpp:24
  SUMMARY: AddressSanitizer: heap-buffer-overflow in KeyMaterialCDRDeserialize

  ASan run (oversized key_len, OOB write):

  ERROR: AddressSanitizer: stack-buffer-overflow
  WRITE of size 200
  #0 __interceptor_memcpy
  #2 KeyMaterialCDRDeserialize /tmp/fastdds_keymat_poc.cpp:38
  SUMMARY: AddressSanitizer: stack-buffer-overflow in __interceptor_memcpy

  Non-ASan optimized run:

  *** stack smashing detected ***: terminated


Network traffic capture


No response
Metadata
Metadata
Assignees
No one assigned
    Labels
    triageIssue pending classification
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions