
Segmentation Fault in EVS module

Open mirkobitetto opened this issue 9 months ago • 2 comments

Checklist (Please check before submitting)

  • [x] I reviewed the Contributing Guide.
  • [x] I performed a cursory search to see if the bug report is relevant, not redundant, nor in conflict with other tickets.

Describe the bug

While fuzzing the cFS framework, I encountered a crash that appears to originate in the EVS_SendViaPorts function.

The issue arises when a specific sequence of packets is processed by the CI_LAB application, leading to a SIGSEGV in the EVS module.

To Reproduce

Steps to reproduce the behavior:

  1. Compile and run cFS using the instructions provided below.
  2. Send the two specific malformed packets in sequence to the CI_LAB UDP port.
  3. Observe a segmentation fault occurring in the EVS_SendViaPorts function.

For security reasons, the exact packet contents are not included here. I’ve opted to share the packet contents privately with the core maintainers.

However, I’ve attached a short demonstration video to show the crash happening in real time.

https://github.com/user-attachments/assets/66e85185-1900-44ff-917c-74a3e9e297cb

Expected behavior

  • The application crashes with a SIGSEGV in EVS_SendViaPorts.

Build & Run Steps (Unmodified cFS)

make distclean                 # Optional: clean build
make SIMULATION=native prep
make
make install
cd build/exe/cpu1/
./core-cpu1

System observed on:

  • cFS version: equuleus-rc1, commit 0ba1faa
  • Modules involved: CI_LAB, EVS, SB
  • Platform: Native Linux (x86_64)
  • Build options: Default; no patches applied

Reporter Info

Mirko Bitetto, MSc Student @ Politecnico di Milano

mirkobitetto, Apr 30 '25 21:04

@mirkobitetto During fuzzy testing you may want to enable the address sanitizer to create more crashes. See https://github.com/nasa/cFS/issues/849

thesamprice, May 13 '25 15:05

Proposed Fix

To mitigate the risk of DoS attacks due to malformed UDP packets, we can implement robust validation and error handling mechanisms in the UDP packet processing code.

  1. Modify UDP Packet Handling to Include Validation

In the UDP packet processing module, introduce checks to validate the integrity and structure of incoming packets before processing them.

```c
// In UDP packet processing module

#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_PACKET_SIZE 1024

// Structure representing a UDP packet
typedef struct {
    uint16_t header;
    uint16_t length;               // number of valid payload bytes in data[]
    uint8_t  data[MAX_PACKET_SIZE];
} UdpPacket;

// Function to validate the integrity of a UDP packet
bool validate_udp_packet(const UdpPacket *packet)
{
    // Check for null pointer
    if (packet == NULL) {
        return false;
    }

    // Validate the length field: it counts payload bytes, so it must fit in
    // data[]. A lower bound of sizeof(UdpPacket) would reject every packet,
    // because the whole struct is larger than MAX_PACKET_SIZE.
    if (packet->length > MAX_PACKET_SIZE) {
        return false;
    }

    // Additional validation checks can be added here

    return true;
}

// Function to process a UDP packet
void process_udp_packet(const UdpPacket *packet)
{
    if (!validate_udp_packet(packet)) {
        // Log error and discard invalid packet
        printf("Invalid UDP packet received. Discarding.\n");
        return;
    }

    // Proceed with processing the valid packet
    // ...
}
```

  2. Explanation

What this does: The validate_udp_packet function checks the integrity of incoming UDP packets by verifying their header and length fields. If a packet fails validation, it's discarded, preventing potential DoS attacks.

Why this fixes it: By ensuring that only well-formed packets are processed, we prevent malformed packets from causing crashes or unresponsiveness in the system.
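The validation step sketched in the comment above, worked through as an added example that is not part of the issue, the comment, or the cFS code base. The one check that actually stops a crash of this kind is the comparison between what the header claims and what the socket delivered, so the example operates on the raw datagram rather than on an already-typed struct. It assumes the datagram carries a CCSDS space-packet primary header (6 bytes, big-endian, version bits 0, length field defined as the number of octets after the primary header minus one) and a hypothetical MAX_INGEST_BYTES receive-buffer limit; the sample datagrams are constructed for the example and the APID in them is arbitrary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CCSDS_PRI_HDR_LEN 6u    /* CCSDS space packet primary header size */
#define MAX_INGEST_BYTES 1024u  /* hypothetical receive-buffer limit (assumption) */

typedef enum {
    PKT_OK = 0,
    PKT_NULL,
    PKT_TOO_SHORT,      /* datagram shorter than the primary header */
    PKT_TOO_LONG,       /* datagram larger than the receive buffer */
    PKT_BAD_VERSION,    /* version bits must be 0 for a space packet */
    PKT_LEN_MISMATCH    /* header length field disagrees with bytes received */
} PktStatus;

static uint16_t rd16be(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Validate a raw datagram before anything downstream trusts its header.
 * received_len is the byte count returned by recvfrom(), not a header field. */
PktStatus validate_ccsds_datagram(const uint8_t *buf, size_t received_len)
{
    if (buf == NULL) return PKT_NULL;
    if (received_len < CCSDS_PRI_HDR_LEN) return PKT_TOO_SHORT;
    if (received_len > MAX_INGEST_BYTES) return PKT_TOO_LONG;

    uint16_t stream_id = rd16be(buf);          /* version:3 type:1 sechdr:1 apid:11 */
    if ((stream_id >> 13) != 0) return PKT_BAD_VERSION;

    /* CCSDS: length field = (octets after the primary header) - 1 */
    size_t declared_total = (size_t)rd16be(buf + 4) + 1 + CCSDS_PRI_HDR_LEN;
    if (declared_total != received_len) return PKT_LEN_MISMATCH;
    return PKT_OK;
}

const char *pkt_status_name(PktStatus s)
{
    switch (s) {
    case PKT_OK:           return "ok";
    case PKT_NULL:         return "null buffer";
    case PKT_TOO_SHORT:    return "too short";
    case PKT_TOO_LONG:     return "too long";
    case PKT_BAD_VERSION:  return "bad version";
    case PKT_LEN_MISMATCH: return "length mismatch";
    }
    return "unknown";
}

/* Constructed samples (not captured traffic); APID 0x000 is arbitrary.
 * Bytes 4..5 are the length field: 0x0001 means 2 octets follow the header. */
const uint8_t SAMPLE_GOOD[8]        = {0x18, 0x00, 0xC0, 0x00, 0x00, 0x01, 0x00, 0x00};
const uint8_t SAMPLE_LEN_LIE[8]     = {0x18, 0x00, 0xC0, 0x00, 0x03, 0xFF, 0x00, 0x00};
const uint8_t SAMPLE_TRUNCATED[3]   = {0x18, 0x00, 0xC0};
const uint8_t SAMPLE_BAD_VERSION[8] = {0xF8, 0x00, 0xC0, 0x00, 0x00, 0x01, 0x00, 0x00};

int main(void)
{
    printf("good:        %s\n", pkt_status_name(validate_ccsds_datagram(SAMPLE_GOOD, sizeof SAMPLE_GOOD)));
    printf("length lie:  %s\n", pkt_status_name(validate_ccsds_datagram(SAMPLE_LEN_LIE, sizeof SAMPLE_LEN_LIE)));
    printf("truncated:   %s\n", pkt_status_name(validate_ccsds_datagram(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED)));
    printf("bad version: %s\n", pkt_status_name(validate_ccsds_datagram(SAMPLE_BAD_VERSION, sizeof SAMPLE_BAD_VERSION)));
    printf("oversized:   %s\n", pkt_status_name(validate_ccsds_datagram(SAMPLE_GOOD, 2000)));
    return 0;
}
```

The point of the mismatch check is that a length field larger than the datagram is exactly what lets a later stage (a copy, a software-bus publish, an event-log formatter) read or write past the bytes that actually arrived; rejecting the packet at ingest keeps that discrepancy from ever reaching a module that trusts the header.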