Segmentation Fault in EVS module

[mirkobitetto]

Checklist (Please check before submitting)

• [ x] I reviewed the Contributing Guide.
• [ x] I performed a cursory search to see if the bug report is relevant, not redundant, nor in conflict with other tickets.

Describe the bug
While fuzzing the cFS framework, I encountered a crash that appears to originate in the EVS_SendViaPorts function.

The issue arises when a specific sequence of packets is processed by the CI_LAB application, leading to a SIGSEGV in the EVS module.

To Reproduce
Steps to reproduce the behavior:

1. Compile and run cFS using the instructions provided below.
2. Send the two specific malformed packets in sequence to the CI_LAB UDP port.
3. Observe a segmentation fault occurring in the EVS_SendViaPorts function.

For security reasons, the exact packet contents are not included here. I’ve opted to share the packet contents privately with the core maintainers.

However, I’ve attached a short demonstration video to show the crash happening in real time.

recording_2025-04-30_22.36.44.mp4

Expected behavior

• The application crashes with a SIGSEGV in EVS_SendViaPorts.

Build & Run Steps (Unmodified cFS)

make distclean                 # Optional: clean build
make SIMULATION=native prep
make
make install
cd build/exe/cpu1/
./core-cpu1

System observed on:

• cFS version: equuleus-rc1, commit 0ba1faa
• Modules involved: CI_LAB, EVS, SB
• Platform: Native Linux (x86_64)
• Build options: Default; no patches applied

Reporter Info
Mirko Bitetto, MSc Student @ Politecnico di Milano

[thesamprice]

@mirkobitetto During fuzzy testing you may want to enable the address sanitizer to create more crashes.
See
#849

[suryasekhar06jemsbond-lab]

Proposed Fix

To mitigate the risk of DoS attacks due to malformed UDP packets, we can implement robust validation and error handling mechanisms in the UDP packet processing code.

1. Modify UDP Packet Handling to Include Validation

In the UDP packet processing module, introduce checks to validate the integrity and structure of incoming packets before processing them.

// In UDP packet processing module

#include <stdint.h>
#include <stdbool.h>

#define MAX_PACKET_SIZE 1024

// Structure representing a UDP packet
typedef struct {
uint16_t header;
uint16_t length;
uint8_t data[MAX_PACKET_SIZE];
} UdpPacket;

// Function to validate the integrity of a UDP packet
bool validate_udp_packet(const UdpPacket *packet) {
// Check for null pointer
if (packet == NULL) {
return false;
}

// Validate header and length fields
if (packet->length > MAX_PACKET_SIZE || packet->length < sizeof(UdpPacket)) {
    return false;
}

// Additional validation checks can be added here

return true;

}

// Function to process a UDP packet
void process_udp_packet(const UdpPacket *packet) {
if (!validate_udp_packet(packet)) {
// Log error and discard invalid packet
printf("Invalid UDP packet received. Discarding.\n");
return;
}

// Proceed with processing the valid packet
// ...

}

2. Explanation

What this does: The validate_udp_packet function checks the integrity of incoming UDP packets by verifying their header and length fields. If a packet fails validation, it's discarded, preventing potential DoS attacks.

Why this fixes it: By ensuring that only well-formed packets are processed, we prevent malformed packets from causing crashes or unresponsiveness in the system.