From d004a4a5e49b6914dc4bdade188611a61dbeb8b6 Mon Sep 17 00:00:00 2001 From: Eduardo Ponz Segrelles Date: Sat, 16 Dec 2023 17:36:10 +0100 Subject: [PATCH] Fix bad-free when receiving malformed DATA_FRAG submessage (#4145) * Refs #20140: Add regression test Signed-off-by: EduPonz * Refs #20140: Fix bad free Signed-off-by: EduPonz --------- Signed-off-by: EduPonz (cherry picked from commit 7157a192951432ca277c53bbe9ab5fcd2dccd461) --- src/cpp/rtps/messages/MessageReceiver.cpp | 2 ++ test/blackbox/common/BlackboxTestsTransportUDP.cpp | 1 + test/blackbox/datagrams/20140.bin | Bin 0 -> 92 bytes 3 files changed, 3 insertions(+) create mode 100644 test/blackbox/datagrams/20140.bin
diff --git a/src/cpp/rtps/messages/MessageReceiver.cpp b/src/cpp/rtps/messages/MessageReceiver.cpp
index 005ad6e899f..bb1df567a9c 100644
--- a/src/cpp/rtps/messages/MessageReceiver.cpp
+++ b/src/cpp/rtps/messages/MessageReceiver.cpp
@@ -1009,6 +1009,8 @@ bool MessageReceiver::proc_Submsg_DataFrag(
 {
 logWarning(RTPS_MSG_IN, IDSTRING "Serialized Payload value invalid or larger than maximum allowed size "
 "(" << payload_size << "/" << (msg->length - msg->pos) << ")");
+ ch.serializedPayload.data = nullptr;
+ ch.inline_qos.data = nullptr;
 return false;
 }
 }
diff --git a/test/blackbox/common/BlackboxTestsTransportUDP.cpp b/test/blackbox/common/BlackboxTestsTransportUDP.cpp
index 1ce54611af4..fc35098b0b6 100644
--- a/test/blackbox/common/BlackboxTestsTransportUDP.cpp
+++ b/test/blackbox/common/BlackboxTestsTransportUDP.cpp
@@ -548,6 +548,7 @@ TEST(TransportUDP, DatagramInjection)
 ASSERT_FALSE(receivers.empty());
 deliver_datagram_from_file(receivers, "datagrams/16784.bin");
+ deliver_datagram_from_file(receivers, "datagrams/20140.bin");
 }
 // Test for ==operator UDPTransportDescriptor is not required as it is an abstract class and in UDPv4 is same method
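Review bot: In `src/cpp/rtps/messages/MessageReceiver.cpp`, the two added resets cover only this one rejection branch of `proc_Submsg_DataFrag`, and nothing next to them says why they are needed. Going by the commit title, `ch` would otherwise free memory it does not own when the malformed submessage is rejected, so any other early `return false` taken after these fields are set presumably needs the same reset; the rest of the function is outside the hunk, so that should be checked. I would add a comment above the resets, `// data may point into the received message, which ch does not own: clear it so destroying ch cannot free it`, and consider a single scope guard at the point where the pointers are borrowed instead of per-branch resets. This path is driven by network input, so a missed branch would be a crash that a remote sender can trigger.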
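Review bot: In `test/blackbox/common/BlackboxTestsTransportUDP.cpp`, the added `deliver_datagram_from_file(receivers, "datagrams/20140.bin");` is followed by no assertion, so the regression is caught only if the bad free actually aborts the process, which may depend on a sanitizer or checking-allocator build. The fixture is an opaque 92-byte binary, so a comment on the call such as `// Refs #20140: malformed DATA_FRAG submessage; the receiver must reject it without crashing` would record what the datagram exercises. The test body starts above the hunk.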
diff --git a/test/blackbox/datagrams/20140.bin b/test/blackbox/datagrams/20140.bin new file mode 100644 index 0000000000000000000000000000000000000000..7844c82403742e50e2f42de619df41b3f5c01524 GIT binary patch literal 92 zcmWFv2?%ClJjL+-`4Ne$@2*|j$;iMU#>BvIq@4i_f`Iaj40o^X1oAj6A!0BRsFZ;L ZL;wwV!1Mf+0K>ZiF&-d4C