Fix CVE-2026-22591

This commit fixes CVE-2026-22591 by limiting the number of subexpressions in a filter expression.

This is a squashed commit of a privately reviewed branch.

Signed-off-by: Miguel Company <miguelcompany@eprosima.com>
Reviewed-by: Ricardo González Moreno <ricardo@richiware.dev>

Author: MiguelCompany

src/cpp/fastdds/domain/DomainParticipantImpl.cpp

@@ -51,11 +51,11 @@
 #include <fastdds/rtps/writer/WriterDiscoveryStatus.hpp>
 
 #include <fastdds/builtin/type_lookup_service/TypeLookupManager.hpp>
-#include <fastdds/core/policy/QosPolicyUtils.hpp>
 #include <fastdds/publisher/DataWriterImpl.hpp>
 #include <fastdds/publisher/PublisherImpl.hpp>
 #include <fastdds/subscriber/SubscriberImpl.hpp>
 #include <fastdds/topic/ContentFilteredTopicImpl.hpp>
+#include <fastdds/topic/DDSSQLFilter/DDSFilterFactory.hpp>
 #include <fastdds/topic/TopicImpl.hpp>
 #include <fastdds/topic/TopicProxy.hpp>
 #include <fastdds/topic/TopicProxyFactory.hpp>
@@ -90,6 +90,54 @@ using rtps::ReaderDiscoveryStatus;
 using rtps::ResourceEvent;
 using rtps::WriterDiscoveryStatus;
 
+static size_t get_filter_max_subexpressions(
+        const DomainParticipantQos& qos)
+{
+    constexpr const char parameter_name[] = "dds.sql.expression.max_subexpressions";
+    const std::string* property = fastdds::rtps::PropertyPolicyHelper::find_property(
+        qos.properties(), parameter_name);
+    if (nullptr != property)
+    {
+        try
+        {
+            return std::stoul(*property);
+        }
+        catch (...)
+        {
+            EPROSIMA_LOG_WARNING(DOMAIN_PARTICIPANT,
+                    "Invalid value for dds.sql.expression.max_subexpressions property: "
+                    << *property << ". Will use default value of "
+                    << DDSSQLFilter::DDSFilterFactory::DEFAULT_MAX_SUBEXPRESSIONS);
+        }
+    }
+
+    return DDSSQLFilter::DDSFilterFactory::DEFAULT_MAX_SUBEXPRESSIONS;
+}
+
+static size_t get_filter_max_expression_length(
+        const DomainParticipantQos& qos)
+{
+    constexpr const char parameter_name[] = "dds.sql.expression.max_expression_length";
+    const std::string* property = fastdds::rtps::PropertyPolicyHelper::find_property(
+        qos.properties(), parameter_name);
+    if (nullptr != property)
+    {
+        try
+        {
+            return std::stoul(*property);
+        }
+        catch (...)
+        {
+            EPROSIMA_LOG_WARNING(DOMAIN_PARTICIPANT,
+                    "Invalid value for dds.sql.expression.max_expression_length property: "
+                    << *property << ". Will use default value of "
+                    << DDSSQLFilter::DDSFilterFactory::DEFAULT_MAX_EXPRESSION_LENGTH);
+        }
+    }
+
+    return DDSSQLFilter::DDSFilterFactory::DEFAULT_MAX_EXPRESSION_LENGTH;
+}
+
 DomainParticipantImpl::DomainParticipantImpl(
         DomainParticipant* dp,
         DomainId_t did,
@@ -103,6 +151,7 @@ DomainParticipantImpl::DomainParticipantImpl(
     , listener_(listen)
     , default_pub_qos_(PUBLISHER_QOS_DEFAULT)
     , default_sub_qos_(SUBSCRIBER_QOS_DEFAULT)
+    , dds_sql_filter_factory_(get_filter_max_subexpressions(qos), get_filter_max_expression_length(qos))
     , default_topic_qos_(TOPIC_QOS_DEFAULT)
     , id_counter_(0)
 #pragma warning (disable : 4355 )

src/cpp/fastdds/topic/DDSSQLFilter/DDSFilterFactory.cpp

@@ -541,59 +541,69 @@ ReturnCode_t DDSFilterFactory::create_content_filter(
             }
         }
     }
-    else if (std::strlen(filter_expression) == 0)
-    {
-        delete_content_filter(filter_class_name, filter_instance);
-        filter_instance = &empty_expression_;
-        ret = RETCODE_OK;
-    }
     else
     {
-        std::shared_ptr<xtypes::TypeObject> type_object = get_complete_type_object(type_name, data_type);
+        size_t expression_len = std::strlen(filter_expression);
 
-        if (!type_object)
+        if (0 == expression_len)
         {
-            EPROSIMA_LOG_ERROR(DDSSQLFILTER, "No TypeObject found for type " << type_name);
+            delete_content_filter(filter_class_name, filter_instance);
+            filter_instance = &empty_expression_;
+            ret = RETCODE_OK;
         }
-        else
+        else if (validate_filter_expression(filter_expression, expression_len))
         {
-            auto node = parser::parse_filter_expression(filter_expression, type_object);
-            if (node)
+            std::shared_ptr<xtypes::TypeObject> type_object = get_complete_type_object(type_name, data_type);
+
+            if (!type_object)
             {
-                DynamicType::_ref_type dyn_type = DynamicTypeBuilderFactory::get_instance()->create_type_w_type_object(
-                    *type_object)->build();
-                if (dyn_type)
+                EPROSIMA_LOG_ERROR(DDSSQLFILTER, "No TypeObject found for type " << type_name);
+                ret = RETCODE_PRECONDITION_NOT_MET;
+            }
+            else
+            {
+                auto node = parser::parse_filter_expression(filter_expression, type_object);
+                if (node)
                 {
-                    DDSFilterExpression* expr = get_expression();
-                    expr->set_type(dyn_type);
-                    size_t n_params = filter_parameters.length();
-                    expr->parameters.reserve(n_params);
-                    while (expr->parameters.size() < n_params)
+                    DynamicTypeBuilderFactory::_ref_type factory = DynamicTypeBuilderFactory::get_instance();
+                    DynamicType::_ref_type dyn_type = factory->create_type_w_type_object(*type_object)->build();
+                    if (dyn_type)
                     {
-                        expr->parameters.emplace_back();
-                    }
-                    ExpressionParsingState state{ std::make_shared<xtypes::TypeObject>(*type_object),
-                                                  filter_parameters, expr };
-                    ret = convert_tree<DDSFilterCondition>(state, expr->root, *(node->children[0]));
-                    if (RETCODE_OK == ret)
-                    {
-                        delete_content_filter(filter_class_name, filter_instance);
-                        filter_instance = expr;
+                        DDSFilterExpression* expr = get_expression();
+                        expr->set_type(dyn_type);
+                        size_t n_params = filter_parameters.length();
+                        expr->parameters.reserve(n_params);
+                        while (expr->parameters.size() < n_params)
+                        {
+                            expr->parameters.emplace_back();
+                        }
+                        ExpressionParsingState state{ std::make_shared<xtypes::TypeObject>(*type_object),
+                                                      filter_parameters, expr };
+                        ret = convert_tree<DDSFilterCondition>(state, expr->root, *(node->children[0]));
+                        if (RETCODE_OK == ret)
+                        {
+                            delete_content_filter(filter_class_name, filter_instance);
+                            filter_instance = expr;
+                        }
+                        else
+                        {
+                            delete_content_filter(filter_class_name, expr);
+                        }
                     }
                     else
                     {
-                        delete_content_filter(filter_class_name, expr);
+                        ret = RETCODE_BAD_PARAMETER;
                     }
                 }
                 else
                 {
                     ret = RETCODE_BAD_PARAMETER;
                 }
             }
-            else
-            {
-                ret = RETCODE_BAD_PARAMETER;
-            }
+        }
+        else
+        {
+            ret = RETCODE_BAD_PARAMETER;
         }
     }
 
@@ -620,6 +630,50 @@ ReturnCode_t DDSFilterFactory::delete_content_filter(
     return RETCODE_OK;
 }
 
+bool DDSFilterFactory::validate_filter_expression(
+        const char* expression,
+        const size_t expression_len) const
+{
+    if (expression_len > max_expression_length_)
+    {
+        // Expression too long
+        return false;
+    }
+
+    // Check parentheses balance and count
+    size_t num_parentheses = 0;
+    size_t pending_size = expression_len;
+    for (const char* ptr = expression; (pending_size > 0) && (*ptr != '\0'); ++ptr, --pending_size)
+    {
+        if (*ptr == '(')
+        {
+            ++num_parentheses;
+
+            if (num_parentheses > max_subexpressions_)
+            {
+                // Too many nested parentheses
+                return false;
+            }
+        }
+        else if (*ptr == ')')
+        {
+            if (num_parentheses == 0)
+            {
+                // Unmatched closing parenthesis
+                return false;
+            }
+            --num_parentheses;
+        }
+    }
+    if (num_parentheses != 0)
+    {
+        // Unmatched opening parenthesis
+        return false;
+    }
+
+    return true;
+}
+
 }  // namespace DDSSQLFilter
 }  // namespace dds
 }  // namespace fastdds

src/cpp/fastdds/topic/DDSSQLFilter/DDSFilterFactory.hpp

@@ -40,6 +40,17 @@ class DDSFilterFactory final : public IContentFilterFactory
 
 public:
 
+    static constexpr size_t DEFAULT_MAX_SUBEXPRESSIONS = 256;
+    static constexpr size_t DEFAULT_MAX_EXPRESSION_LENGTH = 16 * 1024;
+
+    explicit DDSFilterFactory(
+            size_t max_subexpressions,
+            size_t max_expression_length)
+        : max_subexpressions_(max_subexpressions)
+        , max_expression_length_(max_expression_length)
+    {
+    }
+
     ~DDSFilterFactory();
 
     ReturnCode_t create_content_filter(
@@ -56,6 +67,20 @@ class DDSFilterFactory final : public IContentFilterFactory
 
 private:
 
+    /**
+     * @brief Validate a DDS-SQL filter expression.
+     *
+     * Performs basic validation checks on the expression before passing it to the PEGTL parser.
+     *
+     * @param[in] expression The filter expression to validate.
+     * @param[in] expression_len The length of the filter expression.
+     *
+     * @return true if the expression is valid, false otherwise.
+     */
+    bool validate_filter_expression(
+            const char* expression,
+            const size_t expression_len) const;
+
     /**
      * Retrieve a DDSFilterExpression from the pool.
      *
@@ -86,6 +111,10 @@ class DDSFilterFactory final : public IContentFilterFactory
     DDSFilterEmptyExpression empty_expression_;
     /// Pool of DDSFilterExpression objects
     ObjectPool<DDSFilterExpression*> expression_pool_;
+    /// Maximum number of sub-expressions allowed in a filter expression
+    const size_t max_subexpressions_ = DEFAULT_MAX_SUBEXPRESSIONS;
+    /// Maximum length of a filter expression
+    const size_t max_expression_length_ = DEFAULT_MAX_EXPRESSION_LENGTH;
 
 };