[lwip-devel] [bug #52345] MQTT buffer length check seems wrong
From: David Bourgeois
Subject: [lwip-devel] [bug #52345] MQTT buffer length check seems wrong
Date: Thu, 8 Feb 2018 21:34:26 -0500 (EST)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36

Follow-up Comment #7, bug #52345 (project lwip):

Here's how to trigger the issue and the Wireshark capture (file
mqtt_bug_52345_capture.pcapng attached).

Below is the code of the client:

    extern mqtt_client_t *mqtt_client;
    int ip[4] = {10,192,55,55};
    mqtt_connect(ip, "client_test");
    mqtt_subscribe(mqtt_client, "topic_qos1", MQTT_QOS_1, NULL, NULL);
    osDelay(100);
    mqtt_subscribe(mqtt_client, "topic_qos0", MQTT_QOS_0, NULL, NULL);
    while(1){
        osDelay(1000);
    }

The following commands were issued during the capture:

    $ mosquitto_pub -t topic_qos1 -m "test1" -q 1
    $ mosquitto_pub -t topic_qos1 -m "" -q 1
    $ mosquitto_pub -t topic_qos0 -m "test0" -q 0
    $ mosquitto_pub -t topic_qos0 -m "" -q 0

The last command triggers the bug: it discards an otherwise valid packet (packet
22 of the capture) and closes the connection.

If I replace the following line in mqtt.c

    if ((after_topic + (qos ? 2 : 1)) > length) {

by

    if ((after_topic + (qos ? 2 : 0)) > length) {

the packet is accepted, but the code following the test will write one byte
past the end of the buffer so this isn't a possible solution.

_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?52345>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
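
Added example (not part of the original message and not lwIP's code): a standalone bounds check for an MQTT PUBLISH body that accepts an empty payload at QoS 0 and never writes to the receive buffer, because topic and payload are returned as pointer plus length. The names parse_publish and publish_view and the sample packets are hypothetical, constructed to mirror the two empty-message publishes in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view type: topic and payload point into the packet buffer,
 * so nothing is ever written to it (no terminator byte is needed). */
struct publish_view {
    const uint8_t *topic;   size_t topic_len;
    const uint8_t *payload; size_t payload_len;
    uint16_t packet_id;     /* 0 when qos == 0 */
};

/* buf/len: the "remaining length" bytes of one PUBLISH (variable header
 * plus payload). Returns 0 on success, -1 if the packet is truncated. */
int parse_publish(const uint8_t *buf, size_t len, unsigned qos,
                  struct publish_view *out)
{
    if (qos > 2 || len < 2)
        return -1;
    size_t topic_len = ((size_t)buf[0] << 8) | buf[1];
    if (topic_len > len - 2)               /* topic must fit */
        return -1;
    size_t after_topic = 2 + topic_len;
    size_t id_len = qos ? 2 : 0;           /* packet id only for QoS 1/2 */
    if (id_len > len - after_topic)        /* payload itself may be empty */
        return -1;
    out->topic = buf + 2;
    out->topic_len = topic_len;
    out->packet_id = qos ? (uint16_t)((buf[after_topic] << 8) |
                                      buf[after_topic + 1]) : 0;
    out->payload = buf + after_topic + id_len;
    out->payload_len = len - after_topic - id_len;
    return 0;
}

/* Constructed packets mirroring the two empty-message publishes above. */
static const uint8_t qos0_empty[] = { 0x00, 0x0A, 't','o','p','i','c','_','q','o','s','0' };
static const uint8_t qos1_empty[] = { 0x00, 0x0A, 't','o','p','i','c','_','q','o','s','1', 0x00, 0x01 };
int main(void)
{
    struct publish_view v;
    int rc = parse_publish(qos0_empty, sizeof qos0_empty, 0, &v);
    printf("qos0 empty: rc=%d payload_len=%zu\n", rc, rc ? 0 : v.payload_len);
    rc = parse_publish(qos1_empty, sizeof qos1_empty, 1, &v);
    printf("qos1 empty: rc=%d id=%u\n", rc, rc ? 0u : (unsigned)v.packet_id);
    /* Same bytes minus the packet id: must be rejected at QoS 1. */
    printf("qos1 truncated: rc=%d\n", parse_publish(qos1_empty, 12, 1, &v));
    return 0;
}
```

Every length comparison is written as a subtraction from a value already known to be large enough, so none of the checks can wrap around.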