asymcute: Fix null pointer dereference #12293
Merged
+14
−1
Contribution description
This PR fixes various null pointer dereferences in asymcute. All of these are due to the assumption that `req->arg` is always non-NULL. Since an attacker can spoof MQTT replies, this is not necessarily the case.
This assumption is made at various places in the code. I only tested this with MQTTSN_SUBACK messages (`_on_suback` function), but the same issue should apply to any function accessing `req->arg` without checking for NULL.
Testing procedure
My tap setup is as follows:
On native: before the connect request times out, spoof a reply using:
49152 should be the default ephemeral port. The packet must have the server address as source address and the server port as source port.
Expected result: The packet should be rejected.
Actual result: Segmentation fault + invalid read of size 4.
Impact
The null pointer dereference should result in a crash on most platforms, thereby allowing a denial of service. The attacker must be able to spoof an MQTT response, which is easy as the ephemeral port is not picked at random. Additionally, the attacker needs to know a pending MQTT MsgId; however, those aren't picked at random either and there are only 2^8 possible values.
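As an added illustration (not RIOT's code and not this PR's diff), a simplified C model of the failure the description reports: a pending CONNECT request carries no subscription context, so a spoofed SUBACK that echoes its MsgId reaches a handler that assumes `req->arg` is set. The hardened handler below rejects such a reply instead of dereferencing NULL; every name here (`req_t`, `find_req`, `on_suback`, the request table) is an assumption made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical, simplified model of a pending-request table (not RIOT's
 * real asymcute structures). A CONNECT request has no subscription
 * attached, so its `arg` is NULL; a SUBSCRIBE request points at one. */
typedef enum { REQ_CONNECT, REQ_SUBSCRIBE } req_type_t;

typedef struct {
    uint16_t   msg_id;   /* MQTT-SN MsgId echoed by the broker's reply */
    req_type_t type;
    void      *arg;      /* subscription context for SUBSCRIBE, else NULL */
} req_t;

typedef struct { uint16_t topic_id; } sub_t;

/* Constructed pending state: a CONNECT (MsgId 1, arg NULL) and a
 * SUBSCRIBE (MsgId 2) both still waiting for their acks. */
static sub_t g_sub = { 0 };
static req_t g_reqs[] = {
    { 1, REQ_CONNECT,   NULL   },
    { 2, REQ_SUBSCRIBE, &g_sub },
};

static req_t *find_req(uint16_t msg_id) {
    for (size_t i = 0; i < sizeof(g_reqs) / sizeof(g_reqs[0]); i++) {
        if (g_reqs[i].msg_id == msg_id) {
            return &g_reqs[i];
        }
    }
    return NULL;
}

/* Hardened SUBACK handler: a reply whose MsgId matches no request, a
 * request of another type, or a request with no subscription attached is
 * dropped before `req->arg` is touched. Returns true only if accepted. */
bool on_suback(uint16_t msg_id, uint16_t topic_id) {
    req_t *req = find_req(msg_id);
    if (req == NULL || req->type != REQ_SUBSCRIBE || req->arg == NULL) {
        return false;                /* unknown or spoofed reply: reject */
    }
    sub_t *sub = (sub_t *)req->arg;  /* safe: checked above */
    sub->topic_id = topic_id;
    return true;
}
```

Without the type and NULL checks, a SUBACK carrying MsgId 1 would reach `sub->topic_id = topic_id` with `sub == NULL`, which is the invalid read/write the description observed.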