Integer overflow when decoding mqtt variable length #1055
The problem occurs in the function `parse_mqtt`. When the broker processes a message, it first decodes a sequence of bytes starting from the 2nd byte to get the length of the data, and then determines the end of the data by summing up `p` and `len`:

However, if `len` is too large, the value of `end` becomes less than the value of `p`. And the root cause here is this line:

Using a modern gcc compiler on Linux, when the broker casts down to the data type of `len` (which is `size_t`), the value will be auto cast to 64 bit, and the result is:

Exploiting the concept of 2's complement, we can control the value of `end` from `p-122` to `p-1`.

Impact:

- If `end` equals `io->buf`, then the current message won't be removed from the IO buffer, which leads to an infinite loop (for example: the broker is always busy if we send this payload `\x00\xfa\xff\xff\xff\x7f`, tested on the latest version of Mongoose on Ubuntu).
- If `end` is less than `io->buf`, it can be exploited as an out-of-bounds read/write in further developments.

Comments

@cpq, sorry for tagging you but I don't know who is the right person to review and I see you merge PRs. Anyway, I think we can easily fix the bug by not using data type

Thank you! I would like to integrate this change. Could you sign the CLA, please? The link is at the bottom of the project's README.md page.

Sure, I have already signed and made a PR (#1089).

Released https://github.com/cesanta/mongoose/releases/tag/6.17