Memory corruption in MQTT input plugin leading to crash of the server while processing crafted MQTT message #1135

Closed
cve-reporting opened this issue Feb 25, 2019 · 3 comments
cve-reporting commented Feb 25, 2019

The Fluent Bit MQTT input plugin, acting as an MQTT broker (server), incorrectly handles incoming network messages.
After processing a crafted packet, the plugin executes memmove() with a negative size parameter.
This leads to a crash of the whole Fluent Bit server via a SIGSEGV signal.

Proposed CVSS 3.0 score: 7.5 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Error message WITHOUT Address Sanitizer:

./build/bin/fluent-bit -i mqtt -t data -o stdout -m '*' --config=conf/in_mqtt.conf
Fluent Bit v1.0.4
Copyright (C) Treasure Data

[2019/02/25 16:06:27] [ info] [storage] initializing...
[2019/02/25 16:06:27] [ info] [storage] in-memory
[2019/02/25 16:06:27] [ info] [storage] normal synchronization mode, checksum disabled
[2019/02/25 16:06:27] [ info] [engine] started (pid=16525)
[engine] caught signal (SIGSEGV)
#0 0x7f287ab70e2c in ???() at ???:0
#1 0x470dee in ???() at ???:0
#2 0x471755 in ???() at ???:0
#3 0x470397 in ???() at ???:0
#4 0x4371e7 in ???() at ???:0
#5 0x421e90 in ???() at ???:0
#6 0x7f287aa4382f in ???() at ???:0
#7 0x420088 in ???() at ???:0
#8 0xffffffffffffffff in ???() at ???:0
Aborted

Error message WITH Address Sanitizer:

./build_asan/bin/fluent-bit -i mqtt -t data -o stdout -m '*' --config=conf/in_mqtt.conf
Fluent Bit v1.0.4
Copyright (C) Treasure Data

[2019/02/25 15:52:55] [ info] [storage] initializing...
[2019/02/25 15:52:55] [ info] [storage] in-memory
[2019/02/25 15:52:55] [ info] [storage] normal synchronization mode, checksum disabled
[2019/02/25 15:52:55] [ info] [engine] started (pid=16457)

==16457==ERROR: AddressSanitizer: negative-size-param: (size=-1)
#0 0x7f7c9283c05d in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8d05d)
#1 0x4caaa0 in mqtt_packet_drop /fluent-bit-1.0.4/plugins/in_mqtt/mqtt_prot.c:72
#2 0x4cc51e in mqtt_prot_parser /fluent-bit-1.0.4/plugins/in_mqtt/mqtt_prot.c:385
#3 0x4c8efa in mqtt_conn_event /fluent-bit-1.0.4/plugins/in_mqtt/mqtt_conn.c:47
#4 0x447535 in flb_engine_start /fluent-bit-1.0.4/src/flb_engine.c:484
#5 0x423da0 in main /fluent-bit-1.0.4/src/fluent-bit.c:842
#6 0x7f7c918ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x420a08 in _start (/fluent-bit-1.0.4/build_asan/bin/fluent-bit+0x420a08)

0x6190000032d6 is located 86 bytes inside of 1112-byte region [0x619000003280,0x6190000036d8)
allocated by thread T0 here:
#0 0x7f7c92847602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4c88bd in flb_malloc /fluent-bit-1.0.4/include/fluent-bit/flb_mem.h:57
#2 0x4c8f77 in mqtt_conn_add /fluent-bit-1.0.4/plugins/in_mqtt/mqtt_conn.c:72
#3 0x4c87d2 in in_mqtt_collect /fluent-bit-1.0.4/plugins/in_mqtt/mqtt.c:94
#4 0x43602f in flb_input_collector_fd /fluent-bit-1.0.4/src/flb_input.c:815
#5 0x44714b in flb_engine_handle_event /fluent-bit-1.0.4/src/flb_engine.c:251
#6 0x44714b in flb_engine_start /fluent-bit-1.0.4/src/flb_engine.c:457
#7 0x423da0 in main /fluent-bit-1.0.4/src/fluent-bit.c:842
#8 0x7f7c918ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memmove
==16457==ABORTING

Reproduction:

  1. Compile Fluent Bit with Address Sanitizer by enabling the compilation flag: -fsanitize=address

  2. Run Fluent Bit with the MQTT plugin enabled:
    fluent-bit -i mqtt -t data -o stdout -m '*' --config=conf/in_mqtt.conf

  3. Send the attached crafted message, e.g. using netcat:
    netcat (IP_addr) 1883 < fluent-bit_mqtt_crash_000.raw
    where IP_addr is the IP of the test server
    fluent-bit_mqtt_crash_000.raw.zip

@cve-reporting cve-reporting changed the title Memory corruption while processing MQTT input plugin leading to crash of the server Memory corruption in MQTT input plugin leading to crash of the server while processing crafted MQTT message Feb 25, 2019
@edsiper edsiper self-assigned this Feb 26, 2019
cve-reporting (Author) commented

@edsiper Could you confirm and provide an estimate of the fixing time?
Do you have any questions regarding this issue?

edsiper added a commit that referenced this issue Mar 27, 2019
This patch adds an extra verification to the buffer counters to
avoid corruption when memmove() would move an extra byte.

In addition, this patch implements a linked list for the active
connections so that when closing Fluent Bit we have a clean exit.

Signed-off-by: Eduardo Silva <eduardo@treasure-data.com>
edsiper commented Mar 27, 2019

@cve-reporting thanks for reporting the issue.

I pushed a fix for the problem described here: d978659

Today I am releasing v1.0.6 with this fix included. If you find any other problem please don't hesitate to let us know.
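The bug class described in the report above (a packet-drop routine whose memmove() size is derived from a declared packet length without checking it against the bytes actually buffered) and the buffer-counter check the fix's commit message describes, as an added stand-alone C model. This is illustrative code written for this page, not Fluent Bit's in_mqtt source: the names struct conn, mqtt_packet_total_len, drop_size_unchecked and packet_drop_checked are assumptions, and the two sample packets are constructed here rather than taken from the reporter's attachment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model (not Fluent Bit's in_mqtt code): a per-connection
 * buffer, a drop routine that shifts unconsumed bytes down with memmove(),
 * and the bounds check that keeps the shift size from going negative.
 */

#define CONN_BUF_SIZE 64

struct conn {
    uint8_t buf[CONN_BUF_SIZE];
    int buf_len;  /* bytes currently buffered from the socket */
    int buf_pos;  /* offset of the packet being parsed */
};

/* Decode an MQTT fixed header (control byte + variable-length
 * "remaining length") and return the total packet size it declares,
 * or -1 if 'avail' bytes do not hold a complete fixed header. */
int mqtt_packet_total_len(const uint8_t *p, int avail)
{
    int i = 1, multiplier = 1, remaining = 0;
    uint8_t b;

    if (avail < 2)
        return -1;
    do {
        if (i >= avail || i > 4)   /* header truncated, or >4 length bytes */
            return -1;
        b = p[i++];
        remaining += (b & 0x7F) * multiplier;
        multiplier *= 128;
    } while (b & 0x80);
    return i + remaining;          /* control byte + length bytes + payload */
}

/* Unchecked arithmetic of the kind the report describes: the byte count
 * to shift is computed from the declared length alone. Returned instead
 * of being passed to memmove(), so a negative result is observable. */
long drop_size_unchecked(int buf_len, int buf_pos, int packet_len)
{
    return (long)buf_len - (long)buf_pos - (long)packet_len;
}

/* Checked drop: refuse any packet whose declared length is not fully
 * inside the buffered region, then shift the tail down. Returns 0 on
 * success, -1 if rejected (buffer left untouched). */
int packet_drop_checked(struct conn *c, int packet_len)
{
    if (packet_len <= 0 || c->buf_pos < 0 || c->buf_pos > c->buf_len)
        return -1;
    if (packet_len > c->buf_len - c->buf_pos)   /* both sides non-negative */
        return -1;

    size_t tail = (size_t)(c->buf_len - c->buf_pos - packet_len);
    memmove(c->buf + c->buf_pos, c->buf + c->buf_pos + packet_len, tail);
    c->buf_len -= packet_len;
    return 0;
}

/* Parse the packet at buf_pos and drop it. Returns the remaining
 * buffered byte count, or -1 if the packet was rejected. */
int process_one_packet(struct conn *c)
{
    int total = mqtt_packet_total_len(c->buf + c->buf_pos, c->buf_len - c->buf_pos);
    if (total < 0 || packet_drop_checked(c, total) < 0)
        return -1;
    return c->buf_len;
}

/* Constructed sample: a PUBLISH with remaining length 5 and topic "abc",
 * followed by a complete 2-byte PINGREQ from the next packet. */
static const uint8_t GOOD[] = { 0x30, 0x05, 0x00, 0x03, 'a', 'b', 'c', 0xC0, 0x00 };

/* Constructed crafted sample: the header declares remaining length 2 but
 * only one payload byte has arrived, so the packet is one byte short. */
static const uint8_t SHORT[] = { 0x30, 0x02, 0x00 };

static void load(struct conn *c, const uint8_t *data, int len)
{
    memset(c, 0, sizeof(*c));
    memcpy(c->buf, data, (size_t)len);
    c->buf_len = len;
}

int demo_good_remaining(void)
{
    struct conn c;
    load(&c, GOOD, (int)sizeof(GOOD));
    return process_one_packet(&c);      /* 2: the PINGREQ stays queued */
}

long demo_short_unchecked_size(void)
{
    struct conn c;
    load(&c, SHORT, (int)sizeof(SHORT));
    int total = mqtt_packet_total_len(c.buf, c.buf_len);       /* 4 */
    return drop_size_unchecked(c.buf_len, c.buf_pos, total);   /* -1 */
}

int demo_short_checked(void)
{
    struct conn c;
    load(&c, SHORT, (int)sizeof(SHORT));
    return process_one_packet(&c);      /* -1: rejected, memmove never runs */
}

int main(void)
{
    printf("good packet: %d bytes left\n", demo_good_remaining());
    printf("short packet, unchecked size: %ld\n", demo_short_unchecked_size());
    printf("short packet, checked: %d\n", demo_short_checked());
    return 0;
}
```

The unchecked size for the one-byte-short packet comes out as -1, the same value the sanitizer reported above; passed to memmove() as a size_t it becomes an enormous length, which is why the unsanitized build dies with SIGSEGV rather than a clean error. The check compares the declared length against buf_len - buf_pos before any arithmetic feeds memmove(), which is the property the fix's commit message describes.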

@edsiper edsiper closed this as completed Mar 27, 2019