[Security]: data contention in pipe reaper #1180
Comments
Thanks for reporting issues. Please provide us your testimony raw data so that we can reproduce and fix.
Thanks for your reply. The current POC is not too stable to reproduce. I will provide you testimony raw data soon.
`nano_ctx_send` function of `nmq_mqtt.c`
nmq_mqtt.c
it doesn't matter. This could be a data racing problem, and we can dig into it with your raw data.
This bug has been identified! A pretty hidden one!
nmq_mqtt.c
Describe the bug

We found a heap-use-after-free in `nano_ctx_send` function of `nmq_mqtt.c` when it processes malformed messages.

Actual Behavior

Heap-use-after-free

To Reproduce

- Read the `pipe` in `nano_ctx_send` (nmq_mqtt.c)
- Free the `pipe` in `reap_worker` (reap.c) -> `pipe_destroy` (pipe.c)
- `pipe_destroy` (pipe.c)

ASAN Log

Environment Details
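The lifetime problem in the reproduction steps (a sender still reading the pipe while the reaper frees it) is commonly closed with a hold/release reference count, so the reaper only drops its own reference. The following C code is an added example, not the project's code or its actual fix; `demo_pipe` and every `demo_*` function are hypothetical names, and the interleaving is replayed in one thread so the result is deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for a broker pipe; not the project's own struct. */
typedef struct {
    atomic_int  refs;   /* 1 for the owner, +1 per in-flight user */
    atomic_bool closed; /* set once the pipe is handed to the reaper */
    int         id;
} demo_pipe;
static int demo_freed = 0; /* counts real frees, for the demonstration */

demo_pipe *demo_pipe_new(int id) {
    demo_pipe *p = malloc(sizeof(*p));
    if (p == NULL) return NULL;
    atomic_init(&p->refs, 1);
    atomic_init(&p->closed, false);
    p->id = id;
    return p;
}

/* Sender side: take a reference before touching the pipe. In threaded code
 * the lookup and this hold must sit under the lock the reaper also takes. */
bool demo_pipe_hold(demo_pipe *p) {
    if (atomic_load(&p->closed)) return false;
    atomic_fetch_add(&p->refs, 1);
    return true;
}

/* Drop a reference; only the last one frees the memory. */
void demo_pipe_rele(demo_pipe *p) {
    if (atomic_fetch_sub(&p->refs, 1) == 1) { free(p); demo_freed++; }
}

/* Reaper side: mark closed and drop the owner reference, never free() directly. */
void demo_pipe_reap(demo_pipe *p) {
    atomic_store(&p->closed, true);
    demo_pipe_rele(p);
}

/* Replays the reported interleaving: sender holds, reaper runs, sender reads. */
int demo_replay(void) {
    demo_pipe *p = demo_pipe_new(7);
    if (p == NULL || !demo_pipe_hold(p)) return -1;
    demo_pipe_reap(p);              /* reaper wins the race */
    int id = p->id;                 /* still valid: sender's reference remains */
    bool late = demo_pipe_hold(p);  /* new users are refused after close */
    demo_pipe_rele(p);              /* last reference: memory freed here */
    return late ? -1 : id;
}
```

Building this with `-fsanitize=address` reports nothing for the replay, whereas a reaper that called `free()` directly would trip the same heap-use-after-free class on the `p->id` read.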