Heap use after free in nanomq_cli tls sub

[wanghaEMQ]

Describe the bug

./nanomq_cli/nanomq_cli sub -h 127.0.0.1 -p 8883 -t "topic3" --cafile ../etc/certs/cacert.pem -s
connect_cb: tls+mqtt-tcp://127.0.0.1:8883 connect result: 0
=================================================================
==2413209==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000017a8c at pc 0x000000481e84 bp 0x7f952a15b130 sp 0x7f952a15b128
disconnected reason : 139
WRITE of size 4 at 0x60f000017a8c thread T20
    #0 0x481e83 in nni_atomic_dec_nv /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_atomic.c:120
    #1 0x46c519 in nni_msg_free /home/wangha/Documents/nanomq/nng/src/core/message.c:457
    #2 0x45a5d2 in nng_msg_free /home/wangha/Documents/nanomq/nng/src/nng.c:1522
    #3 0x4b1f79 in nng_mqtt_subscribe /home/wangha/Documents/nanomq/nng/src/supplemental/mqtt/mqtt_public.c:986
    #4 0x428af0 in connect_cb /home/wangha/Documents/nanomq/nanomq_cli/client.c:1433
    #5 0x47921d in nni_pipe_run_cb /home/wangha/Documents/nanomq/nng/src/core/socket.c:1790
    #6 0x478624 in nni_dialer_add_pipe /home/wangha/Documents/nanomq/nng/src/core/socket.c:1589
    #7 0x463d77 in dialer_connect_cb /home/wangha/Documents/nanomq/nng/src/core/dialer.c:383
    #8 0x47bf6e in nni_taskq_thread /home/wangha/Documents/nanomq/nng/src/core/taskq.c:50
    #9 0x47d19f in nni_thr_wrap /home/wangha/Documents/nanomq/nng/src/core/thread.c:94
    #10 0x485314 in nni_plat_thr_main /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:266
    #11 0x7f95419cd946 in start_thread (/lib64/libc.so.6+0x8c946) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
    #12 0x7f9541a5385f in __clone3 (/lib64/libc.so.6+0x11285f) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)

0x60f000017a8c is located 124 bytes inside of 168-byte region [0x60f000017a10,0x60f000017ab8)
freed by thread T6 here:
    #0 0x7f9542ad7fb8  (/lib64/libasan.so.8+0xd7fb8) (BuildId: 542ad02088f38edfdba9d4bfa465b2299f512d3e)
    #1 0x481079 in nni_free /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_alloc.c:33
    #2 0x46c605 in nni_msg_free /home/wangha/Documents/nanomq/nng/src/core/message.c:465
    #3 0x5a0de0 in mqtts_tcptran_pipe_send_cb /home/wangha/Documents/nanomq/nng/src/mqtt/transport/tls/mqtt_tls.c:515
    #4 0x47bf6e in nni_taskq_thread /home/wangha/Documents/nanomq/nng/src/core/taskq.c:50
    #5 0x47d19f in nni_thr_wrap /home/wangha/Documents/nanomq/nng/src/core/thread.c:94
    #6 0x485314 in nni_plat_thr_main /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:266
    #7 0x7f95419cd946 in start_thread (/lib64/libc.so.6+0x8c946) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)

previously allocated by thread T20 here:
    #0 0x7f9542ad8cc7 in calloc (/lib64/libasan.so.8+0xd8cc7) (BuildId: 542ad02088f38edfdba9d4bfa465b2299f512d3e)
    #1 0x481054 in nni_zalloc /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_alloc.c:26
    #2 0x46c0dd in nni_msg_alloc /home/wangha/Documents/nanomq/nng/src/core/message.c:387
    #3 0x4c8088 in nni_mqtt_msg_alloc /home/wangha/Documents/nanomq/nng/src/supplemental/mqtt/mqtt_msg.c:60
    #4 0x4afdfc in nng_mqtt_msg_alloc /home/wangha/Documents/nanomq/nng/src/supplemental/mqtt/mqtt_public.c:20
    #5 0x4b1d60 in nng_mqtt_subscribe /home/wangha/Documents/nanomq/nng/src/supplemental/mqtt/mqtt_public.c:966
    #6 0x428af0 in connect_cb /home/wangha/Documents/nanomq/nanomq_cli/client.c:1433
    #7 0x47921d in nni_pipe_run_cb /home/wangha/Documents/nanomq/nng/src/core/socket.c:1790
    #8 0x478624 in nni_dialer_add_pipe /home/wangha/Documents/nanomq/nng/src/core/socket.c:1589
    #9 0x463d77 in dialer_connect_cb /home/wangha/Documents/nanomq/nng/src/core/dialer.c:383
    #10 0x47bf6e in nni_taskq_thread /home/wangha/Documents/nanomq/nng/src/core/taskq.c:50
    #11 0x47d19f in nni_thr_wrap /home/wangha/Documents/nanomq/nng/src/core/thread.c:94
    #12 0x485314 in nni_plat_thr_main /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:266
    #13 0x7f95419cd946 in start_thread (/lib64/libc.so.6+0x8c946) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)

Thread T20 created by T0 here:
    #0 0x7f9542a48956 in pthread_create (/lib64/libasan.so.8+0x48956) (BuildId: 542ad02088f38edfdba9d4bfa465b2299f512d3e)
    #1 0x48540d in nni_plat_thr_init /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:279
    #2 0x47d442 in nni_thr_init /home/wangha/Documents/nanomq/nng/src/core/thread.c:121
    #3 0x47c289 in nni_taskq_init /home/wangha/Documents/nanomq/nng/src/core/taskq.c:95
    #4 0x47ceab in nni_taskq_sys_init /home/wangha/Documents/nanomq/nng/src/core/taskq.c:276
    #5 0x46751f in nni_init_helper /home/wangha/Documents/nanomq/nng/src/core/init.c:35
    #6 0x485714 in nni_plat_init /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:422
    #7 0x467589 in nni_init /home/wangha/Documents/nanomq/nng/src/core/init.c:57
    #8 0x47429b in nni_sock_open /home/wangha/Documents/nanomq/nng/src/core/socket.c:638
    #9 0x494023 in nni_proto_open /home/wangha/Documents/nanomq/nng/src/sp/protocol.c:21
    #10 0x4f7a35 in nng_mqtt_client_open /home/wangha/Documents/nanomq/nng/src/mqtt/protocol/mqtt/mqtt_client.c:1342
    #11 0x4293c9 in create_client /home/wangha/Documents/nanomq/nanomq_cli/client.c:1520
    #12 0x42a163 in client /home/wangha/Documents/nanomq/nanomq_cli/client.c:1634
    #13 0x42a233 in subscribe_start /home/wangha/Documents/nanomq/nanomq_cli/client.c:1677
    #14 0x43ab71 in main /home/wangha/Documents/nanomq/nanomq_cli/main.c:120
    #15 0x7f9541968b89 in __libc_start_call_main (/lib64/libc.so.6+0x27b89) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
    #16 0x7f9541968c4a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c4a) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
    #17 0x41f044 in _start (/home/wangha/Documents/nanomq/build/nanomq_cli/nanomq_cli+0x41f044) (BuildId: a6d43106a8a7c42b83809c7af724cd710c11469e)

Thread T6 created by T0 here:
    #0 0x7f9542a48956 in pthread_create (/lib64/libasan.so.8+0x48956) (BuildId: 542ad02088f38edfdba9d4bfa465b2299f512d3e)
    #1 0x48540d in nni_plat_thr_init /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:279
    #2 0x47d442 in nni_thr_init /home/wangha/Documents/nanomq/nng/src/core/thread.c:121
    #3 0x47c289 in nni_taskq_init /home/wangha/Documents/nanomq/nng/src/core/taskq.c:95
    #4 0x47ceab in nni_taskq_sys_init /home/wangha/Documents/nanomq/nng/src/core/taskq.c:276
    #5 0x46751f in nni_init_helper /home/wangha/Documents/nanomq/nng/src/core/init.c:35
    #6 0x485714 in nni_plat_init /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:422
    #7 0x467589 in nni_init /home/wangha/Documents/nanomq/nng/src/core/init.c:57
    #8 0x47429b in nni_sock_open /home/wangha/Documents/nanomq/nng/src/core/socket.c:638
    #9 0x494023 in nni_proto_open /home/wangha/Documents/nanomq/nng/src/sp/protocol.c:21
    #10 0x4f7a35 in nng_mqtt_client_open /home/wangha/Documents/nanomq/nng/src/mqtt/protocol/mqtt/mqtt_client.c:1342
    #11 0x4293c9 in create_client /home/wangha/Documents/nanomq/nanomq_cli/client.c:1520
    #12 0x42a163 in client /home/wangha/Documents/nanomq/nanomq_cli/client.c:1634
    #13 0x42a233 in subscribe_start /home/wangha/Documents/nanomq/nanomq_cli/client.c:1677
    #14 0x43ab71 in main /home/wangha/Documents/nanomq/nanomq_cli/main.c:120
    #15 0x7f9541968b89 in __libc_start_call_main (/lib64/libc.so.6+0x27b89) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
    #16 0x7f9541968c4a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c4a) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
    #17 0x41f044 in _start (/home/wangha/Documents/nanomq/build/nanomq_cli/nanomq_cli+0x41f044) (BuildId: a6d43106a8a7c42b83809c7af724cd710c11469e)

SUMMARY: AddressSanitizer: heap-use-after-free /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_atomic.c:120 in nni_atomic_dec_nv
Shadow bytes around the buggy address:
  0x60f000017800: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x60f000017880: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x60f000017900: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x60f000017980: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x60f000017a00: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x60f000017a80: fd[fd]fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x60f000017b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60f000017b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60f000017c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60f000017c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60f000017d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2413209==ABORTING

Expected behavior
No heap use after free.

To Reproduce
Start nanomq.
then ./nanomq_cli/nanomq_cli sub -h 127.0.0.1 -p 8883 -t "topic3" --cafile ../etc/certs/cacert.pem -s

Environment Details

• NanoMQ version. latest
• Operating system and version
• Compiler and language used
• testing scenario

[wanghaEMQ]

This only can be reproduced in a special case. add following code :

+++ b/src/sp/transport/mqtts/broker_tls.c
@@ -642,6 +642,9 @@ tlstran_pipe_recv_cb(void *arg)
                }
                goto recv_error;
        }
+       rv = NNG_EPROTO;
+       log_error("Time to goto error");
+       goto recv_error;

[JaylinYu]

fine, whole life cycle of submsg shall be manged by SDK .