Potential OOB Writes in eclipse/paho.mqtt.embedded-c #242

Open
icraggs opened this issue Jun 6, 2023 · 0 comments

icraggs commented Jun 6, 2023

Raised first here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=577965

Created attachment 287734 [details]
poc.c

Project and Version:
eclipse/paho.mqtt.embedded-c, latest master branch (commit 29ab2aa)

Location:
MQTTPacket/src/MQTTSubscribeServer.c:MQTTDeserialize_subscribe()

Description:
In MQTTDeserialize_subscribe(), the index is not checked when writing into the array topicFilters and requestedQoSs: the maximum length (stored in maxcount) of these two buffers is not even checked by the function, which may lead to OOB writes of any length when processing a malformed packet.

Steps to Reproduce:

  1. Download attached poc.c
  2. Place it under MQTTPacket/test/
  3. Compile with: gcc -fsanitize=address -Wall poc.c -o poc -I../src ../src/MQTTConnectClient.c ../src/MQTTConnectServer.c ../src/MQTTPacket.c ../src/MQTTSerializePublish.c ../src/MQTTDeserializePublish.c ../src/MQTTSubscribeServer.c ../src/MQTTSubscribeClient.c ../src/MQTTUnsubscribeServer.c ../src/MQTTUnsubscribeClient.c
  4. Then execute it; you should be able to see the output from AddressSanitizer indicating that there is a buffer overflow.

Environment:
Linux 5.11.0-40-generic #44~20.04.2-Ubuntu SMP Tue Oct 26 18:07:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc: gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0

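The following is an added illustration of the check the report says is missing, written for this page rather than taken from the project or from the attached poc.c: a simplified SUBSCRIBE payload parser that stops as soon as the packet declares more (topic filter, requested QoS) pairs than the caller's arrays can hold, instead of writing past `topicFilters` and `requestedQoSs`. The type `LenString`, the functions `read_len_string`, `deserialize_subscribe_payload` and `accepted_count`, the `MAX_FILTERS` constant and the sample payloads are all assumptions constructed for the example, not identifiers from the library.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the library's length-prefixed string type (assumed, not the real MQTTString). */
typedef struct {
    const unsigned char *data;  /* points into the packet buffer, nothing is copied */
    size_t len;
} LenString;

/* Read a 2-byte big-endian length prefix and the bytes it announces.
 * Returns 1 on success; 0 if the prefix or the announced bytes would run past 'end'. */
static int read_len_string(LenString *out, const unsigned char **cur, const unsigned char *end)
{
    if (end - *cur < 2)
        return 0;
    size_t len = ((size_t)(*cur)[0] << 8) | (*cur)[1];
    *cur += 2;
    if ((size_t)(end - *cur) < len)
        return 0;
    out->data = *cur;
    out->len = len;
    *cur += len;
    return 1;
}

/* Parse a SUBSCRIBE payload: repeated (topic filter, requested-QoS byte) pairs.
 * At most 'maxcount' entries are written into the caller's arrays; a packet that
 * carries more is rejected with -1 before any out-of-bounds write can happen. */
int deserialize_subscribe_payload(int maxcount, int *count,
                                  LenString topicFilters[], int requestedQoSs[],
                                  const unsigned char *buf, size_t buflen)
{
    const unsigned char *cur = buf, *end = buf + buflen;
    *count = 0;
    while (cur < end) {
        if (*count >= maxcount)
            return -1;                 /* arrays are full: stop before writing past them */
        LenString tf;
        if (!read_len_string(&tf, &cur, end))
            return -1;                 /* truncated topic filter */
        if (cur >= end)
            return -1;                 /* no byte left for the requested QoS */
        int qos = *cur++;
        if (qos > 2)
            return -1;                 /* MQTT 3.1.1 permits only QoS 0, 1 or 2 here */
        topicFilters[*count] = tf;
        requestedQoSs[*count] = qos;
        (*count)++;
    }
    return *count > 0 ? 0 : -1;        /* a SUBSCRIBE must carry at least one filter */
}

#define MAX_FILTERS 2  /* room the caller provides in the demo below */

/* Constructed sample payloads (fixed header and packet id already stripped). */
static const unsigned char GOOD[]      = {0x00,0x03,'a','/','b',0x01,  0x00,0x01,'c',0x00};
static const unsigned char TOO_MANY[]  = {0x00,0x01,'a',0x00,  0x00,0x01,'b',0x00,  0x00,0x01,'c',0x00};
static const unsigned char TRUNCATED[] = {0x00,0x0A,'x'};  /* claims 10 bytes, carries 1 */

/* Parse into arrays sized MAX_FILTERS; return the number of accepted entries, or -1 if rejected. */
int accepted_count(const unsigned char *payload, size_t len)
{
    LenString filters[MAX_FILTERS];
    int qos[MAX_FILTERS];
    int n = 0;
    if (deserialize_subscribe_payload(MAX_FILTERS, &n, filters, qos, payload, len) != 0)
        return -1;
    return n;
}

int good_count(void)      { return accepted_count(GOOD, sizeof GOOD); }
int too_many_count(void)  { return accepted_count(TOO_MANY, sizeof TOO_MANY); }
int truncated_count(void) { return accepted_count(TRUNCATED, sizeof TRUNCATED); }

/* Confirm the well-formed payload decodes to ("a/b", QoS 1) and ("c", QoS 0). */
int good_entries_ok(void)
{
    LenString filters[MAX_FILTERS];
    int qos[MAX_FILTERS];
    int n = 0;
    if (deserialize_subscribe_payload(MAX_FILTERS, &n, filters, qos, GOOD, sizeof GOOD) != 0)
        return 0;
    return n == 2 && filters[0].len == 3 && memcmp(filters[0].data, "a/b", 3) == 0 && qos[0] == 1
           && filters[1].len == 1 && filters[1].data[0] == 'c' && qos[1] == 0;
}

int main(void)
{
    printf("well-formed: %d entries accepted\n", good_count());
    printf("three filters, room for two: %d (rejected)\n", too_many_count());
    printf("truncated filter: %d (rejected)\n", truncated_count());
    return 0;
}
```

The `*count >= maxcount` test sits at the top of the loop so that it runs before either array is touched; a check placed after the increment would already have written one entry too many. Rejecting the packet, rather than silently dropping the surplus filters, also keeps the broker's view of the subscription consistent with what it acknowledges.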
icraggs added a commit that referenced this issue Jun 6, 2023
@icraggs icraggs added this to the 1.2 milestone Jul 26, 2023
pat1 added a commit to r-map/rmap that referenced this issue Feb 24, 2024
Ryan-CW-Code added a commit to Ryan-CW-Code/RyanMqtt that referenced this issue Jun 4, 2024