Open GANGE666 opened 2 years ago
Is this fixed in any forks? It's a little disturbing this has sat around since February not even acknowledged.
For all we know this could have been actively exploited for the last 8+ months without even a "We'll look into it".
Does anyone have any recommendations for an alternative library for embedded microcontrollers that is, in fact, maintained?
Happy to accept a PR fixing this. I maintain this repo casually and I'm not paid; MQTT-C in its current form is stable and pretty widely used. It looks like the author described how to fix the problem---not sure why this wasn't submitted as a PR, but I'm happy to merge a fix.
Overview
An issue was discovered in MQTT-C through 1.1.5. The MQTT input data processing function mqtt_unpack_publish_response in mqtt.c does not validate the length of the incoming topic_name_size, which leads to an out-of-bounds read during subsequent processing of the input data. This could also lead to an integer overflow when calculating the remaining length of the incoming response, eventually causing Denial-of-Service or an information leak, even remote code execution.

Description
In mqtt_unpack_publish_response, topic_name_size is unpacked from the input data directly (Line 1352). Then the buf pointer is advanced by topic_name_size without checking whether it exceeds the range of buf, which leads to a buffer overflow (Line 1355). And if an attacker provides a topic_name_size bigger than remaining_length, this could lead to an integer overflow (Line 1365 and Line 1367).
https://github.com/LiamBindle/MQTT-C/blob/be12c343ac5b7125d5e15cb9ab2d743de7f4fab4/src/mqtt.c#L1332-L1373

Impact
Denial-of-Service or an information leak, even remote code execution.
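The length check the report says is missing, as an added example that is not MQTT-C's own code: a hypothetical unpack_publish_topic (function name, status codes and result struct are assumptions) reads the two-byte topic length from a PUBLISH variable header and rejects any topic_name_size that would step past remaining_length or past the bytes actually received, comparing before it subtracts so the arithmetic cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical status codes and result struct; not MQTT-C's own API. */
enum parse_status { PARSE_OK = 0, PARSE_ERR_SHORT = -1, PARSE_ERR_BAD_LEN = -2 };

struct publish_topic {
    const uint8_t *topic;  /* points into the caller's buffer */
    size_t topic_len;
    size_t consumed;       /* variable-header bytes consumed so far */
};

/* Parse the topic name at the start of a PUBLISH variable header.
 * buf: first byte after the fixed header; buf_len: bytes actually received;
 * remaining_length: the value decoded from the fixed header.
 * Every length is validated before it moves the cursor or feeds arithmetic. */
enum parse_status unpack_publish_topic(const uint8_t *buf, size_t buf_len,
                                       size_t remaining_length,
                                       struct publish_topic *out)
{
    /* the advertised remaining length must fit in what was received */
    if (remaining_length > buf_len) return PARSE_ERR_SHORT;
    /* the 2-byte topic length prefix must itself be present */
    if (remaining_length < 2) return PARSE_ERR_BAD_LEN;
    size_t topic_name_size = ((size_t)buf[0] << 8) | buf[1];
    /* compare before subtracting: remaining_length - 2 - topic_name_size
     * would silently wrap for an oversized topic_name_size */
    if (topic_name_size > remaining_length - 2) return PARSE_ERR_BAD_LEN;
    out->topic = buf + 2;
    out->topic_len = topic_name_size;
    out->consumed = 2 + topic_name_size;
    return PARSE_OK;
}

/* Runs the parser over constructed packets; returns 1 if every check behaves. */
int self_check(void)
{
    /* constructed: topic length 3, topic "a/b", then a 2-byte packet id */
    static const uint8_t good[] = {0x00, 0x03, 'a', '/', 'b', 0x00, 0x01};
    /* constructed: same bytes, but the prefix claims a 65535-byte topic */
    static const uint8_t bad[] = {0xFF, 0xFF, 'a', '/', 'b', 0x00, 0x01};
    struct publish_topic t;
    if (unpack_publish_topic(good, sizeof good, sizeof good, &t) != PARSE_OK) return 0;
    if (t.topic_len != 3 || t.consumed != 5 || memcmp(t.topic, "a/b", 3) != 0) return 0;
    if (unpack_publish_topic(bad, sizeof bad, sizeof bad, &t) != PARSE_ERR_BAD_LEN) return 0;
    if (unpack_publish_topic(good, sizeof good, 64, &t) != PARSE_ERR_SHORT) return 0;
    return 1;
}
```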