eclipse-paho / paho.mqtt.c

An Eclipse Paho C client library for MQTT for Windows, Linux and MacOS. API documentation: https://eclipse.github.io/paho.mqtt.c/
https://eclipse.org/paho

NULL pointer passed to memcpy in Socket.c #1356

Closed ddassie-texa closed 1 year ago

ddassie-texa commented 1 year ago

Describe the bug
When a client is forcefully disconnected from the server (kicked), a NULL pointer is passed to a memcpy call:

./src/Socket.c:528:3: runtime error: null pointer passed as argument 2, which is declared to never be null
pc_0x7ffff6d5b387###func_Socket_getReadySocket###file_./src/Socket.c###line_528###obj_(libpaho-mqtt3as.so.1+0x15b387)
pc_0x7ffff6e022ae###func_MQTTAsync_cycle###file_./src/MQTTAsyncUtils.c###line_3052###obj_(libpaho-mqtt3as.so.1+0x2022ae)
pc_0x7ffff6dece73###func_MQTTAsync_receiveThread###file_./src/MQTTAsyncUtils.c###line_2020###obj_(libpaho-mqtt3as.so.1+0x1ece73)
pc_0x7ffff6490401###func_start_thread###file_nptl/pthread_create.c###line_442###obj_(libc.so.6+0x90401)
pc_0x7ffff651f58f###func_clone3###file_../sysdeps/unix/sysv/linux/x86_64/clone3.S###line_81###obj_(libc.so.6+0x11f58f)

./src/Socket.c:529:3: runtime error: null pointer passed as argument 2, which is declared to never be null
pc_0x7ffff6d5b3e2###func_Socket_getReadySocket###file_./src/Socket.c###line_529###obj_(libpaho-mqtt3as.so.1+0x15b3e2)
pc_0x7ffff6e022ae###func_MQTTAsync_cycle###file_./src/MQTTAsyncUtils.c###line_3052###obj_(libpaho-mqtt3as.so.1+0x2022ae)
pc_0x7ffff6dece73###func_MQTTAsync_receiveThread###file_./src/MQTTAsyncUtils.c###line_2020###obj_(libpaho-mqtt3as.so.1+0x1ece73)
pc_0x7ffff6490401###func_start_thread###file_nptl/pthread_create.c###line_442###obj_(libc.so.6+0x90401)
pc_0x7ffff651f58f###func_clone3###file_../sysdeps/unix/sysv/linux/x86_64/clone3.S###line_81###obj_(libc.so.6+0x11f58f)

To Reproduce
Connect to an MQTT server via websockets, then kick the client from it.

Log files
Log.txt

Environment

icraggs commented 1 year ago

The log shows you using MQTT version 5 and sending a DISCONNECT packet with code 152. I did this with the paho_c_pub sample and it worked:

Trace : 4, 19700101 010000.000 Connecting to serverURI localhost:1883 with MQTT version 5
Trace : 4, 19700101 010000.000 WebSocket connection upgraded
Trace : 4, 19700101 010000.000 3 paho-c-pub -> CONNECT version 5 clean: 0 (0)
Trace : 4, 19700101 010000.000 3 paho-c-pub <- CONNACK rc: 0
adasd
Trace : 4, 19700101 010000.000 3 paho-c-pub -> PUBLISH qos: 0 retained: 0 rc: 0 payload len(6): adasd
Trace : 4, 19700101 010000.000 3 paho-c-pub <- DISCONNECT (152)
Trace : 4, 19700101 010000.000 Connecting to serverURI localhost:1883 with MQTT version 5
Trace : 4, 19700101 010000.000 WebSocket connection upgraded
Trace : 4, 19700101 010000.000 3 paho-c-pub -> CONNECT version 5 clean: 0 (0)
Trace : 3, =========================================================
Trace : 3,                    Trace Output
Trace : 3, Product name: Eclipse Paho Asynchronous MQTT C Client Library
Trace : 3, Version: 1.3.12
Trace : 3, Build level: 2023-05-12T16:14:29Z
Trace : 3, OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
Trace : 3, OpenSSL flags: compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-M0kolw/openssl-3.0.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
Trace : 3, OpenSSL build timestamp: built on: Mon Apr 17 18:12:58 2023 UTC
Trace : 3, OpenSSL platform: platform: debian-amd64
Trace : 3, OpenSSL directory: OPENSSLDIR: "/usr/lib/ssl"
Trace : 3, /proc/version: Linux version 5.19.0-41-generic (buildd@lcy02-amd64-045) (x86_64-linux-gnu-gcc (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2

Other factors at play? You used a proxy, so does it need to have that? What processor architecture? Linux version?

There are several fixes in the develop branch which could affect this, if you want to try that out and see if there is any difference.

ddassie-texa commented 1 year ago

Other factors at play? You used a proxy, so does it need to have that? What processor architecture? Linux version?

The proxy could have something to do with it; I will do a test on a different network to test without it.
Paho Version: 1.3.12
OS Version: Ubuntu 22.10
OS Arch: x86_64
Compiler:

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/12/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 12.2.0-3ubuntu1' --with-bugurl=file:///usr/share/doc/gcc-12/README.Bugs --enable-languages=c,ada,c++,go,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-12 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-12-U8K4Qv/gcc-12-12.2.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-12-U8K4Qv/gcc-12-12.2.0/debian/tmp-gcn/usr --enable-offload-defaulted --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.2.0 (Ubuntu 12.2.0-3ubuntu1)

Compilation flags:

CFLAGS="-fsanitize=address,leak,undefined"
LDFLAGS="-fsanitize=address,leak,undefined"

Update: I can reproduce it by compiling with the above flags and just running:

$> ./paho_c_pub -t "Test" -c "localhost:1883"
paho.mqtt.c/src/Socket.c:528:3: runtime error: null pointer passed as argument 2, which is declared to never be null
paho.mqtt.c/src/Socket.c:529:3: runtime error: null pointer passed as argument 2, which is declared to never be null

Update 2: I tested with the develop branch and it gives the same results.
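The diagnostic quoted in this thread comes from UBSan's nonnull-attribute check: glibc declares memcpy's pointer parameters non-null, so passing NULL is undefined behaviour even when the length is 0 and the copy would do nothing at runtime. The following is an added example, not code from paho.mqtt.c and not written by anyone in this thread: a constructed receive-buffer appender in the shape that triggers the report, beside a guarded form, with a driver that feeds both the NULL/0 read a forced disconnect produces. All names (recv_buf, buf_append_unchecked, buf_append_checked, run_receive_loop) and the sample chunks are invented for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not paho.mqtt.c code): a fixed-size receive buffer
 * that appends the chunks a read routine hands to it. */
typedef struct {
    unsigned char data[64];
    size_t len;
} recv_buf;

/* "Before": copies unconditionally. When the caller passes chunk == NULL
 * with n == 0 (the shape a read returns once the peer has dropped the
 * connection) this is undefined behaviour: memcpy's pointer parameters are
 * declared non-null, so -fsanitize=undefined (nonnull-attribute) reports
 * "null pointer passed as argument 2, which is declared to never be null". */
int buf_append_unchecked(recv_buf *b, const unsigned char *chunk, size_t n)
{
    if (b->len + n > sizeof b->data)
        return -1;
    memcpy(b->data + b->len, chunk, n);   /* UB if chunk == NULL, even for n == 0 */
    b->len += n;
    return 0;
}

/* "After": never call memcpy when there is nothing to copy, and treat a
 * NULL chunk with a non-zero length as a caller bug instead of a wild read. */
int buf_append_checked(recv_buf *b, const unsigned char *chunk, size_t n)
{
    if (n == 0)
        return 0;           /* nothing to copy: do not touch chunk at all */
    if (chunk == NULL)
        return -1;          /* length without data is an error, not UB */
    if (b->len + n > sizeof b->data)
        return -1;
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

typedef int (*append_fn)(recv_buf *, const unsigned char *, size_t);

/* Drives an appender with constructed sample reads: two data chunks, then
 * the NULL/0 read that models a forced disconnect. Returns the number of
 * bytes buffered, or -1 if the appender rejected a read. */
long run_receive_loop(append_fn append)
{
    static const unsigned char c1[] = "hello";    /* constructed sample data */
    static const unsigned char c2[] = " world";
    const unsigned char *chunks[] = { c1, c2, NULL };
    const size_t lens[] = { 5, 6, 0 };
    recv_buf b = { {0}, 0 };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        if (append(&b, chunks[i], lens[i]) != 0)
            return -1;
    return (long)b.len;
}

/* Returns 1 if the checked appender refuses a NULL chunk with n > 0 and
 * leaves the buffer untouched. */
int checked_rejects_null_with_length(void)
{
    recv_buf b = { {0}, 0 };
    return buf_append_checked(&b, NULL, 3) == -1 && b.len == 0;
}

int main(void)
{
    /* Build with: gcc -g -fsanitize=undefined demo.c && ./a.out
     * The first loop prints the UBSan diagnostic; the second is silent. */
    printf("unchecked: %ld bytes\n", run_receive_loop(buf_append_unchecked));
    printf("checked:   %ld bytes\n", run_receive_loop(buf_append_checked));
    return 0;
}
```

Built with the reporter's flags (-fsanitize=undefined alone is enough), the unchecked loop emits the same "null pointer passed as argument 2" line; the checked loop is silent and buffers the same 11 bytes. The practical risk beyond the diagnostic is that, once a pointer has been passed to a parameter declared non-null, the compiler may treat it as provably non-null and drop any later `if (chunk == NULL)` test in the same function, so the guard has to run before the memcpy, as it does here.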

icraggs commented 1 year ago

Ah, I see. I've added a fix to develop and 1.4 branches. Thanks.