eclipse / mosquitto

Eclipse Mosquitto - An open source MQTT broker
https://mosquitto.org

Some protocol violations or bugs in Mosquitto #3052

Open songxpu opened 1 month ago

songxpu commented 1 month ago

Hi, I have found some protocol specification violations in Mosquitto, attached below are the details.

The version of Mosquitto: version 2.0.18
The version of the Operating System: Ubuntu 24.04

songxpu commented 1 month ago

According to the specification of MQTTv5.0:

[MQTT-3.10.3-2]
The Payload of an UNSUBSCRIBE packet MUST contain at least one Topic Filter.

But if we send such a packet that contains no topic filter to the broker:

echo 107e00064d514973647003cc8b8600145542463562636f6939375765546c694c37564c4600086748627239437a680018576c58416432686a6469616536334966415737594d586c72001a77654e4f376d3248774d6234566552526f586e6b47426e705871001a3858646b6d335a34634a486c594866347468676b6a63544c5a383224000e58564b6c7a7832493347677a7151b60131776e317a5947313132494355356e596468a2027890 | xxd -p -r | nc 172.17.0.7 1883

Mosquitto unexpectedly returned a response message instead of rejecting or breaking the connection.

songxpu commented 1 month ago

According to the specification of MQTTv5.0:

[MQTT-3.8.3-2]
The Payload MUST contain at least one Topic Filter and Subscription Options pair

Similarly, we send a Subscribe message that does not contain any topic filters:

echo 103c00064d514973647003c21226001455794367394a7632646146646941386f4e70553300016f0015326b364f5478555630374f44655547387a5a37666aa25f68ac001c644862384e33363353484870594e70546572364d4957397144555079000f7172794d62366d32707063794d774b00116c6d3455366f746e72716a466343416254001954684d4c506c30413942696135336645384a3635536f42705782024000 | xxd -p -r | nc 172.17.0.7 1883


songxpu commented 1 month ago

According to the specification of MQTTv5.0:

[MQTT-3.3.4-6]
A PUBLISH packet sent from a Client to a Server MUST NOT contain a Subscription Identifier.

Send such a packet:

echo 106100044d5154540540b3b037119afb60e317001901215c5326000f766e72366d4541644d78553c44327800173049574d36324268715a6179524b5a62536749534a31360013317675535434755733374e64397846585a38570008676235716d5836363554000841684b3146454962f71a16010109000c79a506aff5eef39ed5210cd60bba849b523155596942337761334c376e765936573739413862666a46414e4e3172647544345773415778724a6667386d3258653363 | xxd -p -r | nc 172.17.0.7 1883

Such a request was expected to be denied, but Mosquitto received it.
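The three rules cited in this thread ([MQTT-3.10.3-2], [MQTT-3.8.3-2], [MQTT-3.3.4-6]), as an added example that is not part of the original issue and is not Mosquitto's code: a minimal Python check of one client-to-server MQTT v5.0 packet. The function names and sample packets are constructed for illustration, and only the properties valid in PUBLISH are handled.

```python
# Added example, not Mosquitto code. SAMPLES are constructed, not the issue's captures.
SUBSCRIBE, UNSUBSCRIBE, PUBLISH = 8, 10, 3       # control packet types
SUBSCRIPTION_IDENTIFIER = 0x0B                   # property identifier
FIXED = {0x01: 1, 0x23: 2, 0x02: 4}              # PUBLISH properties: fixed value size
PREFIXED = {0x03: 1, 0x08: 1, 0x09: 1, 0x26: 2}  # PUBLISH properties: length-prefixed fields
SAMPLES = {"unsubscribe_empty": "a203000100", "subscribe_empty": "8203000100",
           "subscribe_ok": "82090001000003612f6200",
           "publish_subid": "30090003612f62020b0178", "publish_ok": "30070003612f620078"}

def read_varint(buf, pos):
    """Decode a Variable Byte Integer, returning (value, next_pos); raises if malformed."""
    value = 0
    for i in range(4):
        value |= (buf[pos + i] & 0x7F) << (7 * i)   # IndexError if truncated
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    raise ValueError("variable byte integer longer than 4 bytes")

def has_subscription_identifier(props):
    """Walk a PUBLISH property block looking for a Subscription Identifier."""
    pos = 0
    while pos < len(props):
        pid, pos = props[pos], pos + 1
        if pid == SUBSCRIPTION_IDENTIFIER:
            return True
        if pid not in FIXED and pid not in PREFIXED:
            raise ValueError(f"property 0x{pid:02x} is not valid in PUBLISH")
        pos += FIXED.get(pid, 0)
        for _ in range(PREFIXED.get(pid, 0)):       # each field: 2-byte length + data
            pos += 2 + int.from_bytes(props[pos:pos + 2], "big")
    return False

def violated_rule(packet):
    """Return the id of the rule one client-to-server packet breaks, or None."""
    ptype, flags = packet[0] >> 4, packet[0] & 0x0F
    remaining, start = read_varint(packet, 1)
    body = packet[start:start + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    if ptype in (SUBSCRIBE, UNSUBSCRIBE):
        prop_len, pos = read_varint(body, 2)        # skip the 2-byte Packet Identifier
        if pos + prop_len >= len(body):             # no bytes left for a Topic Filter
            return "MQTT-3.8.3-2" if ptype == SUBSCRIBE else "MQTT-3.10.3-2"
    elif ptype == PUBLISH:
        pos = 2 + int.from_bytes(body[:2], "big")   # skip the Topic Name
        pos += 2 if flags & 0x06 else 0             # QoS 1 or 2 adds a Packet Identifier
        prop_len, pos = read_varint(body, pos)
        if has_subscription_identifier(body[pos:pos + prop_len]):
            return "MQTT-3.3.4-6"
    return None
```

Calling `violated_rule(bytes.fromhex(SAMPLES["subscribe_empty"]))` returns the rule id; a receiver that gets a non-`None` result treats the packet as a protocol error rather than answering it.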