
Two bugs in tinyMQTT

Open peter-pe opened this issue 6 months ago • 0 comments

Hi, JustDoIt0910! I found two bugs in tinyMQTT.

Memory-Leak in tinymqtt

Describe the Bug

TinyMQTT’s parse_subscribe_packet does not validate that topic filters are well-formed UTF-8 strings per MQTT v3.1.1 [MQTT-3.8.3-1]. Instead, it reads and stores arbitrary bytes as topic filters, which can lead to unbounded memory growth if an attacker repeatedly sends malformed SUBSCRIBE packets.

Actual Behavior

Because there is no UTF-8 validation or rejection of invalid strings, an attacker can send arbitrarily large or malformed filter payloads in a tight loop. Over time, the broker will allocate memory for each new filter and never free it—resulting in a memory leak and potential crash under sustained load.

Environment Details

1. tinymqtt version: commit 6226ade15bd4f97be2d196352e64dd10937c1962

2. Operating system and version: Kali GNU/Linux Rolling 2023.4

Trigger and Crash

Running TinyMQTT with valgrind: run the PoC and observe the server receiving status. Finally, a memory leak is found.

Memory-Leak_Poc.txt

Resource Exhaustion in tinymqtt

Describe the Bug

TinyMQTT fails to close client connections after sending a CONNACK with return code 0x02 (Identifier Rejected) when a zero-length ClientId and CleanSession=0 are used, violating the MQTT v3.1.1 requirement to close the connection. This allows an attacker to open numerous "half-open" sessions and exhaust server resources.

Actual Behavior

However, in tinyMQTT’s parse_connect_packet function, after detecting a zero-length ClientId with CleanSession=0, the broker sends a CONNACK(0x02) but does not explicitly close the TCP connection. The function then returns a protocol error code, but there is no guarantee that the connection teardown logic is invoked. As a result, each rejected CONNECT remains as an open socket on the server side, consuming file descriptors and memory. Under sustained attack, these “half-open” connections accumulate until the broker exhausts its available resources and becomes unresponsive or is killed by the operating system.

Environment Details

1. tinymqtt version: commit 6226ade15bd4f97be2d196352e64dd10937c1962

2. Operating system and version: Kali GNU/Linux Rolling 2023.4

Trigger and Crash

Run TinyMQTT: When running this script, the server can handle it at first, but as the number of illegal connections increases, the server resources are exhausted and no more connections can be made.

Resource_Exhaustion_Poc.txt

peter-pe · Jul 14 '25 02:07
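As an added example (my code, not tinyMQTT's), a strict MQTT v3.1.1 section 1.5.3 UTF-8 string check of the kind the first report says parse_subscribe_packet lacks: a broker would run it on each topic filter before allocating and storing the filter, and treat a failure as a protocol violation. The function names are mine.

```c
/* Example code, not part of tinyMQTT. Validates MQTT UTF-8 strings per
 * MQTT v3.1.1 [MQTT-1.5.3-1]/[MQTT-1.5.3-2], as [MQTT-3.8.3-1] requires
 * for every topic filter in a SUBSCRIBE payload. */
#include <stddef.h>
#include <stdint.h>

/* Decode one UTF-8 sequence at s[0]; return its byte length, or 0 when
 * the bytes are malformed (stray continuation, truncated, overlong,
 * surrogate, or above U+10FFFF). The code point is written to *cp. */
static size_t utf8_decode_one(const uint8_t *s, size_t avail, uint32_t *cp)
{
    uint32_t c = s[0], min;
    size_t n;
    if (c < 0x80) { *cp = c; return 1; }
    if ((c & 0xE0) == 0xC0)      { n = 2; c &= 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { n = 3; c &= 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { n = 4; c &= 0x07; min = 0x10000; }
    else return 0;                          /* 10xxxxxx or 0xF8+ lead byte */
    if (avail < n) return 0;                /* truncated sequence */
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min) return 0;                  /* overlong encoding */
    if (c >= 0xD800 && c <= 0xDFFF) return 0; /* UTF-16 surrogate [MQTT-1.5.3-1] */
    if (c > 0x10FFFF) return 0;
    *cp = c;
    return n;
}

/* 1 if s[0..len) is well-formed UTF-8 with no surrogates and no U+0000
 * [MQTT-1.5.3-2]; 0 otherwise. */
int mqtt_utf8_valid(const uint8_t *s, size_t len)
{
    for (size_t i = 0; i < len; ) {
        uint32_t cp;
        size_t n = utf8_decode_one(s + i, len - i, &cp);
        if (n == 0 || cp == 0) return 0;
        i += n;
    }
    return 1;
}

/* A topic filter must also be at least one character long [MQTT-4.7.3-1].
 * A filter failing this check is a protocol violation: reject the SUBSCRIBE
 * and close the connection [MQTT-4.8.0-1] instead of storing the bytes. */
int mqtt_topic_filter_valid(const uint8_t *s, size_t len)
{
    return len >= 1 && mqtt_utf8_valid(s, len);
}
```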