MQTT-C

Insufficient validation of PUBLISH message

Open snej opened this issue 2 years ago • 2 comments

There's some missing packet-length validation in the PUBLISH packet handler, mqtt_unpack_publish_response. This makes the library vulnerable to a bad PUBLISH packet with an overly-long topic name. The library could definitely be made to read garbage past the end of a buffer, and possibly crash.

The bug is that the remaining packet length (mqtt_response->fixed_header.remaining_length) is only checked once, to ensure it's 4 bytes long. There is no check that the packet is large enough to hold the topic name and packet ID.

snej avatar Oct 06 '21 22:10 snej
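As an added example (not MQTT-C's own code), the variable-header parse for a PUBLISH packet with the two length checks the report says are missing: the topic name and, for QoS 1/2, the packet ID must fit inside `remaining_length`. Struct and function names are hypothetical, and it assumes the caller has already confirmed the buffer really holds `remaining_length` bytes.

```c
/* Added example: bounds-checked parse of an MQTT 3.1.1 PUBLISH variable
 * header. Hypothetical names; not taken from MQTT-C. The caller must have
 * verified that buf holds at least remaining_length readable bytes. */
#include <stddef.h>
#include <stdint.h>

struct publish_hdr {
    const uint8_t *topic;   /* points into the input buffer, not copied */
    uint16_t topic_len;
    uint16_t packet_id;     /* 0 for QoS 0, which carries no packet ID */
};

/* Returns the number of variable-header bytes consumed, or -1 when the
 * declared topic length or the packet ID would run past remaining_length. */
int parse_publish_hdr(const uint8_t *buf, size_t remaining_length,
                      unsigned qos, struct publish_hdr *out)
{
    size_t off = 0;

    /* two-byte big-endian topic length prefix must itself be present */
    if (remaining_length < 2)
        return -1;
    uint16_t topic_len = (uint16_t)((buf[0] << 8) | buf[1]);
    off = 2;

    /* the topic name must lie entirely inside the declared packet */
    if (topic_len > remaining_length - off)
        return -1;
    out->topic = buf + off;
    out->topic_len = topic_len;
    off += topic_len;

    out->packet_id = 0;
    if (qos > 0) {
        /* packet identifier is present only for QoS 1 and 2 */
        if (remaining_length - off < 2)
            return -1;
        out->packet_id = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        off += 2;
    }
    return (int)off;
}
```

A remaining length of exactly 4 passes a single "at least 4 bytes" check, yet with a 2-byte topic and QoS 1 it leaves no room for the packet ID; the second check above catches that case.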

@snej Thanks for pointing this out. Would you be able to submit a PR?

LiamBindle avatar Oct 06 '21 22:10 LiamBindle

Sorry, I'm not actually using the library, I was reading through the code to see how it worked.

snej avatar Oct 08 '21 18:10 snej