RIOT icon indicating copy to clipboard operation
RIOT copied to clipboard
verified publisher icon RIOT-OS

asymcute: Compare request message type when matching acknowledgement

Open nmeum opened this issue 3 years ago • 1 comments

Contribution description

Currently, asymcute matches an MQTT-SN request to its acknowledgement using only the MsgId header. However, I strongly believe this to be insufficient as asymcute would thus also match a SUBACK to a prior PUBLISH request (for example) as long as the message ID matches. If this happens (e.g. because of a malicious MQTT-SN broker) then this can trigger various bugs in asymcute, e.g. due to incorrect casts of the req->arg void* pointer. To address this issue, this commit modifies _req_preprocess to also compare the request message type in addition to the message id.

Testing procedure

I haven't tested my fix extensively yet but existing tests should continue to work. Unfortunately, it also a bit difficult to provide a simple test setup for triggering this edge case.

Issues/PRs references

None.

nmeum avatar Aug 10 '22 15:08 nmeum

ACK. Code change looks good, reasoning makes sense, and I trust your testing.

FYI: I found this with SymEx-VP so I haven't done any tests with a particular MQTT-SN broker implementation (yet).

nmeum avatar Aug 10 '22 15:08 nmeum

OK, I guess I should test it prior hitting the merge button just to be sure, then. :)

maribu avatar Aug 10 '22 16:08 maribu

:exclamation: This may cause a semantic merge conflict with https://github.com/RIOT-OS/RIOT/pull/18433, once that is merged: _get_len() gains another parameter, so only trust Murdock if it has successfully build both with either of one in master (and check if the master Murdock used includes the other PR).

miri64 avatar Aug 10 '22 16:08 miri64

@nmeum can you please provide a backport to the 2022.07 branch, e.g. by using the dist/tools/backport_pr/backport_pr.py script

miri64 avatar Aug 12 '22 09:08 miri64