
Potential OOB Writes in eclipse/paho.mqtt.embedded-c

Open · icraggs opened this issue 1 year ago · 0 comments

Raised first here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=577965

Created attachment 287734 [details] poc.c

Project and Version: eclipse/paho.mqtt.embedded-c, latest master branch (commit 29ab2aa29c5e47794284376d7f8386cfd54c3eed)

Location: MQTTPacket/src/MQTTSubscribeServer.c:MQTTDeserialize_subscribe()

Description: In MQTTDeserialize_subscribe(), the index is not checked when writing into the array topicFilters and requestedQoSs: the maximum length (stored in maxcount) of these two buffers is not even checked by the function, which may lead to OOB writes of any length when processing a malformed packet.

Steps to Reproduce:

  1. Download attached poc.c
  2. Place it under MQTTPacket/test/
  3. Compile with: gcc -fsanitize=address -Wall poc.c -o poc -I../src ../src/MQTTConnectClient.c ../src/MQTTConnectServer.c ../src/MQTTPacket.c ../src/MQTTSerializePublish.c ../src/MQTTDeserializePublish.c ../src/MQTTSubscribeServer.c ../src/MQTTSubscribeClient.c ../src/MQTTUnsubscribeServer.c ../src/MQTTUnsubscribeClient.c
  4. Then execute it, you should be able to see the output from AddressSanitizer indicating that there is a buffer overflow.

Environment: Linux 5.11.0-40-generic #44~20.04.2-Ubuntu SMP Tue Oct 26 18:07:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux gcc: gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0

icraggs, Jun 06 '23 14:06
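For illustration of the check the report says is missing, here is a bounds-checked parser for the SUBSCRIBE payload. It is added example code, not the project's MQTTDeserialize_subscribe(): the TopicRef type, the SUB_* return codes and the sample payload are assumptions of this example, and the parser refuses to write past maxcount instead of spilling into the caller's arrays.

```c
#include <stddef.h>

#define SUB_OK             0   /* return codes: names assumed for this example */
#define SUB_ERR_TRUNCATED -1
#define SUB_ERR_TOO_MANY  -2
#define SUB_ERR_BAD_QOS   -3

typedef struct { const unsigned char *data; size_t len; } TopicRef;
/* Parse the payload of an MQTT 3.1.1 SUBSCRIBE packet (after the packet id):
 * repeated (2-byte length, filter bytes, 1-byte QoS) entries. Every write into
 * topicFilters[]/requestedQoSs[] is guarded by maxcount; every read by buflen. */
int parse_subscribe_payload(const unsigned char *buf, size_t buflen, int maxcount,
                            int *count, TopicRef topicFilters[], int requestedQoSs[])
{
    size_t pos = 0;
    *count = 0;
    while (pos < buflen) {
        if (*count >= maxcount)          /* caller's arrays are full: stop, do not spill */
            return SUB_ERR_TOO_MANY;
        if (buflen - pos < 2)            /* length prefix must be present */
            return SUB_ERR_TRUNCATED;
        size_t tlen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        pos += 2;
        if (buflen - pos < tlen + 1)     /* filter bytes plus the QoS byte must fit */
            return SUB_ERR_TRUNCATED;
        unsigned char qos = buf[pos + tlen];
        if (qos > 2)                     /* MQTT 3.1.1 permits only QoS 0..2 */
            return SUB_ERR_BAD_QOS;
        topicFilters[*count].data = buf + pos;
        topicFilters[*count].len  = tlen;
        requestedQoSs[*count]     = qos;
        pos += tlen + 1;
        (*count)++;
    }
    return SUB_OK;
}

/* Constructed sample payload: "a/b" at QoS 1, then "c" at QoS 0 (10 bytes). */
static const unsigned char sample[] = {0x00,0x03,'a','/','b',0x01, 0x00,0x01,'c',0x00};

/* Parse the first buflen bytes of the sample into arrays holding `room` entries.
 * Returns the entry count on success, otherwise the negative error code. */
int parse_sample(int room, size_t buflen)
{
    TopicRef filters[2]; int qoss[2], n = 0;
    if (room > 2) room = 2;              /* never advertise more room than the arrays have */
    int rc = parse_subscribe_payload(sample, buflen, room, &n, filters, qoss);
    return rc == SUB_OK ? n : rc;
}
```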