nanomq
Heap use after free in nanomq_cli tls sub
Describe the bug
./nanomq_cli/nanomq_cli sub -h 127.0.0.1 -p 8883 -t "topic3" --cafile ../etc/certs/cacert.pem -s
connect_cb: tls+mqtt-tcp://127.0.0.1:8883 connect result: 0
=================================================================
==2413209==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000017a8c at pc 0x000000481e84 bp 0x7f952a15b130 sp 0x7f952a15b128
disconnected reason : 139
WRITE of size 4 at 0x60f000017a8c thread T20
#0 0x481e83 in nni_atomic_dec_nv /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_atomic.c:120
#1 0x46c519 in nni_msg_free /home/wangha/Documents/nanomq/nng/src/core/message.c:457
#2 0x45a5d2 in nng_msg_free /home/wangha/Documents/nanomq/nng/src/nng.c:1522
#3 0x4b1f79 in nng_mqtt_subscribe /home/wangha/Documents/nanomq/nng/src/supplemental/mqtt/mqtt_public.c:986
#4 0x428af0 in connect_cb /home/wangha/Documents/nanomq/nanomq_cli/client.c:1433
#5 0x47921d in nni_pipe_run_cb /home/wangha/Documents/nanomq/nng/src/core/socket.c:1790
#6 0x478624 in nni_dialer_add_pipe /home/wangha/Documents/nanomq/nng/src/core/socket.c:1589
#7 0x463d77 in dialer_connect_cb /home/wangha/Documents/nanomq/nng/src/core/dialer.c:383
#8 0x47bf6e in nni_taskq_thread /home/wangha/Documents/nanomq/nng/src/core/taskq.c:50
#9 0x47d19f in nni_thr_wrap /home/wangha/Documents/nanomq/nng/src/core/thread.c:94
#10 0x485314 in nni_plat_thr_main /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:266
#11 0x7f95419cd946 in start_thread (/lib64/libc.so.6+0x8c946) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
#12 0x7f9541a5385f in __clone3 (/lib64/libc.so.6+0x11285f) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
0x60f000017a8c is located 124 bytes inside of 168-byte region [0x60f000017a10,0x60f000017ab8)
freed by thread T6 here:
#0 0x7f9542ad7fb8 (/lib64/libasan.so.8+0xd7fb8) (BuildId: 542ad02088f38edfdba9d4bfa465b2299f512d3e)
#1 0x481079 in nni_free /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_alloc.c:33
#2 0x46c605 in nni_msg_free /home/wangha/Documents/nanomq/nng/src/core/message.c:465
#3 0x5a0de0 in mqtts_tcptran_pipe_send_cb /home/wangha/Documents/nanomq/nng/src/mqtt/transport/tls/mqtt_tls.c:515
#4 0x47bf6e in nni_taskq_thread /home/wangha/Documents/nanomq/nng/src/core/taskq.c:50
#5 0x47d19f in nni_thr_wrap /home/wangha/Documents/nanomq/nng/src/core/thread.c:94
#6 0x485314 in nni_plat_thr_main /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:266
#7 0x7f95419cd946 in start_thread (/lib64/libc.so.6+0x8c946) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
previously allocated by thread T20 here:
#0 0x7f9542ad8cc7 in calloc (/lib64/libasan.so.8+0xd8cc7) (BuildId: 542ad02088f38edfdba9d4bfa465b2299f512d3e)
#1 0x481054 in nni_zalloc /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_alloc.c:26
#2 0x46c0dd in nni_msg_alloc /home/wangha/Documents/nanomq/nng/src/core/message.c:387
#3 0x4c8088 in nni_mqtt_msg_alloc /home/wangha/Documents/nanomq/nng/src/supplemental/mqtt/mqtt_msg.c:60
#4 0x4afdfc in nng_mqtt_msg_alloc /home/wangha/Documents/nanomq/nng/src/supplemental/mqtt/mqtt_public.c:20
#5 0x4b1d60 in nng_mqtt_subscribe /home/wangha/Documents/nanomq/nng/src/supplemental/mqtt/mqtt_public.c:966
#6 0x428af0 in connect_cb /home/wangha/Documents/nanomq/nanomq_cli/client.c:1433
#7 0x47921d in nni_pipe_run_cb /home/wangha/Documents/nanomq/nng/src/core/socket.c:1790
#8 0x478624 in nni_dialer_add_pipe /home/wangha/Documents/nanomq/nng/src/core/socket.c:1589
#9 0x463d77 in dialer_connect_cb /home/wangha/Documents/nanomq/nng/src/core/dialer.c:383
#10 0x47bf6e in nni_taskq_thread /home/wangha/Documents/nanomq/nng/src/core/taskq.c:50
#11 0x47d19f in nni_thr_wrap /home/wangha/Documents/nanomq/nng/src/core/thread.c:94
#12 0x485314 in nni_plat_thr_main /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:266
#13 0x7f95419cd946 in start_thread (/lib64/libc.so.6+0x8c946) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
Thread T20 created by T0 here:
#0 0x7f9542a48956 in pthread_create (/lib64/libasan.so.8+0x48956) (BuildId: 542ad02088f38edfdba9d4bfa465b2299f512d3e)
#1 0x48540d in nni_plat_thr_init /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:279
#2 0x47d442 in nni_thr_init /home/wangha/Documents/nanomq/nng/src/core/thread.c:121
#3 0x47c289 in nni_taskq_init /home/wangha/Documents/nanomq/nng/src/core/taskq.c:95
#4 0x47ceab in nni_taskq_sys_init /home/wangha/Documents/nanomq/nng/src/core/taskq.c:276
#5 0x46751f in nni_init_helper /home/wangha/Documents/nanomq/nng/src/core/init.c:35
#6 0x485714 in nni_plat_init /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:422
#7 0x467589 in nni_init /home/wangha/Documents/nanomq/nng/src/core/init.c:57
#8 0x47429b in nni_sock_open /home/wangha/Documents/nanomq/nng/src/core/socket.c:638
#9 0x494023 in nni_proto_open /home/wangha/Documents/nanomq/nng/src/sp/protocol.c:21
#10 0x4f7a35 in nng_mqtt_client_open /home/wangha/Documents/nanomq/nng/src/mqtt/protocol/mqtt/mqtt_client.c:1342
#11 0x4293c9 in create_client /home/wangha/Documents/nanomq/nanomq_cli/client.c:1520
#12 0x42a163 in client /home/wangha/Documents/nanomq/nanomq_cli/client.c:1634
#13 0x42a233 in subscribe_start /home/wangha/Documents/nanomq/nanomq_cli/client.c:1677
#14 0x43ab71 in main /home/wangha/Documents/nanomq/nanomq_cli/main.c:120
#15 0x7f9541968b89 in __libc_start_call_main (/lib64/libc.so.6+0x27b89) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
#16 0x7f9541968c4a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c4a) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
#17 0x41f044 in _start (/home/wangha/Documents/nanomq/build/nanomq_cli/nanomq_cli+0x41f044) (BuildId: a6d43106a8a7c42b83809c7af724cd710c11469e)
Thread T6 created by T0 here:
#0 0x7f9542a48956 in pthread_create (/lib64/libasan.so.8+0x48956) (BuildId: 542ad02088f38edfdba9d4bfa465b2299f512d3e)
#1 0x48540d in nni_plat_thr_init /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:279
#2 0x47d442 in nni_thr_init /home/wangha/Documents/nanomq/nng/src/core/thread.c:121
#3 0x47c289 in nni_taskq_init /home/wangha/Documents/nanomq/nng/src/core/taskq.c:95
#4 0x47ceab in nni_taskq_sys_init /home/wangha/Documents/nanomq/nng/src/core/taskq.c:276
#5 0x46751f in nni_init_helper /home/wangha/Documents/nanomq/nng/src/core/init.c:35
#6 0x485714 in nni_plat_init /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_thread.c:422
#7 0x467589 in nni_init /home/wangha/Documents/nanomq/nng/src/core/init.c:57
#8 0x47429b in nni_sock_open /home/wangha/Documents/nanomq/nng/src/core/socket.c:638
#9 0x494023 in nni_proto_open /home/wangha/Documents/nanomq/nng/src/sp/protocol.c:21
#10 0x4f7a35 in nng_mqtt_client_open /home/wangha/Documents/nanomq/nng/src/mqtt/protocol/mqtt/mqtt_client.c:1342
#11 0x4293c9 in create_client /home/wangha/Documents/nanomq/nanomq_cli/client.c:1520
#12 0x42a163 in client /home/wangha/Documents/nanomq/nanomq_cli/client.c:1634
#13 0x42a233 in subscribe_start /home/wangha/Documents/nanomq/nanomq_cli/client.c:1677
#14 0x43ab71 in main /home/wangha/Documents/nanomq/nanomq_cli/main.c:120
#15 0x7f9541968b89 in __libc_start_call_main (/lib64/libc.so.6+0x27b89) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
#16 0x7f9541968c4a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c4a) (BuildId: f888be5f5e7d58e04cabb8c675c7ab94e77dd68c)
#17 0x41f044 in _start (/home/wangha/Documents/nanomq/build/nanomq_cli/nanomq_cli+0x41f044) (BuildId: a6d43106a8a7c42b83809c7af724cd710c11469e)
SUMMARY: AddressSanitizer: heap-use-after-free /home/wangha/Documents/nanomq/nng/src/platform/posix/posix_atomic.c:120 in nni_atomic_dec_nv
Shadow bytes around the buggy address:
0x60f000017800: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x60f000017880: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x60f000017900: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x60f000017980: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x60f000017a00: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x60f000017a80: fd[fd]fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x60f000017b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000017b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000017c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000017c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000017d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2413209==ABORTING
Expected behavior
No heap use after free.
To Reproduce
Start nanomq.
Then run: ./nanomq_cli/nanomq_cli sub -h 127.0.0.1 -p 8883 -t "topic3" --cafile ../etc/certs/cacert.pem -s
Environment Details
- NanoMQ version: latest
- Operating system and version
- Compiler and language used
- testing scenario
This can only be reproduced in a special case. Add the following code:
+++ b/src/sp/transport/mqtts/broker_tls.c
@@ -642,6 +642,9 @@ tlstran_pipe_recv_cb(void *arg)
}
goto recv_error;
}
+ rv = NNG_EPROTO;
+ log_error("Time to goto error");
+ goto recv_error;
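Review bot: the three added lines after the closing brace in tlstran_pipe_recv_cb are unconditional, so every receive completion on the broker's TLS transport now sets `rv = NNG_EPROTO` and jumps to `recv_error`; this is a fault injection that provokes the client-side use-after-free, not a fix, and must not land on any branch as-is. If it is to be kept around for reproducing the race, gate it behind a build-time flag or a test-only configuration switch so it cannot reach a release build, and give the `log_error("Time to goto error")` message a name that states what is being injected. Note also that the patch as pasted starts at the `+++ b/...` line with no `--- a/...` counterpart, so it will not apply cleanly with git apply; paste the complete diff.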
Fine, the whole life cycle of submsg shall be managed by the SDK.
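The trace above shows the same message released twice: once in the TLS transport's send callback (thread T6, mqtts_tcptran_pipe_send_cb) after the broker-side patch forces the connection into recv_error, and again in nng_mqtt_subscribe (thread T20) on its error path. The following C program is an added example, not nanomq or nng code, that models that ownership error and the rule in the comment above (the message belongs to the SDK once it has been submitted). The names msg_t, transport_send, subscribe_buggy, subscribe_fixed and the quarantine allocator are invented for the demonstration; the allocator keeps freed messages in a quarantine table, in the spirit of ASan, so the second free is counted rather than executed and the program does not crash.

```c
/*
 * Added example (not nanomq/nng code). Models a subscribe helper that
 * allocates a message, hands it to an asynchronous transport whose send
 * callback frees it when the write fails, and then frees it a second time
 * on its own error path. All names below are invented for the demo.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define ERR_PROTO 1              /* stand-in for the transport error code */
#define NSLOTS    8              /* quarantine capacity for this demo */

typedef struct {
    int  refcnt;                 /* nni_msg-style reference count */
    char topic[64];
} msg_t;

/* Debug allocator state: freed messages stay in the table (quarantined) so
 * their address is never recycled and a second free can be recognised. */
static struct { msg_t *ptr; bool freed; } slots[NSLOTS];
static int double_frees;         /* frees of an already-freed message */

static void pool_reset(void) {
    for (int i = 0; i < NSLOTS; i++) {
        free(slots[i].ptr);
        slots[i].ptr = NULL;
        slots[i].freed = false;
    }
    double_frees = 0;
}

static msg_t *msg_alloc(const char *topic) {
    for (int i = 0; i < NSLOTS; i++) {
        if (slots[i].ptr != NULL) continue;
        msg_t *m = calloc(1, sizeof *m);
        if (m == NULL) return NULL;
        m->refcnt = 1;
        snprintf(m->topic, sizeof m->topic, "%s", topic);
        slots[i].ptr = m;
        return m;
    }
    return NULL;                 /* quarantine full */
}

/* Returns 0 on a valid release, -1 on a double free (memory is not touched). */
static int msg_free(msg_t *m) {
    for (int i = 0; i < NSLOTS; i++) {
        if (slots[i].ptr != m) continue;
        if (slots[i].freed) { double_frees++; return -1; }  /* UAF under ASan */
        if (--m->refcnt == 0) slots[i].freed = true;       /* quarantine, no free() */
        return 0;
    }
    return -1;                   /* pointer never came from msg_alloc */
}

/* Messages allocated and never released: leak check for the fixed path. */
static int live_messages(void) {
    int n = 0;
    for (int i = 0; i < NSLOTS; i++) n += (slots[i].ptr != NULL && !slots[i].freed);
    return n;
}

/* Transport side. Once a message is submitted here it belongs to the
 * transport: the send callback releases it whether the write succeeded or
 * failed. This is the first free in the trace (the send_cb on thread T6). */
static int transport_send(msg_t *m, bool link_up) {
    int rv = link_up ? 0 : ERR_PROTO;   /* link down: broker dropped the session */
    msg_free(m);                        /* consumed on both paths */
    return rv;
}

/* Pattern behind the report: the caller treats a failed send as "still my
 * message" and frees it again. Harmless while the link is up, a double free
 * when the broker closes the connection right after CONNACK. */
static int subscribe_buggy(const char *topic, bool link_up) {
    msg_t *m = msg_alloc(topic);
    if (m == NULL) return -1;
    int rv = transport_send(m, link_up);
    if (rv != 0) msg_free(m);           /* second free of a consumed message */
    return rv;
}

/* Corrected ownership: the caller frees only while it still owns the message
 * (here: validation fails before the hand-off). After transport_send returns
 * the pointer is dead to the caller regardless of rv. */
static int subscribe_fixed(const char *topic, bool link_up) {
    msg_t *m = msg_alloc(topic);
    if (m == NULL) return -1;
    if (topic[0] == '\0') { msg_free(m); return ERR_PROTO; }  /* still ours here */
    int rv = transport_send(m, link_up);
    m = NULL;                           /* ownership moved; never touch again */
    return rv;
}

/* Run one scenario from a clean pool and report the double-free count. */
static int run_scenario(bool fixed, bool link_up) {
    pool_reset();
    (void)(fixed ? subscribe_fixed("topic3", link_up) : subscribe_buggy("topic3", link_up));
    return double_frees;
}

int main(void) {
    printf("buggy, link up   : %d double free(s)\n", run_scenario(false, true));
    printf("buggy, link down : %d double free(s)\n", run_scenario(false, false));
    printf("fixed, link down : %d double free(s), %d leaked\n",
           run_scenario(true, false), live_messages());
    return 0;
}
```

The buggy helper only misbehaves when the send fails, which is why the report needs the broker-side patch to trigger it: with the link up, the transport's single release is the only one and nothing is observed. Building the real client with -fsanitize=address, as the reporter did, turns the counted double free into the heap-use-after-free abort shown above.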