Fix possible out of bounds memory reads when reading configuration.

This would happen with a corrupt/crafted configuration file. Unless your
configuration file is writable by untrusted users this is not a risk.

Closes #567213. Thanks to Roland Sako.

ChangeLog.txt

@@ -1,6 +1,11 @@
 2.0.12 - 2021-07-xx
 ===================
 
+Broker:
+- Fix possible out of bounds memory reads when reading a corrupt/crafted
+ configuration file. Unless your configuration file is writable by untrusted
+ users this is not a risk. Closes #567213.
+
 Clients:
 - mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows
  so binary payloads are not modified when printing.

lib/misc_mosq.c

@@ -156,6 +156,7 @@ char *fgets_extending(char **buf, int *buflen, FILE *stream)
  char endchar;
  int offset = 0;
  char *newbuf;
+ size_t len;
 
  if(stream == NULL || buf == NULL || buflen == NULL || *buflen < 1){
  return NULL;
@@ -167,7 +168,11 @@ char *fgets_extending(char **buf, int *buflen, FILE *stream)
  return rc;
  }
 
- endchar = (*buf)[strlen(*buf)-1];
+ len = strlen(*buf);
+ if(len == 0){
+ return rc;
+ }
+ endchar = (*buf)[len-1];
  if(endchar == '\n'){
  return rc;
  }

src/conf.c

@@ -741,6 +741,7 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
  size_t prefix_len;
  char **files;
  int file_count;
+ size_t slen;
 #ifdef WITH_TLS
  char *kpass_sha = NULL, *kpass_sha_bin = NULL;
  char *keyform ;
@@ -751,8 +752,12 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
  while(fgets_extending(buf, buflen, fptr)){
  (*lineno)++;
  if((*buf)[0] != '#' && (*buf)[0] != 10 && (*buf)[0] != 13){
- while((*buf)[strlen((*buf))-1] == 10 || (*buf)[strlen((*buf))-1] == 13){
- (*buf)[strlen((*buf))-1] = 0;
+ slen = strlen(*buf);
+ if(slen == 0){
+ continue;
+ }
+ while((*buf)[slen-1] == 10 || (*buf)[slen-1] == 13){
+ (*buf)[slen-1] = 0;
  }
  token = strtok_r((*buf), " ", &saveptr);
  if(token){