Fix heap overflow when reading corrupt config with "log_dest file".

ChangeLog.txt

@@ -31,6 +31,7 @@ Broker:
  not a string, when loading the dynsec config from file only.
 - Dynsec plugin will not allow duplicate clients/groups/roles when loading
  config from file, which matches the behaviour for when creating them.
+- Fix heap overflow when reading corrupt config with "log_dest file".
 
 Client library:
 - Use CLOCK_BOOTTIME when available, to keep track of time. This solves the

src/conf.c

@@ -1533,15 +1533,16 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
  }else if(!strcmp(token, "dlt")){
  cr->log_dest |= MQTT3_LOG_DLT;
  }else if(!strcmp(token, "file")){
- cr->log_dest |= MQTT3_LOG_FILE;
  if(config->log_fptr || config->log_file){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Duplicate \"log_dest file\" value.");
  return MOSQ_ERR_INVAL;
  }
  /* Get remaining string. */
- token = &token[strlen(token)+1];
- while(token[0] == ' ' || token[0] == '\t'){
- token++;
+ token = saveptr;
+ if(token && token[0]){
+ while(token[0] == ' ' || token[0] == '\t'){
+ token++;
+ }
  }
  if(token[0]){
  config->log_file = mosquitto__strdup(token);
@@ -1553,6 +1554,7 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Empty \"log_dest file\" value in configuration.");
  return MOSQ_ERR_INVAL;
  }
+ cr->log_dest |= MQTT3_LOG_FILE;
  }else{
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid log_dest value (%s).", token);
  return MOSQ_ERR_INVAL;

src/handle_connect.c

@@ -951,6 +951,7 @@ int handle__connect(struct mosquitto *context)
 
 
 handle_connect_error:
+ mosquitto_property_free_all(&properties);
  mosquitto__free(auth_data);
  mosquitto__free(client_id);
  mosquitto__free(username);