From f09ea91e11f243abdad343da9eedb614d53ac5a1 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Tue, 12 Sep 2023 23:09:24 +0100
Subject: [PATCH] Fix crash on subscribe under certain unlikely conditions. Closes #2885. Closes #2881. Thanks to everybody on those issues.
---
 ChangeLog.txt | 8 ++++++++
 config.mk | 9 +++++++++
 src/subs.c | 2 --
 test/broker/data/REGRESSION.json | 18 ++++++++++++++++++
 4 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 test/broker/data/REGRESSION.json
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 7976dbd30e..67679137f9 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,3 +1,11 @@
+2.0.18 - 2023-09-12
+===================
+
+Broker:
+- Fix crash on subscribe under certain unlikely conditions. Closes #2885.
+ Closes #2881.
+
+
 2.0.17 - 2023-08-22
 ===================
diff --git a/config.mk b/config.mk
index b8bcf86d3b..aebb6010e0 100644
--- a/config.mk
+++ b/config.mk
@@ -120,6 +120,9 @@ WITH_JEMALLOC:=no
 # probably of no particular interest to end users.
 WITH_XTREPORT=no
+# Build using clang and with address sanitiser enabled
+WITH_ASAN=no
+
 # =============================================================================
 # End of user configuration
 # =============================================================================
@@ -152,6 +155,12 @@ else
 CFLAGS?=-Wall -ggdb -O2 -Wconversion -Wextra
 endif
+ifeq ($(WITH_ASAN),yes)
+ CC:=clang
+ CFLAGS+=-fsanitize=address
+ LDFLAGS+=-fsanitize=address
+endif
+
 STATIC_LIB_DEPS:=
 APP_CPPFLAGS=$(CPPFLAGS) -I. -I../../ -I../../include -I../../src -I../../lib
diff --git a/src/subs.c b/src/subs.c
index c5c6b5a34c..687537d9b0 100644
--- a/src/subs.c
+++ b/src/subs.c
@@ -389,7 +389,6 @@ static int sub__remove_normal(struct mosquitto *context, struct mosquitto__subhi
 if(context->subs[i] && context->subs[i]->hier == subhier){
 mosquitto__free(context->subs[i]);
 context->subs[i] = NULL;
- context->sub_count--;
 break;
 }
 }
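Review bot: `CC:=clang` inside the `ifeq ($(WITH_ASAN),yes)` block replaces whatever compiler the environment selected, yet GCC accepts the two `-fsanitize=address` flags as well, so the option does not need to switch compilers. Dropping that line lets the sanitiser build use the same toolchain as the normal build. Adding `-fno-omit-frame-pointer` to the CFLAGS line, as `CFLAGS+=-fsanitize=address -fno-omit-frame-pointer`, keeps the sanitiser's stack traces readable at `-O2`. The comment on the option in the earlier config.mk hunk could state its intended use, for example `# Build with address sanitiser enabled. For testing only, not for production or packaged builds.`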
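Review bot: With the decrement removed, nothing in sub__remove_normal says what `context->sub_count` counts, and the crash came from treating it as the number of live subscriptions. The loop frees `context->subs[i]` and leaves a NULL hole rather than compacting the array, so `sub_count` appears to be the slot count of `context->subs`. A comment next to the free would stop the decrement being reintroduced, for example `/* Slot is left empty for reuse; sub_count is the length of subs[] and must not shrink here. */`. The same comment belongs in sub__remove_shared in the next hunk. Both function bodies start and end outside the hunks, so other readers of `sub_count` that assume it equals the number of active subscriptions are not visible here and are worth checking, since the regression test reaches the fault with ordinary client SUBSCRIBE/UNSUBSCRIBE packets.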
@@ -430,7 +429,6 @@ static int sub__remove_shared(struct mosquitto *context, struct mosquitto__subhi
 mosquitto__free(context->subs[i]);
 context->subs[i] = NULL;
- context->sub_count--;
 break;
 }
 }
diff --git a/test/broker/data/REGRESSION.json b/test/broker/data/REGRESSION.json
new file mode 100644
index 0000000000..4f21fa687a
--- /dev/null
+++ b/test/broker/data/REGRESSION.json
@@ -0,0 +1,18 @@
+[
+ {
+ "group": "REGRESSIONS",
+ "tests": [
+ { "name": "subscribe-unsubscribe-crash part 1", "ver":4, "expect_disconnect":false, "msgs": [
+ {"type":"send", "payload":"82 26 1234 0009 64 72 61 73 68 2F 31 2F 23 00 0009 65 72 61 73 68 2F 32 2F 23 00 0009 63 72 61 73 68 2F 33 2F 23 00"},
+ {"type":"recv", "payload":"90 05 1234 00 00 00"},
+ {"type":"send", "payload":"A2 0D 1234 0009 64 72 61 73 68 2F 31 2F 23"},
+ {"type":"recv", "payload":"B0 02 1234"}
+ ], "comment": "Must be used with part 2 immediately after",
+ "comment2": "Requires WITH_ASAN=yes"},
+ { "name": "subscribe-unsubscribe-crash part 2", "ver":4, "expect_disconnect":false, "msgs": [
+ {"type":"send", "payload":"82 0E 1234 0009 63 72 61 73 68 2F 33 2F 23 00"},
+ {"type":"recv", "payload":"90 03 1234 00"}
+ ], "comment": "https://github.com/eclipse/mosquitto/issues/2885"}
+ ]
+ }
+]
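Review bot: Going by `comment2`, this regression case only detects the fault when the broker is built with `WITH_ASAN=yes`, so on a default build it would presumably pass whether or not the subs.c fix is present. The job that runs the REGRESSIONS group should use an ASAN build, otherwise the test gives no protection against the decrement coming back. Part 1 also depends on part 2 running immediately afterwards, and part 2 carries no note of that or of the ASAN requirement. Adding `"comment2": "Requires WITH_ASAN=yes and part 1 immediately before"` to part 2 would record it on both entries. If the test runner has a way to express ordering or grouping, the dependency is better stated there than in free text, since a filtered or reordered run would silently turn both parts into no-ops.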