Suscribe Long Topic Will Cause Broker Deny of Service (from 1.6.0 to 1.6.5)

[RyanShaw-3083]

In code lib/util_topic.c.

int mosquitto_pub_topic_check(const char *str)
{
	int len = 0;
	while(str && str[0]){
		if(str[0] == '+' || str[0] == '#'){
			return MOSQ_ERR_INVAL;
		}
		len++;
		str = &str[1];
	}
	if(len > 65535) return MOSQ_ERR_INVAL;

	return MOSQ_ERR_SUCCESS;
}

int mosquitto_pub_topic_check2(const char *str, size_t len)
{
	size_t i;

	if(len > 65535) return MOSQ_ERR_INVAL;

	for(i=0; i<len; i++){
		if(str[i] == '+' || str[i] == '#'){
			return MOSQ_ERR_INVAL;
		}
	}

	return MOSQ_ERR_SUCCESS;
}

The first function is used to implement topic string filtering, causing problems with filtering long strings.

• Testing:
  Ubuntu 16.04 x86_64 / mosquitto 1.6.4 (apt-get.).

• PoC:
  By sending 65535 bytes of the same acceptable topic character (/), forcing the program to get stuck in the loop, causing SEGV.

Broker will not work properly when subscribers continue to subscribe the malicious topic.
There are still many broker servers around the world that do not have authentication enabled or under best practices, and this DoS will have a potential (or direct) impact on MQTT services.

[RyanShaw-3083]

When testing test.mosquitto.org did not trigger the exception, sorry to bother. I will continue to check the cause of the exception on my server.

[RyanShaw-3083]

Still happened! It's actually a horrible bug. Maybe related about user configuration.
My broker: mosquitto -d
My suscriber: os.system("mosquitto_sub -h LOCALHOST -t "+'/'*65535+" -v")

[ralight]

Fixed in the commit, I'll have to deal with this properly tomorrow. Thanks for the report.

[carnil]

This should be CVE-2019-11779 comparing with https://mosquitto.org/files/cve/2019-11779/

[robertobarreda]

When will these new packages be published in the repo http:https://repo.mosquitto.org/debian?

[karlp]

@robertobarreda 1.6.7 includes this fix, 1.5.x you can patch yourself.