Segmentation Fault #2163
Comments
Thanks for the fuzzing and the report. I've just pushed a change to fix this and will be making a new release today.
ralight added a commit that referenced this issue on Apr 3, 2021:
CVE-xxxx-xxxx: If an authenticated client connected with MQTT v5 sent a malformed CONNACK message to the broker a NULL pointer dereference occurred, most likely resulting in a segfault. This will be updated with the CVE number when it is assigned. Affects versions 2.0.0 to 2.0.9 inclusive. Closes #2163. Thanks to Bryan Pearson.
I was doing some fuzz testing and came across this bug that crashes Mosquitto (confirmed in 2.0.9 and 2.0.7). When a client sends a valid CONNECT packet followed by a malformed CONNACK packet, sometimes it crashes the broker due to a segmentation fault.
The payload: 101000044d5154540502003c03210014000029020001e000
How to replicate:
echo 101000044d5154540502003c03210014000029020001e000 | xxd -p -r | nc <host> <port>
Proof (segfault and GDB info): attachments not included here.
I can generate other payloads which trigger the same crash, in case they are needed. Let me know.
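The payload above, decoded as an added example that is not part of the report or of Mosquitto's own code: a walker over the MQTT fixed headers that rejects any client-originated control packet of a type only a server may send (CONNACK, SUBACK, UNSUBACK, PINGRESP), the direction check a broker should apply before handing a packet to its handler. It assumes the hex string from the report is the complete client-to-broker stream (CONNECT, CONNACK, DISCONNECT); the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed from the hex string in the report: a CONNECT (MQTT v5), then a
 * CONNACK that only a server may send, then a DISCONNECT. */
static const uint8_t report_payload[] = {
    0x10, 0x10, 0x00, 0x04, 0x4d, 0x51, 0x54, 0x54, 0x05, 0x02, 0x00, 0x3c,
    0x03, 0x21, 0x00, 0x14, 0x00, 0x00, 0x29, 0x02, 0x00, 0x01, 0xe0, 0x00 };

/* Control packet types that are only ever sent server -> client (MQTT v5
 * section 2.1.2). A broker must reject these from a client as a protocol error. */
static int server_only_type(int type) {
    return type == 2 /* CONNACK */ || type == 9 /* SUBACK */ ||
           type == 11 /* UNSUBACK */ || type == 13 /* PINGRESP */;
}

/* Walk the fixed headers of a client -> broker byte stream. Returns the 0-based
 * index of the first packet a broker must reject (server-only type, bad Remaining
 * Length, or truncated body), or -1 if all pass; *count gets packets examined. */
int first_bad_client_packet(const uint8_t *buf, size_t len, int *count) {
    size_t pos = 0;
    int idx = 0;
    while (pos < len) {
        int type = buf[pos] >> 4;
        uint32_t remaining = 0, mult = 1;
        size_t i = pos + 1;
        uint8_t b;
        do { /* Remaining Length: variable byte integer, at most 4 bytes */
            if (i >= len || mult > 128u * 128u * 128u) goto reject;
            b = buf[i++];
            remaining += (uint32_t)(b & 0x7f) * mult;
            mult *= 128;
        } while (b & 0x80);
        if (server_only_type(type) || remaining > len - i) goto reject;
        pos = i + remaining;
        idx++;
    }
    if (count) *count = idx;
    return -1;
reject:
    if (count) *count = idx + 1;
    return idx;
}

int main(void) {
    int n, bad = first_bad_client_packet(report_payload, sizeof report_payload, &n);
    printf("packets examined: %d, first rejected index: %d\n", n, bad); /* 2, 1 */
    return 0;
}
```

The CONNECT (index 0) passes and the CONNACK (index 1) is rejected before its body is ever interpreted; a truncated prefix of the same stream is rejected at index 0.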