Merge branch 'fixes'

CMakeLists.txt

@@ -11,7 +11,7 @@ project(mosquitto)
 cmake_minimum_required(VERSION 2.8)
 # Only for version 3 and up. cmake_policy(SET CMP0042 NEW)
 
-set (VERSION 1.4.11)
+set (VERSION 1.4.12)
 
 if (WIN32)
 	execute_process(COMMAND cmd /c echo %DATE% %TIME% OUTPUT_VARIABLE TIMESTAMP

ChangeLog.txt

@@ -1,3 +1,28 @@
+1.4.12 - 20170528
+=================
+
+Security:
+- Fix CVE-2017-7650, which allows clients with username or client id set to
+  '#' or '+' to bypass pattern based ACLs or third party plugins. The fix
+  denies message sending or receiving of messages for clients with a '#' or
+  '+' in their username or client id and if the message is subject to a
+  pattern ACL check or plugin check.
+  Patches for other versions are available at
+  https://mosquitto.org/files/cve/2017-7650/
+
+Broker:
+- Fix mosquitto.db from becoming corrupted due to client messages being
+  persisted with no stored message. Closes #424.
+- Fix bridge not restarting properly. Closes #428.
+- Fix unitialized memory in gets_quiet on Windows. Closes #426.
+- Fix building with WITH_ADNS=no for systems that don't use glibc. Closes
+  #415.
+- Fixes to readme.md.
+- Fix deprecation warning for OpenSSL 1.1. PR #416.
+- Don't segfault on duplicate bridge names. Closes #446.
+- Fix CVE-2017-7650.
+
+
 1.4.11 - 20170220
 =================
 

config.mk

@@ -86,7 +86,7 @@ WITH_SOCKS:=yes
 
 # Also bump lib/mosquitto.h, CMakeLists.txt,
 # installer/mosquitto.nsi, installer/mosquitto-cygwin.nsi
-VERSION=1.4.11
+VERSION=1.4.12
 TIMESTAMP:=$(shell date "+%F %T%z")
 
 # Client library SO version. Bump if incompatible API/ABI changes are made.
@@ -159,10 +159,6 @@ ifeq ($(UNAME),QNX)
 	LIB_LIBS:=$(LIB_LIBS) -lsocket
 endif
 
-ifeq ($(UNAME),Linux)
-	BROKER_LIBS:=$(BROKER_LIBS) -lanl
-endif
-
 ifeq ($(WITH_WRAP),yes)
 	BROKER_LIBS:=$(BROKER_LIBS) -lwrap
 	BROKER_CFLAGS:=$(BROKER_CFLAGS) -DWITH_WRAP

installer/mosquitto-cygwin.nsi

@@ -7,7 +7,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "mosquitto"
-!define VERSION 1.4.11
+!define VERSION 1.4.12
 OutFile "mosquitto-${VERSION}-install-cygwin.exe"
 
 InstallDir "$PROGRAMFILES\mosquitto"

installer/mosquitto.nsi

@@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "mosquitto"
-!define VERSION 1.4.11
+!define VERSION 1.4.12
 OutFile "mosquitto-${VERSION}-install-win32.exe"
 
 InstallDir "$PROGRAMFILES\mosquitto"

lib/mosquitto.h

@@ -45,7 +45,7 @@ extern "C" {
 
 #define LIBMOSQUITTO_MAJOR 1
 #define LIBMOSQUITTO_MINOR 4
-#define LIBMOSQUITTO_REVISION 11
+#define LIBMOSQUITTO_REVISION 12
 /* LIBMOSQUITTO_VERSION_NUMBER looks like 1002001 for e.g. version 1.2.1. */
 #define LIBMOSQUITTO_VERSION_NUMBER (LIBMOSQUITTO_MAJOR*1000000+LIBMOSQUITTO_MINOR*1000+LIBMOSQUITTO_REVISION)
 

lib/net_mosq.c

@@ -114,7 +114,9 @@ void _mosquitto_net_init(void)
 void _mosquitto_net_cleanup(void)
 {
 #ifdef WITH_TLS
+	#if OPENSSL_VERSION_NUMBER < 0x10100000L
 		ERR_remove_state(0);
+	#endif
 	ENGINE_cleanup();
 	CONF_modules_unload(1);
 	ERR_free_strings();

readme.md

@@ -65,9 +65,9 @@ already be built. Use `make binary` to skip building the man pages, or install
 
 ### Build Dependencies
 
-* c-ares (libc-ares-dev on Debian based systems) - disable with `make WITH_DNS_SRV=no`
+* c-ares (libc-ares-dev on Debian based systems) - disable with `make WITH_SRV=no`
 * libuuid (uuid-dev) - disable with `make WITH_UUID=no`
-* libwebsockets (libwebsockets-dev) - enable with `make WITH_LIBWEBSOCKETS=yes`
+* libwebsockets (libwebsockets-dev) - enable with `make WITH_WEBSOCKETS=yes`
 * openssl (libssl-dev on Debian based systems) - disable with `make WITH_TLS=no`
 
 ## Credits

set-version.sh

@@ -2,7 +2,7 @@
 
 MAJOR=1
 MINOR=4
-REVISION=11
+REVISION=12
 
 sed -i "s/^VERSION=.*/VERSION=${MAJOR}.${MINOR}.${REVISION}/" config.mk
 

src/conf.c

@@ -916,6 +916,14 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char
 					if(reload) continue; // FIXME
 					token = strtok_r(NULL, " ", &saveptr);
 					if(token){
+						/* Check for existing bridge name. */
+						for(i=0; i<config->bridge_count; i++){
+							if(!strcmp(config->bridges[i].name, token)){
+								_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Duplicate bridge name \"%s\".", token);
+								return MOSQ_ERR_INVAL;
+							}
+						}
+
 						config->bridge_count++;
 						config->bridges = _mosquitto_realloc(config->bridges, config->bridge_count*sizeof(struct _mqtt3_bridge));
 						if(!config->bridges){

src/loop.c

@@ -246,7 +246,7 @@ int mosquitto_main_loop(struct mosquitto_db *db, mosq_sock_t *listensock, int li
 				}else{
 					if((context->bridge->start_type == bst_lazy && context->bridge->lazy_reconnect)
 							|| (context->bridge->start_type == bst_automatic && now > context->bridge->restart_t)){
-
+						context->bridge->restart_t = 0;
 #if defined(__GLIBC__) && defined(WITH_ADNS)
 						if(context->adns){
 							/* Waiting on DNS lookup */

src/mosquitto_passwd.c

@@ -230,6 +230,7 @@ int gets_quiet(char *s, int len)
 	memset(s, 0, len);
 	h  = GetStdHandle(STD_INPUT_HANDLE);
 	GetConsoleMode(h, &con_orig);
+	con_quiet = con_orig;
 	con_quiet &= ~ENABLE_ECHO_INPUT;
 	con_quiet |= ENABLE_LINE_INPUT;
 	SetConsoleMode(h, con_quiet);

src/persist.c

@@ -79,6 +79,16 @@ static int mqtt3_db_client_messages_write(struct mosquitto_db *db, FILE *db_fptr
 
 	cmsg = context->msgs;
 	while(cmsg){
+		if(!strncmp(cmsg->store->topic, "$SYS", 4)
+				&& cmsg->store->ref_count <= 1
+				&& cmsg->store->dest_id_count == 0){
+
+			/* This $SYS message won't have been persisted, so we can't persist
+			 * this client message. */
+			cmsg = cmsg->next;
+			continue;
+		}
+
 		slen = strlen(context->id);
 
 		length = htonl(sizeof(dbid_t) + sizeof(uint16_t) + sizeof(uint8_t) +

src/security.c

@@ -233,6 +233,21 @@ int mosquitto_acl_check(struct mosquitto_db *db, struct mosquitto *context, cons
 		{
 			username = context->username;
 		}
+
+		/* Check whether the client id or username contains a +, # or / and if
+		 * so deny access.
+		 *
+		 * Do this check for every message regardless, we have to protect the
+		 * plugins against possible pattern based attacks.
+		 */
+		if(username && strpbrk(username, "+#/")){
+			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", username);
+			return MOSQ_ERR_ACL_DENIED;
+		}
+		if(context->id && strpbrk(context->id, "+#/")){
+			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
+			return MOSQ_ERR_ACL_DENIED;
+		}
 		return db->auth_plugin.acl_check(db->auth_plugin.user_data, context->id, username, topic, access);
 	}
 }

src/security_default.c

@@ -261,6 +261,26 @@ int mosquitto_acl_check_default(struct mosquitto_db *db, struct mosquitto *conte
 	}
 
 	acl_root = db->acl_patterns;
+
+	if(acl_root){
+		/* We are using pattern based acls. Check whether the username or
+		 * client id contains a +, # or / and if so deny access.
+		 *
+		 * Without this, a malicious client may configure its username/client
+		 * id to bypass ACL checks (or have a username/client id that cannot
+		 * publish or receive messages to its own place in the hierarchy).
+		 */
+		if(context->username && strpbrk(context->username, "+#/")){
+			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", context->username);
+			return MOSQ_ERR_ACL_DENIED;
+		}
+
+		if(context->id && strpbrk(context->id, "+#/")){
+			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
+			return MOSQ_ERR_ACL_DENIED;
+		}
+	}
+
 	/* Loop through all pattern ACLs. */
 	clen = strlen(context->id);
 	while(acl_root){