Fix access after free when v5 client with Will message disconnects.

The Will message has as its first property one of content-type, correlation-data, payload-format-indicator, or response-topic. Closes #1244. Thanks to Christoph Krey.
7 years ago · f41cca8152
parent 4e72cae004
commit f41cca8152
5 changed files with 18 additions and 14 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -2,6 +2,10 @@
 ================

 Broker:
+- Fix memory access after free, leading to possible crash, when v5 client with
+  Will message disconnects, where the Will message has as its first property
+  one of `content-type`, `correlation-data`, `payload-format-indicator`, or
+  `response-topic`.  Closes #1244.
 - Fix build for WITH_TLS=no. Closes #1250.


--- a/src/handle_connect.c
+++ b/src/handle_connect.c
@ -292,7 +292,7 @@ static int will__read(struct mosquitto *context, struct mosquitto_message_all **
 		rc = property__read_all(CMD_WILL, &context->in_packet, &properties);
 		if(rc) goto error_cleanup;

-		rc = property__process_will(context, will_struct, properties);
+		rc = property__process_will(context, will_struct, &properties);
 		mosquitto_property_free_all(&properties);
 		if(rc) goto error_cleanup;
 	}
@ -502,7 +502,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 		rc = property__read_all(CMD_CONNECT, &context->in_packet, &properties);
 		if(rc) goto handle_connect_error;
 	}
-	property__process_connect(context, properties);
+	property__process_connect(context, &properties);

 	if(mosquitto_property_read_string(properties, MQTT_PROP_AUTHENTICATION_METHOD, &context->auth_method, false)){
 		mosquitto_property_read_binary(properties, MQTT_PROP_AUTHENTICATION_DATA, &auth_data, &auth_data_len, false);
--- a/src/handle_disconnect.c
+++ b/src/handle_disconnect.c
@ -43,7 +43,7 @@ int handle__disconnect(struct mosquitto_db *db, struct mosquitto *context)
 			if(rc) return rc;
 		}
 	}
-	rc = property__process_disconnect(context, properties);
+	rc = property__process_disconnect(context, &properties);
 	if(rc){
 		if(rc == MOSQ_ERR_PROTOCOL){
 			send__disconnect(context, MQTT_RC_PROTOCOL_ERROR, NULL);
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@ -667,9 +667,9 @@ void bridge__packet_cleanup(struct mosquitto *context);
 /* ============================================================
 * Property related functions
 * ============================================================ */
-int property__process_connect(struct mosquitto *context, mosquitto_property *props);
-int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property *props);
-int property__process_disconnect(struct mosquitto *context, mosquitto_property *props);
+int property__process_connect(struct mosquitto *context, mosquitto_property **props);
+int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property **props);
+int property__process_disconnect(struct mosquitto *context, mosquitto_property **props);

 /* ============================================================
 * Security related functions
--- a/src/property_broker.c
+++ b/src/property_broker.c
@ -26,11 +26,11 @@ Contributors:

 /* Process the incoming properties, we should be able to assume that only valid
 * properties for CONNECT are present here. */
-int property__process_connect(struct mosquitto *context, mosquitto_property *props)
+int property__process_connect(struct mosquitto *context, mosquitto_property **props)
 {
 	mosquitto_property *p;

-	p = props;
+	p = *props;

 	while(p){
 		if(p->identifier == MQTT_PROP_SESSION_EXPIRY_INTERVAL){
@ -55,12 +55,12 @@ int property__process_connect(struct mosquitto *context, mosquitto_property *pro
 }


-int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property *props)
+int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property **props)
 {
 	mosquitto_property *p, *p_prev;
 	mosquitto_property *msg_properties, *msg_properties_last;

-	p = props;
+	p = *props;
 	p_prev = NULL;
 	msg_properties = NULL;
 	msg_properties_last = NULL;
@ -81,8 +81,8 @@ int property__process_will(struct mosquitto *context, struct mosquitto_message_a
 					p_prev->next = p->next;
 					p = p_prev->next;
 				}else{
-					props = p->next;
-					p = props;
+					*props = p->next;
+					p = *props;
 				}
 				msg_properties_last->next = NULL;
 				break;
@ -112,11 +112,11 @@ int property__process_will(struct mosquitto *context, struct mosquitto_message_a

 /* Process the incoming properties, we should be able to assume that only valid
 * properties for DISCONNECT are present here. */
-int property__process_disconnect(struct mosquitto *context, mosquitto_property *props)
+int property__process_disconnect(struct mosquitto *context, mosquitto_property **props)
 {
 	mosquitto_property *p;

-	p = props;
+	p = *props;

 	while(p){
 		if(p->identifier == MQTT_PROP_SESSION_EXPIRY_INTERVAL){