diff --git a/ChangeLog.txt b/ChangeLog.txt
index acc82894..8d5a073e 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -2,6 +2,10 @@
 ================
 Broker:
+- Fix memory access after free, leading to possible crash, when v5 client with
+ Will message disconnects, where the Will message has as its first property
+ one of `content-type`, `correlation-data`, `payload-format-indicator`, or
+ `response-topic`. Closes #1244.
 - Fix build for WITH_TLS=no. Closes #1250.
diff --git a/src/handle_connect.c b/src/handle_connect.c
index 5a276de3..0cedbc6b 100644
--- a/src/handle_connect.c
+++ b/src/handle_connect.c
@@ -292,7 +292,7 @@ static int will__read(struct mosquitto *context, struct mosquitto_message_all **
 rc = property__read_all(CMD_WILL, &context->in_packet, &properties);
 if(rc) goto error_cleanup;
- rc = property__process_will(context, will_struct, properties);
+ rc = property__process_will(context, will_struct, &properties);
 mosquitto_property_free_all(&properties);
 if(rc) goto error_cleanup;
 }
@@ -502,7 +502,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 rc = property__read_all(CMD_CONNECT, &context->in_packet, &properties);
 if(rc) goto handle_connect_error;
 }
- property__process_connect(context, properties);
+ property__process_connect(context, &properties);
 if(mosquitto_property_read_string(properties, MQTT_PROP_AUTHENTICATION_METHOD, &context->auth_method, false)){
 mosquitto_property_read_binary(properties, MQTT_PROP_AUTHENTICATION_DATA, &auth_data, &auth_data_len, false);
diff --git a/src/handle_disconnect.c b/src/handle_disconnect.c
index 7eccfe8d..18b0ee80 100644
--- a/src/handle_disconnect.c
+++ b/src/handle_disconnect.c
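Review bot: The free on the line after the `+` call is now correct only because `properties` has been rewritten to the remaining list, which leaves two owners for what used to be one list: the nodes that property__process_will unlinks (presumably parked in will_struct) and the rest, freed here. On the `if(rc) goto error_cleanup;` path that follows, the unlinked nodes are therefore released only if error_cleanup (outside the hunk) frees will_struct together with its property list — worth confirming. I would state the split next to the call: `/* property__process_will moves the message properties out of this list; only the remainder is freed here. */`. will__read starts and ends outside the hunk.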
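Review bot: The return value of property__process_connect is still discarded at the `+` line in handle__connect, while the sibling calls in will__read and handle__disconnect assign it to rc and act on it, and the header declares the function as returning int. If it can report an error (the visible part of its body only reads `*props`, so I cannot tell from the diff), the call should read `rc = property__process_connect(context, &properties); if(rc) goto handle_connect_error;`; if it cannot fail, a `(void)` cast or a void return type would document that instead. handle__connect's body continues outside the hunk in both directions.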
@@ -43,7 +43,7 @@ int handle__disconnect(struct mosquitto_db *db, struct mosquitto *context)
 if(rc) return rc;
 }
 }
- rc = property__process_disconnect(context, properties);
+ rc = property__process_disconnect(context, &properties);
 if(rc){
 if(rc == MOSQ_ERR_PROTOCOL){
 send__disconnect(context, MQTT_RC_PROTOCOL_ERROR, NULL);
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
index 51560310..0654166f 100644
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@@ -667,9 +667,9 @@ void bridge__packet_cleanup(struct mosquitto *context);
 /* ============================================================
 * Property related functions
 * ============================================================ */
-int property__process_connect(struct mosquitto *context, mosquitto_property *props);
-int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property *props);
-int property__process_disconnect(struct mosquitto *context, mosquitto_property *props);
+int property__process_connect(struct mosquitto *context, mosquitto_property **props);
+int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property **props);
+int property__process_disconnect(struct mosquitto *context, mosquitto_property **props);
 /* ============================================================
 * Security related functions
diff --git a/src/property_broker.c b/src/property_broker.c
index 39f8a430..659357a0 100644
--- a/src/property_broker.c
+++ b/src/property_broker.c
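Review bot: The three new `mosquitto_property **props` prototypes carry no comment saying why the callee takes a double pointer, and the functions do not use it alike: in property_broker.c only property__process_will writes `*props` (it unlinks message properties and may replace the list head), whereas the visible bodies of the connect and disconnect variants only read it. I would document the contract on the prototypes, e.g. above property__process_will: `/* Detaches the message-related properties from *props, updating *props when the head node moves; the caller keeps ownership of the remaining list and must free it. */`, and note on the other two that the pointer is only dereferenced, so any caller may pass the address of its local list. Without that, a future caller that frees the original head pointer instead of the updated one would reintroduce exactly the use-after-free this commit fixes.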
@@ -26,11 +26,11 @@ Contributors:
 /* Process the incoming properties, we should be able to assume that only valid
 * properties for CONNECT are present here. */
-int property__process_connect(struct mosquitto *context, mosquitto_property *props)
+int property__process_connect(struct mosquitto *context, mosquitto_property **props)
 {
 mosquitto_property *p;
- p = props;
+ p = *props;
 while(p){
 if(p->identifier == MQTT_PROP_SESSION_EXPIRY_INTERVAL){
@@ -55,12 +55,12 @@ int property__process_connect(struct mosquitto *context, mosquitto_property *pro
 }
-int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property *props)
+int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property **props)
 {
 mosquitto_property *p, *p_prev;
 mosquitto_property *msg_properties, *msg_properties_last;
- p = props;
+ p = *props;
 p_prev = NULL;
 msg_properties = NULL;
 msg_properties_last = NULL;
@@ -81,8 +81,8 @@ int property__process_will(struct mosquitto *context, struct mosquitto_message_a
 p_prev->next = p->next;
 p = p_prev->next;
 }else{
- props = p->next;
- p = props;
+ *props = p->next;
+ p = *props;
 }
 msg_properties_last->next = NULL;
 break;
@@ -112,11 +112,11 @@ int property__process_will(struct mosquitto *context, struct mosquitto_message_a
 /* Process the incoming properties, we should be able to assume that only valid
 * properties for DISCONNECT are present here. */
-int property__process_disconnect(struct mosquitto *context, mosquitto_property *props)
+int property__process_disconnect(struct mosquitto *context, mosquitto_property **props)
 {
 mosquitto_property *p;
- p = props;
+ p = *props;
 while(p){
 if(p->identifier == MQTT_PROP_SESSION_EXPIRY_INTERVAL){
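Review bot: `p = *props;` at the `+` line of property__process_connect dereferences the new double pointer unconditionally, and the same line appears in the property__process_disconnect hunk at -112; every visible caller passes `&properties` of a local, so this is safe today, but these functions are exported through the internal header and a guard such as `if(!props) return MOSQ_ERR_INVAL;` (in the MOSQ_ERR_* style handle__disconnect already checks for) would make the contract explicit. In the visible part of both functions `*props` is only read, so the `**` exists for signature uniformity with property__process_will rather than because the head is updated here; a one-line comment saying so would stop a reader from hunting for the write. The loop bodies continue outside the hunk.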
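Review bot: property__process_will still has no header comment, unlike property__process_connect and property__process_disconnect around it, and it is the one function of the three with a non-obvious contract: it unlinks the message-related nodes from the list and, at the `*props = p->next;` line further down, may replace the caller's head pointer. I would add above the signature: `/* Unlink the message-related properties from *props into a separate chain for msg; *props is updated when the head node moves, and the caller keeps ownership of (and must free) the remaining list. */`. The hand-over to msg happens outside the hunk, so adjust that wording to what the function end actually does. The function body runs past the hunk.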
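Review bot: The head-of-list case is now correct, but the loop keeps two unlink paths that must stay in sync (the `p_prev->next` branch and the `*props` branch at the `+` lines), and the bug being fixed is exactly what happens when one of them drifts. A single pointer-to-link cursor removes the special case: replace `p_prev` with `mosquitto_property **link = props;`, unlink with `*link = p->next; p = *link;` in both cases, and advance with `link = &p->next; p = p->next;` where the node is kept. The advance sites are in the other switch cases outside the hunk, so that change would touch lines this hunk does not show. A regression test that reads a v5 Will whose first property is one of the four named in the ChangeLog and then frees the remaining list would pin the fix.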