github
/
mosquitto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix access after free when v5 client with Will message disconnects.

Browse Source 
The Will message has as its first property one of content-type,
correlation-data, payload-format-indicator, or response-topic.

Closes #1244. Thanks to Christoph Krey.
pull/1600/head
Roger A. Light 7 years ago
parent 4e72cae004
commit f41cca8152
5 changed files with 18 additions and 14 deletions
Show Stats Download Patch File Download Diff File

4
ChangeLog.txt
Unescape Escape View File

@ -2,6 +2,10 @@
================ ================
Broker: Broker:
- Fix memory access after free, leading to possible crash, when v5 client with
Will message disconnects, where the Will message has as its first property
one of `content-type`, `correlation-data`, `payload-format-indicator`, or
`response-topic`. Closes #1244.
- Fix build for WITH_TLS=no. Closes #1250. - Fix build for WITH_TLS=no. Closes #1250.

4
src/handle_connect.c
Unescape Escape View File

@ -292,7 +292,7 @@ static int will__read(struct mosquitto *context, struct mosquitto_message_all **
rc = property__read_all(CMD_WILL, &context->in_packet, &properties); rc = property__read_all(CMD_WILL, &context->in_packet, &properties);
if(rc) goto error_cleanup; if(rc) goto error_cleanup;
rc = property__process_will(context, will_struct, properties); rc = property__process_will(context, will_struct, &properties);
mosquitto_property_free_all(&properties); mosquitto_property_free_all(&properties);
if(rc) goto error_cleanup; if(rc) goto error_cleanup;
} }
@ -502,7 +502,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
rc = property__read_all(CMD_CONNECT, &context->in_packet, &properties); rc = property__read_all(CMD_CONNECT, &context->in_packet, &properties);
if(rc) goto handle_connect_error; if(rc) goto handle_connect_error;
} }
property__process_connect(context, properties); property__process_connect(context, &properties);
if(mosquitto_property_read_string(properties, MQTT_PROP_AUTHENTICATION_METHOD, &context->auth_method, false)){ if(mosquitto_property_read_string(properties, MQTT_PROP_AUTHENTICATION_METHOD, &context->auth_method, false)){
mosquitto_property_read_binary(properties, MQTT_PROP_AUTHENTICATION_DATA, &auth_data, &auth_data_len, false); mosquitto_property_read_binary(properties, MQTT_PROP_AUTHENTICATION_DATA, &auth_data, &auth_data_len, false);

2
src/handle_disconnect.c
Unescape Escape View File

@ -43,7 +43,7 @@ int handle__disconnect(struct mosquitto_db *db, struct mosquitto *context)
if(rc) return rc; if(rc) return rc;
} }
} }
rc = property__process_disconnect(context, properties); rc = property__process_disconnect(context, &properties);
if(rc){ if(rc){
if(rc == MOSQ_ERR_PROTOCOL){ if(rc == MOSQ_ERR_PROTOCOL){
send__disconnect(context, MQTT_RC_PROTOCOL_ERROR, NULL); send__disconnect(context, MQTT_RC_PROTOCOL_ERROR, NULL);

6
src/mosquitto_broker_internal.h
Unescape Escape View File

@ -667,9 +667,9 @@ void bridge__packet_cleanup(struct mosquitto *context);
/* ============================================================ /* ============================================================
* Property related functions * Property related functions
* ============================================================ */ * ============================================================ */
int property__process_connect(struct mosquitto *context, mosquitto_property *props); int property__process_connect(struct mosquitto *context, mosquitto_property **props);
int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property *props); int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property **props);
int property__process_disconnect(struct mosquitto *context, mosquitto_property *props); int property__process_disconnect(struct mosquitto *context, mosquitto_property **props);
/* ============================================================ /* ============================================================
* Security related functions * Security related functions

16
src/property_broker.c
Unescape Escape View File

@ -26,11 +26,11 @@ Contributors:
/* Process the incoming properties, we should be able to assume that only valid /* Process the incoming properties, we should be able to assume that only valid
* properties for CONNECT are present here. */ * properties for CONNECT are present here. */
int property__process_connect(struct mosquitto *context, mosquitto_property *props) int property__process_connect(struct mosquitto *context, mosquitto_property **props)
{ {
mosquitto_property *p; mosquitto_property *p;
p = props; p = *props;
while(p){ while(p){
if(p->identifier == MQTT_PROP_SESSION_EXPIRY_INTERVAL){ if(p->identifier == MQTT_PROP_SESSION_EXPIRY_INTERVAL){
@ -55,12 +55,12 @@ int property__process_connect(struct mosquitto *context, mosquitto_property *pro
} }
int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property *props) int property__process_will(struct mosquitto *context, struct mosquitto_message_all *msg, mosquitto_property **props)
{ {
mosquitto_property *p, *p_prev; mosquitto_property *p, *p_prev;
mosquitto_property *msg_properties, *msg_properties_last; mosquitto_property *msg_properties, *msg_properties_last;
p = props; p = *props;
p_prev = NULL; p_prev = NULL;
msg_properties = NULL; msg_properties = NULL;
msg_properties_last = NULL; msg_properties_last = NULL;
@ -81,8 +81,8 @@ int property__process_will(struct mosquitto *context, struct mosquitto_message_a
p_prev->next = p->next; p_prev->next = p->next;
p = p_prev->next; p = p_prev->next;
}else{ }else{
props = p->next; *props = p->next;
p = props; p = *props;
} }
msg_properties_last->next = NULL; msg_properties_last->next = NULL;
break; break;
@ -112,11 +112,11 @@ int property__process_will(struct mosquitto *context, struct mosquitto_message_a
/* Process the incoming properties, we should be able to assume that only valid /* Process the incoming properties, we should be able to assume that only valid
* properties for DISCONNECT are present here. */ * properties for DISCONNECT are present here. */
int property__process_disconnect(struct mosquitto *context, mosquitto_property *props) int property__process_disconnect(struct mosquitto *context, mosquitto_property **props)
{ {
mosquitto_property *p; mosquitto_property *p;
p = props; p = *props;
while(p){ while(p){
if(p->identifier == MQTT_PROP_SESSION_EXPIRY_INTERVAL){ if(p->identifier == MQTT_PROP_SESSION_EXPIRY_INTERVAL){

Write Preview
Loading…
Cancel
Save