[Bug 573191] Possible DoS through Memory Leak in Mosquitto Broker
Bugzilla Link | 573191 |
Status | NEW |
Importance | P3 normal |
Reported | Apr 27, 2021 08:06 EDT |
Modified | Jul 22, 2021 12:44 EDT |
Reporter | Kathrin Kleinhammer |
Description
I've found a memory leak in Mosquitto Broker which can possibly result in a Denial of Service.
The problem occurs when sending a CONNECT packet with the will flag and a will property (will delay interval), but without a will topic and will message.
ASan output:
1619523388: mosquitto version 2.0.10 running
1619523398: New connection from 192.168.178.22:52740 on port 1883.
1619523398: Client disconnected due to protocol error.
^C1619523551: mosquitto version 2.0.10 terminating
=================================================================
==23864==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 504 byte(s) in 1 object(s) allocated from:
#0 0x7fe8aa071037 in calloc (/lib/x86_64-linux-gnu/libasan.so.6+0xaa037)
#1 0x55be2d9c615e in mosquitto__calloc ../lib/memory_mosq.c:58
#2 0x55be2d99d3a3 in context__init /home/kali/git/mosquitto/src/context.c:40
#3 0x55be2d9c8b5a in net__socket_accept /home/kali/git/mosquitto/src/net.c:185
#4 0x55be2d9c815e in mux_epoll__handle /home/kali/git/mosquitto/src/mux_epoll.c:210
#5 0x55be2d9c6a76 in mux__handle /home/kali/git/mosquitto/src/mux.c:76
#6 0x55be2d9c56cc in mosquitto_main_loop /home/kali/git/mosquitto/src/loop.c:208
#7 0x55be2d97e955 in main /home/kali/git/mosquitto/src/mosquitto.c:559
#8 0x7fe8a9cded09 in __libc_start_main ../csu/libc-start.c:308
Indirect leak of 15 byte(s) in 1 object(s) allocated from:
#0 0x7fe8aa01e817 in __interceptor_strdup (/lib/x86_64-linux-gnu/libasan.so.6+0x57817)
#1 0x55be2d9c63b5 in mosquitto__strdup ../lib/memory_mosq.c:152
#2 0x55be2d99d8ff in context__init /home/kali/git/mosquitto/src/context.c:76
#3 0x55be2d9c8b5a in net__socket_accept /home/kali/git/mosquitto/src/net.c:185
#4 0x55be2d9c815e in mux_epoll__handle /home/kali/git/mosquitto/src/mux_epoll.c:210
#5 0x55be2d9c6a76 in mux__handle /home/kali/git/mosquitto/src/mux.c:76
#6 0x55be2d9c56cc in mosquitto_main_loop /home/kali/git/mosquitto/src/loop.c:208
#7 0x55be2d97e955 in main /home/kali/git/mosquitto/src/mosquitto.c:559
#8 0x7fe8a9cded09 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: 519 byte(s) leaked in 2 allocation(s).
The memory leak is the context, which gets allocated in context__init (context.c:40), but is never freed by calling context__cleanup.
Please let me know if you need further information (e.g. a sample packet) to reproduce the bug.
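Until a broker build with the fix is deployed, the observable trace of this leak being exercised is the pair of log lines shown above: a "New connection from" line followed by "Client disconnected due to protocol error." Below is an added detection example (not code from the reporter or from the Mosquitto project) that flags source addresses producing repeated protocol-error disconnects within a short window. It assumes the log line formats visible in the report, and since the protocol-error line carries no address, it attributes each one to the most recently logged new connection (a heuristic that can mis-attribute under heavy concurrent connection churn).

```python
import re
from collections import defaultdict, deque

# Constructed sample log, using the line formats seen in the bug report.
# The "New client connected" line is a benign, successful connection.
SAMPLE_LOG = """\
1619523398: New connection from 192.168.178.22:52740 on port 1883.
1619523398: Client disconnected due to protocol error.
1619523399: New connection from 192.168.178.22:52741 on port 1883.
1619523399: Client disconnected due to protocol error.
1619523400: New connection from 10.0.0.5:40000 on port 1883.
1619523400: New client connected from 10.0.0.5:40000 as sensor1 (p5, c1, k60).
1619523401: New connection from 192.168.178.22:52742 on port 1883.
1619523401: Client disconnected due to protocol error.
"""

CONN_RE = re.compile(r"^(\d+): New connection from (\S+):(\d+) on port \d+\.$")
PROTO_ERR_RE = re.compile(r"^(\d+): Client disconnected due to protocol error\.$")


def protocol_error_bursts(log_text, threshold=3, window=60):
    """Return {ip: peak_count} for every source IP that produced at least
    `threshold` protocol-error disconnects inside any `window`-second span.
    Each protocol-error line is attributed to the last "New connection" line
    seen before it (assumption: broker logs the two lines back to back)."""
    last_conn_ip = None
    recent = defaultdict(deque)  # ip -> timestamps of recent protocol errors
    flagged = {}
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            last_conn_ip = m.group(2)
            continue
        m = PROTO_ERR_RE.match(line)
        if not m or last_conn_ip is None:
            continue
        ts = int(m.group(1))
        q = recent[last_conn_ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[last_conn_ip] = max(flagged.get(last_conn_ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in protocol_error_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} protocol-error disconnects within the window")
```

A flagged address is a candidate for connection rate limiting at the firewall while the broker remains unpatched; the leak itself is only closed by freeing the context on the protocol-error path.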