[Bug 575314] Possible DoS Attack caused by unlimited number of "user properties" in Mosquitto Broker

Bugzilla Link 575314
Status ASSIGNED
Importance P3 normal
Reported Aug 09, 2021 09:47 EDT
Modified Dec 01, 2021 14:34 EDT
Reporter syncxxx Song

Description

We have found a DoS attack which can be triggered by CONNECT packets which contain lots of "user properties". The broker will then parse all of them and store them in a linked list. When checking for the uniqueness of "properties" in the CONNECT packet, the linked list is traversed with O(n^2) complexity.

In our tests, it takes only 64KB per packet to have an impact on our cloud server with 1 core (20 processes sending packets simultaneously). So it's only limited by max packet size.

lib\property_mosq.c:186(property__read_all)

In this function, the broker parses and stores the properties, including "user properties".

lib\property_mosq.c:963(mosquitto_property_check_all)

```c
int mosquitto_property_check_all(int command, const mosquitto_property *properties)
{
	...
	...

	while(p){
		...
		...

		/* Compare p with every property after it: O(n^2) comparisons for n properties. */
		tail = p->next;
		while(tail){
			if(p->identifier == tail->identifier
					&& p->identifier != MQTT_PROP_USER_PROPERTY){

				return MOSQ_ERR_DUPLICATE_PROPERTY;
			}
			tail = tail->next;
		}

		p = p->next;
	}

	return MOSQ_ERR_SUCCESS;
}
```
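An added illustration of the cost described in this report (not code from the report or from the Mosquitto project): the pairwise duplicate check beside a single-pass check that skips user properties and marks every other identifier in a table. `struct prop`, `push`, `ID_LIMIT` and the `CHECK_*` codes are hypothetical stand-ins, and the property list is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* 38 (0x26) is the MQTT v5 User Property identifier; ID_LIMIT is an assumed table size. */
enum { USER_PROP = 38, ID_LIMIT = 64 };
enum { CHECK_OK, CHECK_DUPLICATE, CHECK_INVALID };
struct prop { struct prop *next; int identifier; }; /* stand-in, not mosquitto_property */

/* Prepend one node to a constructed list. */
static struct prop *push(struct prop *head, int id)
{
	struct prop *p = malloc(sizeof(*p));
	if(!p) abort();
	*p = (struct prop){ head, id };
	return p;
}

/* Pairwise scan shaped like the loop in the report; *cmp counts comparisons. */
static int check_pairwise(const struct prop *p, unsigned long *cmp)
{
	for(; p; p = p->next)
		for(const struct prop *tail = p->next; tail; tail = tail->next){
			(*cmp)++;
			if(p->identifier == tail->identifier && p->identifier != USER_PROP) return CHECK_DUPLICATE;
		}
	return CHECK_OK;
}

/* Single pass: repeatable user properties are skipped, other ids are marked once. */
static int check_single_pass(const struct prop *p, unsigned long *steps)
{
	bool seen[ID_LIMIT] = {false};
	for(; p; p = p->next){
		(*steps)++;
		if(p->identifier == USER_PROP) continue;
		if(p->identifier < 0 || p->identifier >= ID_LIMIT) return CHECK_INVALID;
		if(seen[p->identifier]) return CHECK_DUPLICATE;
		seen[p->identifier] = true;
	}
	return CHECK_OK;
}

int main(void)
{
	struct prop *list = push(NULL, 17); /* constructed: Session Expiry Interval */
	unsigned long cmp = 0, steps = 0;
	for(int i = 0; i < 1000; i++) list = push(list, USER_PROP);
	int a = check_pairwise(list, &cmp), b = check_single_pass(list, &steps);
	printf("pairwise rc=%d cost=%lu, single pass rc=%d cost=%lu\n", a, cmp, b, steps);
	return 0;
}
```

Both checks accept the same list, but the pairwise scan needs n(n-1)/2 comparisons while the single pass visits each property once.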