[Bug 575314] Possible DoS Attack caused by unlimited number of "user properties" in Mosquitto Broker
Bugzilla Link | 575314 |
Status | ASSIGNED |
Importance | P3 normal |
Reported | Aug 09, 2021 09:47 EDT |
Modified | Dec 01, 2021 14:34 EDT |
Reporter | syncxxx Song |
Description
We have found a DoS attack which can be triggered by CONNECT packets which contain lots of "user properties". The broker will then parse all of them and store them in a linked list. When checking for the uniqueness of "properties" in the CONNECT packet, the linked list will be traversed with O(n^2) complexity.
In our tests, it takes only 64KB per packet to have an impact on our cloud server with 1 core (20 processes sending packets simultaneously). So it's only limited by max packet size.
lib\property_mosq.c:186(property__read_all)
In this function, the broker parses and stores the properties, including "user properties".
lib\property_mosq.c:963(mosquitto_property_check_all)
int mosquitto_property_check_all(int command, const mosquitto_property *properties)
{
    ...
    ...
    while(p){
        ...
        ...
        tail = p->next;
        while(tail){
            if(p->identifier == tail->identifier
                    && p->identifier != MQTT_PROP_USER_PROPERTY){
                return MOSQ_ERR_DUPLICATE_PROPERTY;
            }
            tail = tail->next;
        }
        p = p->next;
    }
    return MOSQ_ERR_SUCCESS;
}
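
The nested walk quoted in the report, next to a single-pass check that also bounds the number of user properties. This is an added example, not Mosquitto code and not part of the original report. Assumptions: `struct prop`, `check_quadratic`, `check_linear`, `make_list`, the `RC_*` codes and the `MAX_USER_PROPS` limit are hypothetical names, and property identifiers are assumed to fit in one byte.

```c
#include <stdint.h>
#include <stdlib.h>

#define USER_PROPERTY 38    /* MQTT v5 User Property identifier (0x26) */
#define MAX_USER_PROPS 64   /* assumed policy limit, not a Mosquitto option */
enum { RC_OK = 0, RC_DUPLICATE = 1, RC_TOO_MANY = 2, RC_MALFORMED = 3 };
/* Hypothetical stand-in for one node of the parsed property list. */
struct prop { struct prop *next; int identifier; };

/* Same shape as the nested walk in the report; *steps counts inner iterations. */
int check_quadratic(const struct prop *p, size_t *steps)
{
    for (; p; p = p->next)
        for (const struct prop *tail = p->next; tail; tail = tail->next) {
            (*steps)++;
            if (p->identifier == tail->identifier && p->identifier != USER_PROPERTY)
                return RC_DUPLICATE;
        }
    return RC_OK;
}

/* One pass: a seen-table finds duplicates, a counter bounds user properties. */
int check_linear(const struct prop *p, size_t *steps)
{
    uint8_t seen[256] = {0};
    size_t user_props = 0;
    for (; p; p = p->next) {
        (*steps)++;
        if (p->identifier < 0 || p->identifier > 255) return RC_MALFORMED;
        if (p->identifier == USER_PROPERTY) {
            if (++user_props > MAX_USER_PROPS) return RC_TOO_MANY;
        } else if (seen[p->identifier]++) {
            return RC_DUPLICATE;
        }
    }
    return RC_OK;
}

/* Constructed input: n linked nodes that all carry the same identifier. */
struct prop *make_list(size_t n, int identifier)
{
    struct prop *nodes = calloc(n, sizeof *nodes);
    for (size_t i = 0; nodes && i < n; i++) {
        nodes[i].identifier = identifier;
        nodes[i].next = (i + 1 < n) ? &nodes[i + 1] : NULL;
    }
    return nodes;
}
```

For a constructed list of 1000 user properties, the nested walk performs 499500 comparisons before accepting it, while the single pass rejects it at the 65th node. The list returned by `make_list` is one allocation and is released with `free()`.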