Double free vulnerability in Mosquitto, affecting almost all versions
Basic information
Project name: Mosquitto https://github.com/eclipse/mosquitto
Project id: (I do not know how to find it)
What are the affected versions?
I tested Mosquitto versions 2.0.9 and 2.0.15 in live environments. Following this, I scrutinized the affected code and discovered that seemingly all versions are subject to the vulnerability.
Details of the issue
The vulnerability was found by songxiangpu (School of Cyber Science and Technology, Shandong University).
The vulnerability occurs when Mosquitto is running in bridge mode. When Mosquitto actively establishes a bridge to a remote MQTT broker, that broker may, depending on how strictly it implements the MQTT specification, forward messages published on topics that start with a wildcard character back to Mosquitto. Mosquitto then triggers a double free and the process crashes.
The root cause is that the validation applied to messages sent by the bridged broker is bypassed.
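To make the missing check concrete, here is an added example (not Mosquitto's own code, and not part of the original report) of the validation a broker should apply to the topic name of every inbound PUBLISH, including those arriving over a bridge: MQTT v3.1.1 and v5.0 forbid the wildcard characters '#' and '+' in a PUBLISH topic name, so such a packet should be rejected before it reaches any routing or message-store logic. The function and helper names and the sample topics are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Validate a PUBLISH topic name received from a peer (bridge or client).
 * Wildcards ('#', '+') are only legal in subscription filters, never in a
 * PUBLISH topic name; an empty topic, an embedded NUL byte, or a topic
 * longer than the 16-bit MQTT length field allows is rejected as well.
 * Returns true only for a topic that is safe to route further. */
bool publish_topic_is_valid(const char *topic, size_t len)
{
    if (topic == NULL || len == 0 || len > 65535) return false;
    for (size_t i = 0; i < len; i++) {
        char c = topic[i];
        if (c == '#' || c == '+' || c == '\0') return false;
    }
    return true;
}

/* Convenience wrapper for NUL-terminated strings (an embedded NUL cannot
 * be detected here, so wire-level code should use the length-based form). */
bool publish_topic_is_valid_str(const char *topic)
{
    return topic != NULL && publish_topic_is_valid(topic, strlen(topic));
}

/* Sample topics, constructed for this example (not taken from the report):
 * the first two are accepted, the rest are dropped before any routing. */
typedef struct { const char *topic; bool expected; } topic_case;
static const topic_case samples[] = {
    { "room1/temperature",      true  },
    { "sensor/room1/humidity",  true  },
    { "#",                      false },
    { "+/status",               false },
    { "room1/#",                false },
    { "",                       false },
};

/* Returns how many sample verdicts match the expected outcome (6 of 6). */
int run_samples(void)
{
    int ok = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool verdict = publish_topic_is_valid_str(samples[i].topic);
        if (verdict == samples[i].expected) ok++;
    }
    return ok;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i].topic,
               publish_topic_is_valid_str(samples[i].topic) ? "accept" : "reject");
    printf("%d/6 verdicts as expected\n", run_samples());
    return 0;
}
```

In a broker, this check belongs on the receive path of every connection, including the bridge's connection to the remote broker, so that a non-compliant peer cannot bypass it; an inbound message that fails the check should be dropped and logged rather than passed on to the routing and storage code.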
Steps to reproduce
test_br.conf
listener 1883
allow_anonymous true
connection bridge1
address 127.0.0.1:1884
keepalive_interval 60
topic room1/# both 2 sensor/ myhouse/
topic tst/ba both 2
topic # both 2
keepalive_interval 600
remote_clientid mosquitto
bridge_protocol_version mqttv50
notifications false
I have provided a Python script to help reproduce this vulnerability:
server.py
Steps:
- Run the script: python3 server.py
- Run Mosquitto: ./mosquitto -c ./test_br.conf -v
- The vulnerability is triggered
Do you know any mitigations of the issue?
(Like disabling a configuration option, for example)