Mosquitto: Use after free on sub__add_leaf
Basic information
Project name: Eclipse Mosquitto
Project id: iot.mosquitto
What are the affected versions?
2.0.18
We have not checked previous versions.
Details of the issue
We have found a heap-use-after-free vulnerability in Mosquitto 2.0.18, which occurs at src/subs.c:165:38 (in function 'sub__add_leaf').
This vulnerability can be triggered by sending a specific sequence of the following packets:
CONNECT
SUBSCRIBE
UNSUBSCRIBE
DISCONNECT
CONNECT
SUBSCRIBE
We attach the ASan stack trace of the vulnerability as well as the hex-encoded bytes of the packets ("%x" is used as a hex prefix).
Steps to reproduce
Run the attached replay_mqtt_finding.py script against a Mosquitto 2.0.18 broker which has been instrumented with ASan (AddressSanitizer).
Do you know any mitigations of the issue?
No.
Credit request
If you assign a CVE, is it possible to register the requested CVE with our names and organization name? We are Roman Kraus, Steffen Lüdtke, Martin Schneider and Ramon Barakat of Fraunhofer FOKUS.
Best regards,
Roman Kraus