heap-buffer-overflow in my_subscribe_callback function in sub_client.c
Basic information
Project name: Mosquitto
Project id: mosquitto.org
What are the affected versions?
v2.0.20
Details of the issue
With the v2.0.20 mosquitto_sub client built under AddressSanitizer and UndefinedBehaviorSanitizer and connected to a server that sends it packets, AddressSanitizer reports a heap-buffer-overflow: a 4-byte READ in my_subscribe_callback (client/sub_client.c:149:27), reached while libmosquitto dispatches a SUBACK (handle__suback, lib/handle_suback.c:94). The faulting address is the first byte of a 1-byte heap region, so the callback reads an int from an allocation that is only one byte long. An int read at the start of a 1-byte region is what ASan reports for a dereference of a zero-length malloc (ASan rounds malloc(0) up to one byte), which matches the callback reading granted_qos[0] unconditionally when the SUBACK carried no reason codes, i.e. qos_count == 0. That root cause is inferred from the log rather than shown by it, so it should be confirmed against the source. Note also that the libmosquitto frames in the trace resolve to /root/mqtt/mosquitto-2.0.4/lib while the client frames come from the fuzzing checkout, so the library version actually linked into the crashing binary should be confirmed as well.
Steps to reproduce
- Build the client with ASan and UBSan enabled by setting the compiler, linker and flag environment variables, then rebuild from a clean tree:
export CC=clang CXX=clang++
export WITH_ASAN=1 CFLAGS="-Wall -O0 -g -fsanitize=address,undefined -fno-omit-frame-pointer " CPPFLAGS="-Wall -O0 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
export LDFLAGS="-g -fsanitize=address,undefined"
make reallyclean
make -j
- Start the subscriber client, pointing it at port 1884 (whatever listens there stands in for the broker):
mosquitto/client/mosquitto_sub -t 'test/tp' -v -p 1884 -q 2
- Have the server on port 1884 send packets to the client. The client crashes with a heap-buffer-overflow while handling a SUBACK. The full sanitizer log follows:
=================================================================
==2909530==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001b0 at pc 0x0000004caea8 bp 0x7fff91157c40 sp 0x7fff91157c38
READ of size 4 at 0x6020000001b0 thread T0
#0 0x4caea7 in my_subscribe_callback /root/data-volume/projects/fuzzing/fuzz_subjtects/mosquitto/client/sub_client.c:149:27
#1 0x7f907196ae69 in handle__suback /root/mqtt/mosquitto-2.0.4/lib/handle_suback.c:94:3
#2 0x7f9071995433 in handle__packet /root/mqtt/mosquitto-2.0.4/lib/read_handle.c:59:11
#3 0x7f9071988ffb in packet__read /root/mqtt/mosquitto-2.0.4/lib/packet_mosq.c:507:7
#4 0x7f907196f054 in mosquitto_loop_read /root/mqtt/mosquitto-2.0.4/lib/loop.c:393:9
#5 0x7f907196e454 in mosquitto_loop /root/mqtt/mosquitto-2.0.4/lib/loop.c:151:10
#6 0x7f907196f82c in mosquitto_loop_forever /root/mqtt/mosquitto-2.0.4/lib/loop.c:262:9
#7 0x4c9fec in main /root/data-volume/projects/fuzzing/fuzz_subjtects/mosquitto/client/sub_client.c:403:7
#8 0x7f90715d4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x41d76d in _start (/root/data-volume/projects/fuzzing/fuzz_subjtects/mosquitto/client/mosquitto_sub+0x41d76d)
0x6020000001b1 is located 0 bytes to the right of 1-byte region [0x6020000001b0,0x6020000001b1)
allocated by thread T0 here:
#0 0x49878a in malloc /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/data-volume/projects/fuzzing/fuzz_subjtects/mosquitto/client/sub_client.c:149:27 in my_subscribe_callback
Shadow bytes around the buggy address:
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 07 fa fa 00 fa fa fa 00 fa fa fa 00 02
0x0c047fff8010: fa fa 00 02 fa fa 00 00 fa fa fd fd fa fa fd fd
0x0c047fff8020: fa fa 00 00 fa fa fd fd fa fa fd fa fa fa fd fd
=>0x0c047fff8030: fa fa 02 fa fa fa[01]fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2909530==ABORTING
Error: The connection was lost.
Error: The connection was lost.
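The check the trace above points at, as an added example that is not Mosquitto's code: a small SUBACK parser that rejects a body with no reason codes, and an on_subscribe-style callback body that never touches granted_qos[0] unless qos_count is positive. Everything here is hypothetical (parse_suback, format_suback, MAX_GRANTED, the constructed byte sequences); it only mirrors the shape of libmosquitto's callback arguments (mid, qos_count, granted_qos).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_GRANTED 16   /* hypothetical upper bound on topic filters per SUBSCRIBE */

/* Parse the body of an MQTT 3.1.1 SUBACK: a 2-byte packet identifier followed
 * by one return code per topic filter (0, 1, 2 = granted QoS, 0x80 = failure).
 * Returns the number of return codes copied into granted_qos, or -1 for a
 * malformed body. An empty return-code list is rejected here, so a callback
 * downstream never sees qos_count == 0 with a pointer it must not dereference. */
int parse_suback(const uint8_t *body, size_t len, int *mid, int *granted_qos, int max_granted)
{
    if (len < 2) return -1;                        /* packet identifier missing */
    *mid = (body[0] << 8) | body[1];
    if (*mid == 0) return -1;                      /* packet identifier 0 is invalid */
    size_t n = len - 2;
    if (n == 0) return -1;                         /* SUBACK must carry >= 1 return code */
    if (n > (size_t)max_granted) return -1;        /* more codes than filters we sent */
    for (size_t i = 0; i < n; i++) {
        uint8_t rc = body[2 + i];
        if (rc > 2 && rc != 0x80) return -1;       /* reserved value */
        granted_qos[i] = rc;
    }
    return (int)n;
}

/* Body of an on_subscribe-style callback: formats "Subscribed (mid: N): q0, q1"
 * into out without reading past qos_count entries. Returns the number of
 * characters written, or -1 if out is too small. The qos_count check is the
 * guard a callback needs before it reads granted_qos[0]. */
int format_suback(char *out, size_t outlen, int mid, int qos_count, const int *granted_qos)
{
    int off = snprintf(out, outlen, "Subscribed (mid: %d):", mid);
    if (off < 0 || (size_t)off >= outlen) return -1;
    if (qos_count <= 0 || granted_qos == NULL) {
        int k = snprintf(out + off, outlen - (size_t)off, " (no return codes)");
        if (k < 0 || (size_t)k >= outlen - (size_t)off) return -1;
        return off + k;
    }
    for (int i = 0; i < qos_count; i++) {
        int k = snprintf(out + off, outlen - (size_t)off, "%s %d", i ? "," : "", granted_qos[i]);
        if (k < 0 || (size_t)k >= outlen - (size_t)off) return -1;
        off += k;
    }
    return off;
}

int main(void)
{
    /* Constructed SUBACK bodies: mid 1 with QoS 2 granted, and mid 1 with no
     * return codes at all (the shape that yields qos_count == 0). */
    const uint8_t normal[] = { 0x00, 0x01, 0x02 };
    const uint8_t empty[]  = { 0x00, 0x01 };
    int granted[MAX_GRANTED], mid;
    char line[128];

    int n = parse_suback(normal, sizeof normal, &mid, granted, MAX_GRANTED);
    if (n > 0 && format_suback(line, sizeof line, mid, n, granted) > 0) puts(line);

    n = parse_suback(empty, sizeof empty, &mid, granted, MAX_GRANTED);
    printf("empty SUBACK: parse_suback returned %d (rejected before any callback)\n", n);

    /* Even if a parser handed the callback qos_count == 0, the guard copes. */
    if (format_suback(line, sizeof line, 1, 0, NULL) > 0) puts(line);
    return 0;
}
```

Two layers are deliberate: the parser refuses the malformed packet so the callback is never invoked for it, and the callback still checks qos_count because it cannot know which library version called it.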
Do you know any mitigations of the issue?
(Like disabling a configuration option, for example)