[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow
|
From: |
Wouter van Gulik |
|
Subject: |
[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow |
|
Date: |
Sun, 2 Jan 2022 17:55:09 -0500 (EST) |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0 |
Follow-up Comment #5, bug #61480 (project lwip):
One of the thins I do not get my head around is the use of pbuf_get_contiguous
combined with the handling of a publish message. The publish message stills
checks for sizeof(rx_buffer). Which is totally bogus if we receive a message
via the zero-copy mechanism.
This means any publish message large than MQTT_VAR_HEADER_BUFFER_LEN will be
dropped, while, if in one pbuf, could be parsed by mqtt_message_received.
However if the topic would be split in multiple pbufs the
mqtt_message_received function would still fail; the function can only
properly handle a topic if received all at once.
This all-at-once behaviour is 'documented' by the comments on
MQTT_VAR_HEADER_BUFFER_LEN. It states the buffer should be large enough to
handle the maximum topic length.
So I my current guess is: removing the checks against
MQTT_VAR_HEADER_BUFFER_LEN (via var_hdr_payload_bufsize) in the publish
handling is a sensible thing todo; topic should be in a contigious buffer.
Either the rx buffer or a single pbuf.
The checks seem to be a 'left over' from before the pbuf_get_contiguous
addition.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?61480>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow,
Wouter van Gulik <=