Heap Use After Free bug in mqtt_packet_destroy function at src/mqtt.c:578:54 #9

Open
Terminator111 opened this issue Nov 5, 2024 · 0 comments

I triggered a stack-buffer-overflow (heap-use-after-free) bug reported by AddressSanitizer when fuzzing sol. It occurs when memory that has already been freed is accessed again. According to the AddressSanitizer output, the issue originates in the mqtt_packet_destroy function at line 578 in mqtt.c. The memory was originally allocated in process_message but was later freed in unsubscribe_handler in handlers.c. Despite being freed, this memory is accessed again, likely due to a stale pointer or a lack of proper cleanup. This error can lead to undefined behavior and potential program crashes. To fix it, ensure that pointers to freed memory are nullified or properly checked before reuse.

Affected Code:

void mqtt_packet_destroy(struct mqtt_packet *pkt) {
    /* Release the heap-owned parts of a parsed packet, by packet type. */
    switch (pkt->header.bits.type) {
        case CONNECT:
            if (pkt->connect.bits.username == 1)
                free_memory(pkt->connect.payload.username);
            if (pkt->connect.bits.password == 1)
                free_memory(pkt->connect.payload.password);
            if (pkt->connect.bits.will == 1) {
                free_memory(pkt->connect.payload.will_message);
                free_memory(pkt->connect.payload.will_topic);
            }
            break;
        case SUBSCRIBE:
        case UNSUBSCRIBE:
            /* Reads tuples[i].topic out of the tuples array for each entry,
             * then frees the array itself; nothing here checks whether a
             * handler has already released these buffers. */
            for (unsigned i = 0; i < pkt->subscribe.tuples_len; i++)
                free_memory(pkt->subscribe.tuples[i].topic);
            free_memory(pkt->subscribe.tuples);
            break;
        case SUBACK:
            free_memory(pkt->suback.rcs);
            break;
        case PUBLISH:
            free_memory(pkt->publish.topic);
            free_memory(pkt->publish.payload);
            break;
        default:
            break;
    }
}

Bug info is as follows:

=================================================================
==1923354==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000003560 at pc 0x0000004e1162 bp 0x7fe21cffa9d0 sp 0x7fe21cffa9c8
READ of size 8 at 0x603000003560 thread T2
    #0 0x4e1161 in mqtt_packet_destroy /root/protocolFuzz/mqtt/sol/src/mqtt.c:578:54
    #1 0x4ebdee in process_message /root/protocolFuzz/mqtt/sol/src/server.c
    #2 0x4ebdee in read_callback /root/protocolFuzz/mqtt/sol/src/server.c:784:13
    #3 0x4cd841 in ev_process_event /root/protocolFuzz/mqtt/sol/src/ev.c:586:13
    #4 0x4cd841 in ev_run /root/protocolFuzz/mqtt/sol/src/ev.c:685:34
    #5 0x4eab8c in eventloop_start /root/protocolFuzz/mqtt/sol/src/server.c:925:5
    #6 0x7fe223d62608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477:8
    #7 0x7fe223766352 in clone /build/glibc-LcI20x/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x603000003560 is located 16 bytes inside of 24-byte region [0x603000003550,0x603000003568)
freed by thread T2 here:
    #0 0x496afd in free (/root/protocolFuzz/mqtt/sol/build/sol+0x496afd)
    #1 0x4dbda4 in unsubscribe_handler /root/protocolFuzz/mqtt/sol/src/handlers.c:671:5

previously allocated by thread T2 here:
    #0 0x496d7d in malloc (/root/protocolFuzz/mqtt/sol/build/sol+0x496d7d)
    #1 0x4df947 in try_alloc /root/protocolFuzz/mqtt/sol/src/memory.c:47:17
    #2 0x4df947 in try_realloc /root/protocolFuzz/mqtt/sol/src/memory.c:80:16
    #3 0x4ebb56 in process_message /root/protocolFuzz/mqtt/sol/src/server.c:853:5
    #4 0x4ebb56 in read_callback /root/protocolFuzz/mqtt/sol/src/server.c:784:13
    #5 0x4cd841 in ev_process_event /root/protocolFuzz/mqtt/sol/src/ev.c:586:13
    #6 0x4cd841 in ev_run /root/protocolFuzz/mqtt/sol/src/ev.c:685:34
    #7 0x4eab8c in eventloop_start /root/protocolFuzz/mqtt/sol/src/server.c:925:5
    #8 0x7fe223d62608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477:8

Thread T2 created by T0 here:
    #0 0x481b2a in pthread_create (/root/protocolFuzz/mqtt/sol/build/sol+0x481b2a)
    #1 0x4e9d4e in start_server /root/protocolFuzz/mqtt/sol/src/server.c:996:9
    #2 0x4ef5cd in main /root/protocolFuzz/mqtt/sol/src/sol.c:127:5

SUMMARY: AddressSanitizer: heap-use-after-free /root/protocolFuzz/mqtt/sol/src/mqtt.c:578:54 in mqtt_packet_destroy
==1923354==ABORTING
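As an added illustration (not sol's code and not from the reporter): a minimal model of the ownership hand-off the trace describes, where a handler frees the subscribe tuples and the destroy path later walks the same array. The struct names, the counting alloc_memory/free_memory wrappers and the two topic filters are all constructed here; the hardened handler clears what it freed so the guarded destroy path has nothing left to touch.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed shapes standing in for sol's subscribe tuples (not the project's types). */
struct topic_tuple { char *topic; unsigned char qos; };
struct packet { struct topic_tuple *tuples; unsigned tuples_len; };

/* Counting wrappers stand in for sol's alloc/free helpers (assumption). */
static int live_allocs = 0;
static void *alloc_memory(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void free_memory(void *p) { if (p) { live_allocs--; free(p); } }

static void free_tuples(struct packet *pkt) {
    for (unsigned i = 0; i < pkt->tuples_len; i++)
        free_memory(pkt->tuples[i].topic);
    free_memory(pkt->tuples);
}

/* Constructed input: an UNSUBSCRIBE packet carrying two topic filters. */
static void build_packet(struct packet *pkt) {
    const char *topics[] = { "sensors/+/temp", "alerts/#" };
    pkt->tuples = alloc_memory(2 * sizeof *pkt->tuples);
    pkt->tuples_len = pkt->tuples ? 2 : 0;
    for (unsigned i = 0; i < pkt->tuples_len; i++) {
        pkt->tuples[i].topic = alloc_memory(strlen(topics[i]) + 1);
        if (pkt->tuples[i].topic) strcpy(pkt->tuples[i].topic, topics[i]);
        pkt->tuples[i].qos = 0;
    }
}

/* Handler that consumes the tuples but leaves the stale pointer in the packet:
 * the shape of the bug in the trace, where the destroy path frees them again. */
static void handler_stale(struct packet *pkt) { free_tuples(pkt); }

/* Hardened handler: clear what it freed so the destroy path has nothing left. */
static void handler_fixed(struct packet *pkt) { free_tuples(pkt); pkt->tuples = NULL; pkt->tuples_len = 0; }

/* Destroy path, guarded: a cleared tuples pointer means ownership already moved. */
static void packet_destroy(struct packet *pkt) { if (pkt->tuples != NULL) free_tuples(pkt); }

/* Returns 1 when the handler left a dangling tuples pointer for destroy to reuse. */
int stale_pointer_after_handler(void) {
    struct packet pkt; build_packet(&pkt); handler_stale(&pkt);
    return pkt.tuples != NULL && pkt.tuples_len != 0;  /* → 1: destroy would read freed memory */
}

/* Returns live allocations after handler_fixed + packet_destroy: 0 means each block freed once. */
int leaks_after_fixed_flow(void) {
    live_allocs = 0;
    struct packet pkt; build_packet(&pkt); handler_fixed(&pkt); packet_destroy(&pkt);
    return live_allocs;  /* → 0 */
}
```

The same counter check, run under ASan in a unit test, would flag the stale flow as a heap-use-after-free exactly like the report above, while the fixed flow passes with every block freed once.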