Description:
In MQTTDeserialize_subscribe(), the index is not checked when writing into the array topicFilters and requestedQoSs: the maximum length (stored in maxcount) of these two buffers is not even checked by the function, which may lead to OOB writes of any length when processing a malformed packet.
Raised first here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=577965
Created attachment 287734: poc.c
Project and Version:
eclipse/paho.mqtt.embedded-c, latest master branch (commit 29ab2aa)
Location:
MQTTPacket/src/MQTTSubscribeServer.c:MQTTDeserialize_subscribe()
Description:
In MQTTDeserialize_subscribe(), the index is not checked when writing into the array topicFilters and requestedQoSs: the maximum length (stored in maxcount) of these two buffers is not even checked by the function, which may lead to OOB writes of any length when processing a malformed packet.
Steps to Reproduce:
poc.c
Environment:
Linux 5.11.0-40-generic #44~20.04.2-Ubuntu SMP Tue Oct 26 18:07:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc: gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
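The bound the report says is missing, shown as an added example (not the paho code and not the report's poc.c): a simplified stand-alone parser for the SUBSCRIBE topic-filter list that checks the index against maxcount before every write. The names parse_subscribe_payload, topic_ref and parse_sample, and the sample payload, are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical view of one topic filter; points into the packet buffer. */
struct topic_ref { const uint8_t *data; uint16_t len; };

/* Parse an MQTT 3.1.1 SUBSCRIBE payload (bytes after the packet identifier):
 * repeated [2-byte big-endian length][topic filter][requested QoS byte].
 * Returns the number of entries stored, or -1 if the payload is malformed
 * or has more entries than the caller's arrays (maxcount) can hold. */
int parse_subscribe_payload(const uint8_t *p, size_t len, int maxcount,
                            struct topic_ref filters[], int qos[])
{
    const uint8_t *end = p + len;
    int count = 0;

    while (p < end) {
        /* Bound the index before any write into the caller's arrays. */
        if (count >= maxcount)
            return -1;
        if (end - p < 2)
            return -1;                  /* truncated length prefix */
        size_t flen = ((size_t)p[0] << 8) | p[1];
        p += 2;
        if ((size_t)(end - p) < flen + 1)
            return -1;                  /* filter or QoS byte runs past the end */
        if (p[flen] > 2)
            return -1;                  /* requested QoS must be 0, 1 or 2 */
        filters[count].data = p;
        filters[count].len = (uint16_t)flen;
        qos[count] = p[flen];
        p += flen + 1;
        count++;
    }
    return count > 0 ? count : -1;      /* at least one entry is required */
}

/* Constructed sample payload: filters "a", "b", "c", each with QoS 1. */
static const uint8_t sample_payload[] = {
    0x00, 0x01, 'a', 0x01,  0x00, 0x01, 'b', 0x01,  0x00, 0x01, 'c', 0x01,
};

/* Parse the first `len` bytes of the sample into arrays with `room` slots (room <= 4). */
int parse_sample(size_t len, int room)
{
    struct topic_ref f[4];
    int q[4];
    return parse_subscribe_payload(sample_payload, len, room, f, q);
}
```

With three entries in the packet and room for only two, the parser rejects the packet instead of writing a third element.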