CVE-2023-34488: [Security]: Vulnerability identified · Issue #1181 · emqx/nanomq
NanoMQ 0.17.5 is vulnerable to heap-buffer-overflow in the conn_handler function of mqtt_parser.c when it processes malformed messages.
Describe the bug
We found a heap-buffer-overflow in conn_handler function of mqtt_parser.c when it processes malformed messages.
Expected behavior
A clear and concise description of what you expected to happen.
Actual Behavior
Heap-buffer-overflow
To Reproduce
start nanomq with ./nanomq start
Send the packet: nc 127.0.0.1 1883 < ./1181-poc.raw
1181-poc.raw.zip
conn_handler function of mqtt_parser.c:602:20
Asan Log
=================================================================
==3700126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000bb3c at pc 0x0000005f287d bp 0x7f8477d97950 sp 0x7f8477d97948
READ of size 1 at 0x60200000bb3c thread T7 (nng:task)
#0 0x5f287c in conn_handler /home/user/nanomq/nng/src/sp/protocol/mqtt/mqtt_parser.c:602:20
#1 0x816b7d in tcptran_pipe_nego_cb /home/user/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:363:13
#2 0x5b467b in nni_taskq_thread /home/user/nanomq/nng/src/core/taskq.c:50:4
#3 0x5b7d4c in nni_thr_wrap /home/user/nanomq/nng/src/core/thread.c:94:3
#4 0x5c78e0 in nni_plat_thr_main /home/user/nanomq/nng/src/platform/posix/posix_thread.c:266:2
#5 0x7f847ddb4608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#6 0x7f847db40132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/…/sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x60200000bb3c is located 0 bytes to the right of 12-byte region [0x60200000bb30,0x60200000bb3c)
allocated by thread T7 (nng:task) here:
#0 0x4adf1d in malloc (/home/user/nanomq/build/nanomq/nanomq+0x4adf1d)
#1 0x81686e in tcptran_pipe_nego_cb /home/user/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:345:18
#2 0x5b467b in nni_taskq_thread /home/user/nanomq/nng/src/core/taskq.c:50:4
#3 0x5b7d4c in nni_thr_wrap /home/user/nanomq/nng/src/core/thread.c:94:3
#4 0x5c78e0 in nni_plat_thr_main /home/user/nanomq/nng/src/platform/posix/posix_thread.c:266:2
#5 0x7f847ddb4608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
Thread T7 (nng:task) created by T0 here:
#0 0x498cca in pthread_create (/home/user/nanomq/build/nanomq/nanomq+0x498cca)
#1 0x5c766e in nni_plat_thr_init /home/user/nanomq/nng/src/platform/posix/posix_thread.c:279:7
#2 0x5b74de in nni_thr_init /home/user/nanomq/nng/src/core/thread.c:121:12
#3 0x5b3c6f in nni_taskq_init /home/user/nanomq/nng/src/core/taskq.c:95:8
#4 0x57bb04 in nni_init_helper /home/user/nanomq/nng/src/core/init.c:35:13
#5 0x5c7ef2 in nni_plat_init /home/user/nanomq/nng/src/platform/posix/posix_thread.c:422:12
#6 0x61b6bd in nni_proto_mqtt_open /home/user/nanomq/nng/src/sp/protocol.c:37:12
#7 0x544f4b in broker /home/user/nanomq/nanomq/apps/broker.c:871:25
#8 0x54ea34 in broker_start /home/user/nanomq/nanomq/apps/broker.c:1602:7
#9 0x7f847da45082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/…/csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/nanomq/nng/src/sp/protocol/mqtt/mqtt_parser.c:602:20 in conn_handler
Shadow bytes around the buggy address:
0x0c047fff9710: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9720: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9730: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff9740: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9750: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff9760: fa fa fd fd fa fa 00[04]fa fa 00 01 fa fa fa fa
0x0c047fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3700126==ABORTING
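The report above shows a 1-byte read at offset 0 past a 12-byte heap region while conn_handler parses the incoming CONNECT. As an added example, not NanoMQ's code and not its fix, this is a bounds-checked reader for the MQTT CONNECT variable header: every read is validated against the bytes actually received, so a truncated or malformed packet is rejected instead of read past the buffer. The packet bytes are constructed for illustration.

```c
/* Added example (not NanoMQ's code, not the fix): a bounds-checked reader
 * for the MQTT CONNECT variable header. Every read is checked against the
 * bytes actually received, so a truncated packet is rejected rather than
 * read past the end of the heap buffer as in the ASan report above. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct cursor { const uint8_t *buf; size_t len; size_t pos; };
static bool rd_u8(struct cursor *c, uint8_t *out) {      /* one byte */
    if (c->len - c->pos < 1) return false;
    *out = c->buf[c->pos++];
    return true;
}

static bool rd_u16(struct cursor *c, uint16_t *out) {    /* big-endian u16 */
    if (c->len - c->pos < 2) return false;
    *out = (uint16_t)((c->buf[c->pos] << 8) | c->buf[c->pos + 1]);
    c->pos += 2;
    return true;
}

/* Length-prefixed string: the declared length must fit in what remains. */
static bool rd_str(struct cursor *c, const uint8_t **s, uint16_t *n) {
    if (!rd_u16(c, n)) return false;
    if (c->len - c->pos < *n) return false;
    *s = c->buf + c->pos;
    c->pos += *n;
    return true;
}

/* Parse protocol name, level, connect flags and keep-alive. Returns true
 * only if every field lies inside buf[0..len). */
bool parse_connect_vh(const uint8_t *buf, size_t len, uint8_t *level,
                      uint8_t *flags, uint16_t *keepalive) {
    struct cursor c = { buf, len, 0 };
    const uint8_t *name; uint16_t nlen;
    if (!rd_str(&c, &name, &nlen)) return false;
    if (nlen != 4 || memcmp(name, "MQTT", 4) != 0) return false;
    return rd_u8(&c, level) && rd_u8(&c, flags) && rd_u16(&c, keepalive);
}

/* Constructed inputs: a well-formed header, and one cut off after two of
 * the four declared protocol-name bytes. Returns 1 if both are handled. */
int demo_checks(void) {
    static const uint8_t good[] = { 0, 4, 'M', 'Q', 'T', 'T', 4, 2, 0, 60 };
    static const uint8_t cut[]  = { 0, 4, 'M', 'Q' };
    uint8_t lv, fl; uint16_t ka;
    return parse_connect_vh(good, sizeof good, &lv, &fl, &ka) && ka == 60 &&
           !parse_connect_vh(cut, sizeof cut, &lv, &fl, &ka);
}
```

Compiling the broker with -fsanitize=address, as the reporter did, is the complementary check: it turns a silent over-read like this into the abort shown above.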
Environment Details
- NanoMQ version: 0.17.5 (da4d3c8)
- Operating system and version: Ubuntu 20.04
- Compiler and language used: gcc 9.4.0, clang 10.0.0
- testing scenario: Run the broker (built with ASAN and TSAN) with the ./nanomq start command