Headline
CVE-2023-5632: 100% CPU usage in case the client doesn't send data - bug fix by przemyslawzygmunt · Pull Request #2053 · eclipse/mosquitto
In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6
Hi.
It is very easy to make Mosquitto use 100% of the CPU. Just run the command:
openssl s_client -connect mosquitt-server: 8883
I ran a look at the server code today and found the cause of the problem.
Until a timeout occurs, the server will continue to execute the main loop without pausing. This is because epoll_wait gets the EPOLLOUT event all the time. Below are two diagrams showing the CPU consumption with and without the fix.
Unfixed (100% CPU):
mosquitto-cpuprof-TooHigh.pdf
with the fix (0.7% CPU):
mosquitto-cpuprof-Normal.pdf
@ralight should check if my patch does not restore the problem that his commit solved
fabdfcc