Headline
CVE-2020-13410: fix: catch writeToStream errors by robertsLando · Pull Request #493 · moscajs/aedes
An issue was discovered in MoscaJS Aedes 0.42.0. lib/write.js does not properly consider exceptions during the writing of an invalid packet to a stream.
@mcollina I’m 👍 for the test but why isn’t this working?
```js
// Catch invalid packet writeToStream errors
test('reject client requested for unsupported protocol version', function (t) {
  t.plan(3)

  const broker = aedes()
  t.tearDown(broker.close.bind(broker))

  const s = setup(broker)

  var packet = [
    16, 22, 0, 4, 77, 81, 84, 84, 4, 2, 0, 0, 0, 10,
    109, 121, 99, 108, 105, 101, 110, 116, 105, 100, 85, 0
  ]

  s.inStream.write(Buffer.from(packet))

  s.outStream.on('data', function (packet) {
    t.fail('no data sent')
  })

  broker.on('connectionError', function (client, err) {
    t.equal(client.version, null)
    t.equal(err.message, 'Unknown command')
    t.equal(broker.connectedClients, 0)
  })
})
```
I mean, it works as a test but it doesn’t make that function throw.
P.S.: I asked the guy from the email to try this fix and he told me that this has fixed the bug 🎉
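
The failure mode named in the CVE description, as an added example that is not code from the pull request or from aedes: a stand-in encoder throws on a packet it cannot encode, the unguarded write path lets that exception escape, and the guarded path turns it into an error on the offending connection only. The `writeToStream` stub, the client objects, the job list and all other function names are hypothetical and constructed for illustration.

```javascript
// Hypothetical stand-in encoder (not mqtt-packet): throws on a packet it cannot encode.
function writeToStream (packet, stream) {
  if (typeof packet.topic !== 'string' || !packet.topic) throw new Error('Invalid topic')
  stream.write(Buffer.from(packet.topic + '=' + packet.payload))
}

// In-memory connection so the example runs offline.
function makeClient (id) {
  const client = { id, sent: [], errors: [], closed: false }
  client.conn = { write: (chunk) => client.sent.push(chunk.toString()) }
  return client
}

// Unguarded write: an encoder exception propagates out of the broker's write path.
function writeUnguarded (client, packet, done) {
  writeToStream(packet, client.conn)
  done(null)
}

// Guarded write: the exception becomes an error on the offending connection, which is closed.
function writeGuarded (client, packet, done) {
  try {
    writeToStream(packet, client.conn)
  } catch (err) {
    client.errors.push(err.message)
    client.closed = true
    return done(err)
  }
  done(null)
}

// The outer try/catch stands in for the process boundary (uncaught there, Node.js exits).
function runBroker (write, jobs) {
  const served = []
  try {
    for (const [client, packet] of jobs) {
      write(client, packet, (err) => { if (!err) served.push(client.id) })
    }
  } catch (err) { return { served, crashed: err.message } }
  return { served, crashed: null }
}

// Constructed sample input: the second packet has no topic and cannot be encoded.
const sampleJobs = () => [
  [makeClient('a'), { topic: 't/1', payload: 'on' }],
  [makeClient('b'), { payload: 'x' }],
  [makeClient('c'), { topic: 't/2', payload: 'off' }]
]
```

With `writeUnguarded`, client `c` is never served because the exception aborts everything after the bad packet; with `writeGuarded`, only `b` is closed and delivery continues.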