Headline
CVE-2023-33656: GitHub - emqx/nanomq: An ultra-lightweight and blazing-fast MQTT broker for IoT edge
A memory leak vulnerability exists in NanoMQ 0.17.2. The vulnerability is located in the file message.c. An attacker could exploit this vulnerability to cause a denial of service attack by causing the program to consume all available memory resources.
NanoMQ
NanoMQ MQTT Broker (NanoMQ) is a lightweight and blazing-fast MQTT Broker for the IoT Edge platform.
NanoMQ is based on NNG’s asynchronous I/O threading model, with an extension of MQTT support in the protocol layer and a reworked transport layer, plus an enhanced asynchronous I/O mechanism that maximizes overall capacity.
NanoMQ fully supports MQTT V3.1.1 and MQTT V5.0.
For more information, please visit the NanoMQ homepage.
Features
- Cost-effective on an embedded platform;
- Fully based on native POSIX. High compatibility;
- Pure C implementation. High portability;
- Fully asynchronous I/O and multi-threading;
- Good support for SMP;
- Low latency & High handling capacity;
Get Started
Run NanoMQ using Docker
docker run -d --name nanomq -p 1883:1883 -p 8083:8083 -p 8883:8883 emqx/nanomq:latest
More installation options
If you prefer to install and manage NanoMQ yourself, you can download the latest version from nanomq.io/downloads.
Run NanoMQ:
nanomq start
## or run nanomq with a specified configuration file
nanomq start --conf <config_file>
Build From Source
NanoMQ is dedicated to delivering a simple but powerful messaging hub on various edge platforms.
To that end, NanoMQ can run on different architectures such as x86_64 and ARM with minor migration effort.
Building NanoMQ requires a C99-compatible compiler and CMake (version 3.13 or newer).
It is recommended to compile with Ninja:
git clone https://github.com/emqx/nanomq.git
cd nanomq
git submodule update --init --recursive
mkdir build && cd build
cmake -G Ninja ..
ninja
Or compile with make:
git clone https://github.com/emqx/nanomq.git
cd nanomq
git submodule update --init --recursive
mkdir build && cd build
cmake ..
make
Build option
There are some configuration options specified using CMake defines in addition to the standard options like CMAKE_BUILD_TYPE:
- -DNNG_ENABLE_QUIC=ON: to build NanoMQ with QUIC bridging feature
- -DNNG_ENABLE_TLS=ON: to build with TLS support. (Need to install mbedTLS in advance)
- -DBUILD_CLIENT=OFF: to disable nanomq tools client suite (including pub / sub / conn )
- -DBUILD_ZMQ_GATEWAY=ON: to build nanomq_cli with zeromq gateway tool
- -DBUILD_DDS_PROXY=ON: to build nanomq_cli with dds client ( proxy / sub / pub )
- -DBUILD_BENCH=ON: to build nanomq_cli mqtt bench
- -DENABLE_JWT=ON: to build JWT dependency for http server
- -DNNG_ENABLE_SQLITE=ON: to build nanomq with sqlite support
- -DBUILD_STATIC_LIB=ON: to build nanomq as a static library
- -DBUILD_SHARED_LIBS=ON: to build nanomq as a shared library
- -DDEBUG=ON: to enable debug flag
- -DASAN=ON: to enable sanitizer
- -DDEBUG_TRACE=ON: to enable ptrace (ptrace is a mechanism that allows one process to “trace” the execution of another process. The tracer is able to pause execution, and inspect and modify memory and registers in the tracee process)
Resources
NanoMQ
Blog
Official website
MQTT Specifications
- MQTT Version 3.1.1
- MQTT Version 5.0
- MQTT SN
- Unsupported features of MQTT 5.0
- Auth https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901217
- Server Redirection https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901255
MQTT Client Examples
- MQTT-Client-Examples
MQTT Client SDK
- NanoSDK
Internet of Vehicles
- Internet of Vehicles. Build a reliable, efficient, and industry-specific IoV platform based on EMQ’s practical experience, from theoretical knowledge such as protocol selection to practical operations like platform architecture design.
DDS
- CycloneDDS
- DDS proxy on NanoMQ_CLI
Get Involved
Our Website
Visit our official website to have a good grasp on NanoMQ MQTT broker and see how it can be applied in current industries.
Test Report
This test report shows how extraordinary and competitive NanoMQ is in edge computing.
Currently the benchmark is for 0.2.5; an updated one for version 0.3.5 is coming soon.
Questions
GitHub Discussions provides a place for you to ask questions and share your ideas with users around the world.
Slack
You could join us on Slack. We now share a workspace with the entire EMQ X team. After joining, find your channel!
- #nanomq: a channel for general usage, for asking questions or sharing your experience;
- #nanomq-dev: a channel for MQTT lovers and developers; your great thoughts are what we love to hear;
- #nanomq-nng: a channel for those who are interested in NNG, one of our fabulous dependencies.
Community
Some quotes from NNG’s maintainer — Garrett: I’m very excited about the synergy between the NanoMQ and NNG projects, and grateful for sponsorship that NNG has received from the NanoMQ team. The NanoMQ team has been able to push NNG’s envelope, and the collaboration has already yielded substantial improvements for both projects. Further, the cooperation between these two projects will make MQTT and SP (nanomsg) protocols easy to use within a single project as well as other capabilities (such as websockets, HTTPS clients and servers), greatly expanding the toolset within easy reach of the IoT developer. Further this comes without the usual licensing or portability/embeddability challenges that face other projects. Additional planned collaborative work will further expand on these capabilities to the benefit of our shared communities.
Open Source
NanoMQ is fully open-sourced!
License
MIT License
Authors
The EMQ Edge Computing team.