CVE-2023-28366: Fix for CVE-2023-28366 · eclipse/mosquitto@6113eac

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Expand Up @@ -42,6 +42,7 @@ int handle__publish(struct mosquitto *context) uint8_t header = context->in_packet.command; int res = 0; struct mosquitto_msg_store *msg, *stored = NULL; struct mosquitto_client_msg *cmsg_stored = NULL; size_t len; uint16_t slen; char *topic_mount; Expand Down Expand Up @@ -287,24 +288,24 @@ int handle__publish(struct mosquitto *context) }
if(msg->qos > 0){ db__message_store_find(context, msg->source_mid, &stored); db__message_store_find(context, msg->source_mid, &cmsg_stored); }
if(stored && msg->source_mid != 0 && (stored->qos != msg->qos || stored->payloadlen != msg->payloadlen || strcmp(stored->topic, msg->topic) || memcmp(stored->payload, msg->payload, msg->payloadlen) )){ if(cmsg_stored && cmsg_stored->store && msg->source_mid != 0 && (cmsg_stored->store->qos != msg->qos || cmsg_stored->store->payloadlen != msg->payloadlen || strcmp(cmsg_stored->store->topic, msg->topic) || memcmp(cmsg_stored->store->payload, msg->payload, msg->payloadlen) )){
log__printf(NULL, MOSQ_LOG_WARNING, "Reused message ID %u from %s detected. Clearing from storage.", msg->source_mid, context->id); db__message_remove_incoming(context, msg->source_mid); stored = NULL; cmsg_stored = NULL; }
if(!stored){ if(!cmsg_stored){ if(msg->qos == 0 || db__ready_for_flight(context, mosq_md_in, msg->qos) || db__ready_for_queue(context, msg->qos, &context->msgs_in)){ ){
dup = 0; rc = db__message_store(context, msg, message_expiry_interval, 0, mosq_mo_client); Expand All @@ -316,10 +317,13 @@ int handle__publish(struct mosquitto *context) } stored = msg; msg = NULL; dup = 0; }else{ db__msg_store_free(msg); msg = NULL; dup = 1; stored = cmsg_stored->store; cmsg_stored->dup++; dup = cmsg_stored->dup; }
switch(stored->qos){ Expand All @@ -345,11 +349,17 @@ int handle__publish(struct mosquitto *context) }else{ res = 0; }
/* db__message_insert() returns 2 to indicate dropped message * due to queue. This isn’t an error so don’t disconnect them. */ /* FIXME - this is no longer necessary due to failing early above */ if(!res){ if(send__pubrec(context, stored->source_mid, 0, NULL)) rc = 1; if(dup == 0 || dup == 1){ rc2 = send__pubrec(context, stored->source_mid, 0, NULL); if(rc2) rc = rc2; }else{ return MOSQ_ERR_PROTOCOL; } }else if(res == 1){ rc = 1; } Expand All @@ -374,6 +384,9 @@ int handle__publish(struct mosquitto *context) } db__msg_store_free(msg); } if(context->out_packet_count >= db.config->max_queued_messages){ rc = MQTT_RC_QUOTA_EXCEEDED; } return rc; }
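Review bot: in the @@ -287,24 +288,24 @@ and @@ -316,10 +317,13 @@ hunks, the reuse check guards on `cmsg_stored && cmsg_stored->store && ...`, so a client message entry with a NULL `store` is clearly anticipated, but the new `else` branch then does `stored = cmsg_stored->store;` with no such guard, and the `switch(stored->qos)` that follows would dereference NULL. Either treat a `cmsg_stored` whose `store` is NULL the same as `!cmsg_stored` (fall into the re-store path) or assert the invariant where the entry is created, so an inconsistent client-message entry on the duplicate-ID path cannot crash the broker.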
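Review bot: in the @@ -345,11 +349,17 @@ hunk, `return MOSQ_ERR_PROTOCOL;` leaves handle__publish without passing through the function's common exit (`db__msg_store_free(msg); ... return rc;`), which is safe only because `msg` has already been set to NULL in both branches of the earlier hunk; prefer `rc = MOSQ_ERR_PROTOCOL;` and fall through so later cleanup added at the exit is not silently bypassed. `rc2` is assigned here but its declaration is not in any visible hunk (the @@ -42,6 +42,7 @@ hunk only adds `cmsg_stored`), so confirm it is declared and initialised next to `rc`. The `dup == 0 || dup == 1` test is also a new policy (once `cmsg_stored->dup` has been incremented past 1, a client resending the same unacknowledged QoS 2 message ID is now disconnected with a protocol error); give the threshold a named constant and note the behaviour change in the commit message or changelog so operators can recognise the resulting disconnects in their logs.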
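Review bot: in the @@ -374,6 +384,9 @@ hunk, `rc = MQTT_RC_QUOTA_EXCEEDED;` is assigned unconditionally, so it overwrites any error already in `rc` (for example the `rc = 1` set after a failed send__pubrec above) and mixes an MQTT reason code into a return value that elsewhere in this function carries MOSQ_ERR_* codes (`return MOSQ_ERR_PROTOCOL`); guard it with `if(rc == MOSQ_ERR_SUCCESS && ...)` and confirm the callers map both namespaces correctly. Also check the case where max_queued_messages is configured as 0, if 0 is used to mean unlimited: with `>=` the comparison would be true for every PUBLISH, so an explicit `db.config->max_queued_messages > 0 &&` term would be needed.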

Related news

Red Hat Security Advisory 2024-1061-03

Red Hat Security Advisory 2024-1061-03 - An update is now available for Red Hat Satellite 6.13 for RHEL 8. Issues addressed include memory leak and server-side request forgery vulnerabilities.

Red Hat Security Advisory 2024-0797-03

Red Hat Security Advisory 2024-0797-03 - Updated Satellite 6.14 packages that fix important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include HTTP request smuggling, buffer overflow, denial of service, and memory leak vulnerabilities.

Gentoo Linux Security Advisory 202401-09

Gentoo Linux Security Advisory 202401-9 - Multiple vulnerabilities have been found in Eclipse Mosquitto which could result in denial of service. Versions greater than or equal to 2.0.17 are affected.

Ubuntu Security Notice USN-6492-1

Ubuntu Security Notice 6492-1 - Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain inputs. If a user or an automated system were provided with a specially crafted input, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If a user or an automated system were provided with a specially crafted input, a remote attacker could possibly use this issue to cause an authorisation bypass. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04.

CVE-2023-0809: Version 2.0.16 released.

In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.

Debian Security Advisory 5511-1

Debian Linux Security Advisory 5511-1 - Several security vulnerabilities have been discovered in mosquitto, an MQTT-compatible message broker, which may be abused for a denial of service attack.
