[lwip-devel] [bug #61479] MQTT: DoS caused by unsigned integer overflow

From: Hyeonsu Kim
Subject: [lwip-devel] [bug #61479] MQTT: DoS caused by unsigned integer overflow
Date: Sun, 14 Nov 2021 01:31:20 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44


                 Summary: MQTT: DoS caused by unsigned integer overflow
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: icekrim
            Submitted on: Sun 14 Nov 2021 06:31:19 AM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head



An integer overflow in mqtt_parse_incoming of src/apps/mqtt/mqtt.c allows
attackers to perform a Denial of Service via an MQTT packet with a fixed header
length of 256 bytes or more.


mqtt.c, line 866:

  while (p->tot_len > in_offset) {
    if ((fixed_hdr_len < 2) || ((b & 0x80) != 0)) {
      if (fixed_hdr_len < client->msg_idx) {
        /* header byte already buffered: re-read it from rx_buffer */
        b = client->rx_buffer[fixed_hdr_len];
      } else {
        /* take the next byte from the pbuf and buffer it */
        b = pbuf_get_at(p, in_offset++);
        client->rx_buffer[client->msg_idx++] = b;
      }
      fixed_hdr_len++;   /* u8: wraps back to 0 after 255 */
      if (fixed_hdr_len >= 2) {
        msg_rem_len |= (u32_t)(b & 0x7f) << ((fixed_hdr_len - 2) * 7);
        if ((b & 0x80) == 0) {
          /* ... */

If it receives a packet of 256 bytes with (b & 0x80) == 1 for every byte, it goes
into an infinite loop and the device stops (like [0x80]*256).

This is because fixed_hdr_len, which is of type u8, can never be larger than
client->msg_idx (in this case 256), so in_offset cannot be increased.

I have completed the PoC on an STM32 board I own, and I will prepare a Linux
port if necessary. Thank you.


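The loop above can be exercised without a board. What follows is an added example written for this page, not lwIP code and not the reporter's PoC: it re-creates the fixed-header part of the parse loop over a flat byte array (instead of a pbuf chain) with a constructed stand-in for the client struct, caps the number of loop iterations so a non-advancing loop is reported instead of hanging the process, and feeds it a constructed header of 257 bytes of 0x80 so that bytes remain to parse once in_offset stops moving. The `bounded` flag is my own hardening idea, derived from MQTT 3.1.1 section 2.2.3 (Remaining Length occupies at most 4 bytes), and is not a claim about how the lwIP project fixed the bug; the names `mqtt_client_sim`, `parse_fixed_header`, `feed`, `demo_long_header` and `demo_two_byte_rem_len` are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t  u8_t;
typedef uint16_t u16_t;
typedef uint32_t u32_t;

/* Constructed stand-in for the fields of lwIP's mqtt_client_t that the fixed
 * header parser touches. The real struct, pbuf chain and payload parsing are
 * not reproduced; the buffer is made large so only the loop logic is tested. */
#define SIM_RX_BUFFER_LEN 512
#define SIM_MAX_SPINS     100000u

struct mqtt_client_sim {
  u8_t  rx_buffer[SIM_RX_BUFFER_LEN];
  u16_t msg_idx;
};

enum hdr_result { HDR_DONE, HDR_NEED_MORE, HDR_STUCK, HDR_REJECT };

struct hdr_parse_out {
  enum hdr_result status;
  u32_t rem_len;    /* decoded Remaining Length when status == HDR_DONE */
  u16_t consumed;   /* bytes taken from pkt, i.e. the report's in_offset */
  unsigned spins;   /* loop iterations executed */
};

/* Fixed-header part of the mqtt_parse_incoming loop over one flat buffer.
 * bounded == 0 keeps the logic from the report (u8 fixed_hdr_len that wraps);
 * bounded == 1 adds an upper bound on the Remaining Length encoding. A loop
 * that reaches SIM_MAX_SPINS iterations is reported as HDR_STUCK. */
static struct hdr_parse_out
parse_fixed_header(struct mqtt_client_sim *client, const u8_t *pkt, u16_t pkt_len, int bounded)
{
  struct hdr_parse_out out = { HDR_NEED_MORE, 0, 0, 0 };
  u16_t in_offset = 0;
  u32_t msg_rem_len = 0;
  u8_t  fixed_hdr_len = 0;   /* u8 as in the report: 255 + 1 == 0 */
  u8_t  b = 0;

  while (pkt_len > in_offset) {
    if ((fixed_hdr_len < 2) || ((b & 0x80) != 0)) {
      if (fixed_hdr_len < client->msg_idx) {
        b = client->rx_buffer[fixed_hdr_len];   /* re-read a buffered header byte; in_offset untouched */
      } else {
        b = pkt[in_offset++];                   /* stands in for pbuf_get_at(p, in_offset++) */
        client->rx_buffer[client->msg_idx++] = b;
      }
      fixed_hdr_len++;

      if (fixed_hdr_len >= 2) {
        unsigned shift = (unsigned)(fixed_hdr_len - 2) * 7u;
        if (shift < 32u) {   /* guard added only to keep the simulation free of C undefined behaviour */
          msg_rem_len |= (u32_t)(b & 0x7f) << shift;
        }
        if ((b & 0x80) == 0) {
          out.status = HDR_DONE;
          out.rem_len = msg_rem_len;
          break;
        }
        /* MQTT 3.1.1 section 2.2.3: Remaining Length uses at most 4 bytes, so a
         * fixed header is at most 5 bytes; a continuation bit here is malformed. */
        if (bounded && fixed_hdr_len >= 5) {
          out.status = HDR_REJECT;
          break;
        }
      }
    }
    if (++out.spins >= SIM_MAX_SPINS) {   /* no progress: would spin forever on the device */
      out.status = HDR_STUCK;
      break;
    }
  }
  out.consumed = in_offset;
  return out;
}

/* Fresh client state, one incoming buffer. */
static struct hdr_parse_out feed(const u8_t *pkt, u16_t len, int bounded)
{
  struct mqtt_client_sim client;
  memset(&client, 0, sizeof(client));
  return parse_fixed_header(&client, pkt, len, bounded);
}

/* The reported input: a fixed header of 0x80 continuation bytes, constructed
 * here as 257 of them so data remains once in_offset stops advancing. */
static struct hdr_parse_out demo_long_header(int bounded)
{
  u8_t pkt[257];
  memset(pkt, 0x80, sizeof(pkt));
  return feed(pkt, (u16_t)sizeof(pkt), bounded);
}

/* A well-formed PUBLISH fixed header with a 2-byte Remaining Length of 128. */
static u32_t demo_two_byte_rem_len(void)
{
  static const u8_t pkt[] = { 0x30, 0x80, 0x01 };
  return feed(pkt, (u16_t)sizeof(pkt), 1).rem_len;
}

int main(void)
{
  struct hdr_parse_out v = demo_long_header(0), h = demo_long_header(1);
  printf("as reported: status=%d consumed=%u spins=%u\n", (int)v.status, (unsigned)v.consumed, v.spins);
  printf("bounded:     status=%d consumed=%u\n", (int)h.status, (unsigned)h.consumed);
  printf("valid 2-byte Remaining Length: %u\n", (unsigned)demo_two_byte_rem_len());
  return 0;
}
```

In the unbounded run the first 256 bytes are consumed one per iteration, fixed_hdr_len wraps to 0, and from then on every iteration takes the `fixed_hdr_len < client->msg_idx` branch and re-reads rx_buffer without ever touching in_offset, which is the condition the report describes; the bounded run refuses the packet after the fifth header byte and never reaches the wrap.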