[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow

From: Hyeonsu Kim
Subject: [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow
Date: Sun, 14 Nov 2021 02:22:58 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44


                 Summary: MQTT: RCE caused by buffer overflow
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: icekrim
            Submitted on: Sun 14 Nov 2021 07:22:57 AM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head



Integer Overflow in mqtt_parse_incoming of src/apps/mqtt/mqtt.c allows
attackers to perform a Remote Code Execution via MQTT packet with fixed header
length of 129 bytes or more

When the length of fixed_header of mqtt packet is 128 or more, buffer overflow
of virtually infinite length is possible by appropriately setting the header

mqtt.c 893
cpy_len = (u16_t)LWIP_MIN((u16_t)(p->tot_len - in_offset), msg_rem_len);
/* Limit to available space in buffer */
buffer_space = MQTT_VAR_HEADER_BUFFER_LEN - fixed_hdr_len;
if (cpy_len > buffer_space) {
  cpy_len = buffer_space;
/* Adjust cpy_len to ensure zero-copy operation for remaining parts of current
message */
if (client->msg_idx >= MQTT_VAR_HEADER_BUFFER_LEN) {
  if (cpy_len > (p->len - in_offset))
    cpy_len = p->len - in_offset;
var_hdr_payload = (u8_t*)pbuf_get_contiguous(p, client->rx_buffer +
fixed_hdr_len, buffer_space, cpy_len, in_offset);

As described in bug #61479, attacker can make fixed_hdr_len higher than 129.
Because MQTT_VAR_HEADER_BUFFER_LEN is 128, a negative number (in this case -1)
is assigned to buffer_space, so buffer_space becomes a very large number.

cpy_len can be freely changed within the range of u16 type by a hacker by
modifying the remaining length of the MQTT packet. 
Therefore, an attacker can overwrite up to 65535 bytes from client->rx_buffer
+ fixed_hdr_len through pbuf_get_contiguous just by making fixed_hdr_len to
This allows remote code execution in embedded systems to which memory
protection is not applied.

I have completed the POC on the stm32 board I have personally, and I will
prepare linux porting if necessary. Thank you.


Reply to this item at:


  Message sent via Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]