[lwip-devel] [bug #65920] mqtt_parse_incoming may cause dead loop when MQTT client parses invalid remaining length in fixed header
From: xiaoyanhao
Subject: [lwip-devel] [bug #65920] mqtt_parse_incoming may cause dead loop when MQTT client parses invalid remaining length in fixed header
Date: Tue, 25 Jun 2024 12:01:27 -0400 (EDT)
URL:
<https://savannah.nongnu.org/bugs/?65920>
Summary: mqtt_parse_incoming may cause dead loop when MQTT client parses invalid remaining length in fixed header
Group: lwIP - A Lightweight TCP/IP stack
Submitter: xiaoyanhao
Submitted: Tue 25 Jun 2024 04:01:26 PM UTC
Category: apps
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: 2.2.0
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Tue 25 Jun 2024 04:01:26 PM UTC By: xiaoyanhao <xiaoyanhao>
Fixed header format of an MQTT Control Packet:

Bit       | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
byte 1    | MQTT Control Packet type | Flags |
byte 2... | Remaining Length                 |
> The Remaining Length is the number of bytes remaining within the current
> packet, including data in the variable header and the payload. The Remaining
> Length does not include the bytes used to encode the Remaining Length.

> The Remaining Length is encoded using a variable length encoding scheme
> which uses a single byte for values up to 127. Larger values are handled as
> follows. The least significant seven bits of each byte encode the data, and
> the most significant bit is used to indicate that there are following bytes in
> the representation. Thus each byte encodes 128 values and a "continuation
> bit". The maximum number of bytes in the Remaining Length field is four.

When the most significant bit (continuation bit) is always set in the Remaining
Length, such as 0xFF 0xFF 0xFF 0xFF, it would cause a dead loop.
while (p->tot_len > in_offset) {
  if ((fixed_hdr_len < 2) || ((b & 0x80) != 0)) { // b & 0x80 is always true
    fixed_hdr_len++;
    if (fixed_hdr_len >= 2) { // always true

The fixed_hdr_len should be less than or equal to 5 bytes.
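As an added example (not lwIP's own mqtt.c code), a Remaining Length decoder that enforces the four-byte maximum from the spec text quoted above, so a run of continuation bits such as 0xFF 0xFF 0xFF 0xFF is reported as malformed instead of being looped on. It works on a flat byte buffer rather than lwIP's pbuf chain, and the function and enum names are hypothetical.

```c
/* Added example, not lwIP's code: bounded MQTT Remaining Length decoder.
 * The spec allows 1..4 bytes, so the loop is capped at four iterations
 * regardless of the continuation bits, which is what prevents a dead loop. */
#include <stddef.h>
#include <stdint.h>

#define MQTT_REMAINING_LEN_MAX_BYTES 4  /* spec maximum */

/* Result codes for this example (hypothetical names, not lwIP's). */
enum rl_status {
  RL_OK = 0,     /* decoded; *out_len and *consumed are valid */
  RL_NEED_MORE,  /* buffer ended while the continuation bit was still set */
  RL_MALFORMED   /* continuation bit still set after four bytes */
};

/* Decode the Remaining Length starting at buf[0] (flat buffer, not a pbuf).
 * On RL_OK, *out_len receives the value and *consumed the bytes used (1..4). */
enum rl_status mqtt_decode_remaining_length(const uint8_t *buf, size_t len,
                                            uint32_t *out_len, size_t *consumed)
{
  uint32_t value = 0;
  uint32_t multiplier = 1;   /* 1, 128, 128^2, 128^3 */
  size_t i;

  for (i = 0; i < MQTT_REMAINING_LEN_MAX_BYTES; i++) {
    uint8_t b;
    if (i >= len) {
      return RL_NEED_MORE;   /* wait for more input instead of spinning */
    }
    b = buf[i];
    value += (uint32_t)(b & 0x7F) * multiplier;
    if ((b & 0x80) == 0) {   /* continuation bit clear: field complete */
      *out_len = value;
      *consumed = i + 1;
      return RL_OK;
    }
    multiplier *= 128;
  }
  /* Four bytes consumed and the continuation bit is still set (for example
   * 0xFF 0xFF 0xFF 0xFF): invalid per the spec, so the caller should drop the
   * packet or close the connection rather than keep parsing. */
  return RL_MALFORMED;
}
```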
_______________________________________________________
File Attachments:
-------------------------------------------------------
Name: mqtt.c Size: 48KiB
<https://file.savannah.nongnu.org/file/mqtt.c?file_id=56205>