From 106675093177335b18521bc0e5ad1d95343ad652 Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Tue, 17 Sep 2019 14:56:08 +0100 Subject: Fix for CVE-xxxx-xxxx diff --git a/lib/util_topic.c b/lib/util_topic.c index 67b7878..673cc6c 100644 --- a/lib/util_topic.c +++ b/lib/util_topic.c @@ -49,14 +49,25 @@ Contributors: int mosquitto_pub_topic_check(const char *str) { int len = 0; +#ifdef WITH_BROKER + int hier_count = 0; +#endif while(str && str[0]){ if(str[0] == '+' || str[0] == '#'){ return MOSQ_ERR_INVAL; } +#ifdef WITH_BROKER + else if(str[0] == '/'){ + hier_count++; + } +#endif len++; str = &str[1]; } if(len > 65535) return MOSQ_ERR_INVAL; +#ifdef WITH_BROKER + if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL; +#endif return MOSQ_ERR_SUCCESS; } @@ -64,6 +75,9 @@ int mosquitto_pub_topic_check(const char *str) int mosquitto_pub_topic_check2(const char *str, size_t len) { size_t i; +#ifdef WITH_BROKER + int hier_count = 0; +#endif if(len > 65535) return MOSQ_ERR_INVAL; @@ -71,7 +85,15 @@ int mosquitto_pub_topic_check2(const char *str, size_t len) if(str[i] == '+' || str[i] == '#'){ return MOSQ_ERR_INVAL; } +#ifdef WITH_BROKER + else if(str[i] == '/'){ + hier_count++; + } +#endif } +#ifdef WITH_BROKER + if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL; +#endif return MOSQ_ERR_SUCCESS; } @@ -87,6 +109,10 @@ int mosquitto_sub_topic_check(const char *str) { char c = '\0'; int len = 0; +#ifdef WITH_BROKER + int hier_count = 0; +#endif + while(str && str[0]){ if(str[0] == '+'){ if((c != '\0' && c != '/') || (str[1] != '\0' && str[1] != '/')){ @@ -97,11 +123,19 @@ int mosquitto_sub_topic_check(const char *str) return MOSQ_ERR_INVAL; } } +#ifdef WITH_BROKER + else if(str[0] == '/'){ + hier_count++; + } +#endif len++; c = str[0]; str = &str[1]; } if(len > 65535) return MOSQ_ERR_INVAL; +#ifdef WITH_BROKER + if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL; +#endif return MOSQ_ERR_SUCCESS; } @@ -110,6 +144,9 @@ int mosquitto_sub_topic_check2(const char *str, size_t len) { char c = '\0'; size_t i; +#ifdef WITH_BROKER + int hier_count = 0; +#endif if(len > 65535) return MOSQ_ERR_INVAL; @@ -123,8 +160,16 @@ int mosquitto_sub_topic_check2(const char *str, size_t len) return MOSQ_ERR_INVAL; } } +#ifdef WITH_BROKER + else if(str[i] == '/'){ + hier_count++; + } +#endif c = str[i]; } +#ifdef WITH_BROKER + if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL; +#endif return MOSQ_ERR_SUCCESS; } diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h index 25d4a5b..322c6a8 100644 --- a/src/mosquitto_broker_internal.h +++ b/src/mosquitto_broker_internal.h @@ -73,6 +73,9 @@ Contributors: #define WEBSOCKET_CLIENT -2 + +#define TOPIC_HIERARCHY_LIMIT 200 + /* ======================================== * UHPA data types * ======================================== */ diff --git a/src/subs.c b/src/subs.c index aae3266..c059874 100644 --- a/src/subs.c +++ b/src/subs.c @@ -220,6 +220,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics) int start, stop, tlen; int i; char *topic; + int count = 0; assert(subtopic); assert(topics); @@ -242,6 +243,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics) stop = 0; for(i=start; i TOPIC_HIERARCHY_LIMIT){ + /* Set limit on hierarchy levels, to restrict stack usage. */ + goto cleanup; + } + return MOSQ_ERR_SUCCESS; cleanup: -- 2.20.1