From 84681d9728ceb7f6ea2b6751b4d87200d8a62f14 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Tue, 17 Sep 2019 14:56:08 +0100
Subject: Fix for CVE-xxxx-xxxx
diff --git a/lib/util_mosq.c b/lib/util_mosq.c
index 25bd61d..cfc3ce8 100644
--- a/lib/util_mosq.c
+++ b/lib/util_mosq.c
@@ -143,14 +143,25 @@ uint16_t mosquitto__mid_generate(struct mosquitto *mosq)
 int mosquitto_pub_topic_check(const char *str)
 {
 int len = 0;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
 while(str && str[0]){
 if(str[0] == '+' || str[0] == '#'){
 return MOSQ_ERR_INVAL;
 }
+#ifdef WITH_BROKER
+ else if(str[0] == '/'){
+ hier_count++;
+ }
+#endif
 len++;
 str = &str[1];
 }
 if(len > 65535) return MOSQ_ERR_INVAL;
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
 return MOSQ_ERR_SUCCESS;
 }
@@ -158,6 +169,9 @@ int mosquitto_pub_topic_check(const char *str)
 int mosquitto_pub_topic_check2(const char *str, size_t len)
 {
 int i;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
 if(len > 65535) return MOSQ_ERR_INVAL;
@@ -165,7 +179,15 @@ int mosquitto_pub_topic_check2(const char *str, size_t len)
 if(str[i] == '+' || str[i] == '#'){
 return MOSQ_ERR_INVAL;
 }
+#ifdef WITH_BROKER
+ else if(str[i] == '/'){
+ hier_count++;
+ }
+#endif
 }
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
 return MOSQ_ERR_SUCCESS;
 }
@@ -181,6 +203,10 @@ int mosquitto_sub_topic_check(const char *str)
 {
 char c = '\0';
 int len = 0;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
+
 while(str && str[0]){
 if(str[0] == '+'){
 if((c != '\0' && c != '/') || (str[1] != '\0' && str[1] != '/')){
@@ -191,11 +217,19 @@ int mosquitto_sub_topic_check(const char *str)
 return MOSQ_ERR_INVAL;
 }
 }
+#ifdef WITH_BROKER
+ else if(str[0] == '/'){
+ hier_count++;
+ }
+#endif
 len++;
 c = str[0];
 str = &str[1];
 }
 if(len > 65535) return MOSQ_ERR_INVAL;
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
 return MOSQ_ERR_SUCCESS;
 }
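Review bot: `hier_count` in mosquitto_pub_topic_check counts '/' separators rather than levels, so the closing test `hier_count > TOPIC_HIERARCHY_LIMIT` accepts a topic with TOPIC_HIERARCHY_LIMIT separators, which is one more level than the constant's name suggests. If the `count` compared in sub__topic_tokenise counts tokens instead (its increment is not visible on this page), the two limits would disagree by one and the boundary topic would pass validation only to be refused later. The same applies to the copies of this block in mosquitto_pub_topic_check2, mosquitto_sub_topic_check and mosquitto_sub_topic_check2. I would state the unit next to the counter, `/* hier_count is the number of '/' separators, i.e. levels - 1 */`, or compare with `>=` if the limit is meant to bound levels.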
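Review bot: The counting branch in mosquitto_sub_topic_check is an `else if` that exists only under `#ifdef WITH_BROKER` and hangs off the closing brace of a chain whose head is in the previous hunk, so the shape of the if/else chain differs between broker and library builds. Because '/' can never match the '+' or '#' tests, a self-contained statement inside the guard behaves the same and cannot be broken by a later edit to the chain: `if(str[0] == '/') hier_count++;`. The other three validators in this file use the same pattern and would take the same change, with `str[i]` in the length-based variants.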
@@ -204,6 +238,9 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
 {
 char c = '\0';
 int i;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
 if(len > 65535) return MOSQ_ERR_INVAL;
@@ -217,8 +254,16 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
 return MOSQ_ERR_INVAL;
 }
 }
+#ifdef WITH_BROKER
+ else if(str[i] == '/'){
+ hier_count++;
+ }
+#endif
 c = str[i];
 }
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
 return MOSQ_ERR_SUCCESS;
 }
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
index 512937a..5c077cb 100644
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@@ -70,6 +70,9 @@ Contributors:
 #define WEBSOCKET_CLIENT -2
+
+#define TOPIC_HIERARCHY_LIMIT 200
+
 /* ========================================
 * UHPA data types
 * ======================================== */
diff --git a/src/subs.c b/src/subs.c
index 6b53aa6..a03c7bd 100644
--- a/src/subs.c
+++ b/src/subs.c
@@ -178,6 +178,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
 int start, stop, tlen;
 int i;
 mosquitto__topic_element_uhpa topic;
+ int count = 0;
 assert(subtopic);
 assert(topics);
@@ -200,6 +201,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics) stop = 0; for(i=start; i TOPIC_HIERARCHY_LIMIT){ + /* Set limit on hierarchy levels, to restrict stack usage. */ + goto cleanup; + } + return MOSQ_ERR_SUCCESS; cleanup: -- 2.20.1
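Review bot: `TOPIC_HIERARCHY_LIMIT` is introduced without a comment, and the only rationale in the patch sits in src/subs.c ("to restrict stack usage"). Since lib/util_mosq.c now rejects client topics based on this value, I would document it at the definition, e.g. `/* Maximum topic hierarchy depth accepted by the broker; bounds stack usage (see sub__topic_tokenise). */`. It would also help to say whether 200 was derived from a measured stack budget or chosen as a round number, so that a later change to the value can be judged.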
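Review bot: The over-limit branch in sub__topic_tokenise leaves through `goto cleanup`, so a topic that is merely too deep is reported through the same path as the function's other failures; the body of `cleanup:` is outside the hunk, so the code it returns cannot be checked here. If that path returns an allocation-failure code, callers will treat a rejected topic as an out-of-memory condition, and the branch itself logs nothing to tell an operator that the limit was hit. Consider returning MOSQ_ERR_INVAL for this case, as the validators in lib/util_mosq.c do. The hunk text on this page is cut between the `for(i=start; ...` header and the limit test, so where `count` is incremented is not visible.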