mirror of
https://github.com/curl/curl.git
synced 2026-05-07 14:57:27 +03:00
Per MQTT 3.1.1 sections 3.13.1 and 3.14.1, PINGRESP and DISCONNECT fixed headers must have remaining_length set to zero. The previous code dispatched to mqtt->nextstate based on the queued state alone without validating remaining_length for these no-payload packet types, allowing a malicious broker to send a PINGRESP with non-zero remaining_length whose trailing bytes would be interpreted as the payload of whatever message type was queued (CONNACK, SUBACK, etc.).

The exploitation path turned out to be narrow — curl sends data to the server the user chose to talk to — but the spec violation and the resulting protocol-state error are real.

Reject the malformed packets with CURLE_WEIRD_SERVER_REPLY before state dispatch.

Reported-by: Raymond Steen <raymond@vortiqxconsilium.com>
Found by VORTIQ-X VXF Framework
Bug: https://hackerone.com/reports/3702718
Signed-off-by: Raymond Steen <raymond@vortiqxconsilium.com>
Closes #21465
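The check the commit describes, shown as an added stand-alone example rather than curl's own code: a fixed-header parser that decodes the MQTT 3.1.1 packet type and variable-length remaining_length, and refuses a PINGRESP or DISCONNECT whose remaining_length is not zero before any state-dependent dispatch happens. The `fh_result` codes, `struct fixed_header` and `parse_fixed_header` are names chosen for this example; curl's real code returns CURLE_WEIRD_SERVER_REPLY from its own state machine. The packet bytes in `main` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MQTT 3.1.1 control packet types (high nibble of the first fixed-header byte) */
#define MQTT_PINGRESP   13
#define MQTT_DISCONNECT 14

/* Result codes for this example (hypothetical; curl uses CURLcode values) */
enum fh_result {
  FH_OK = 0,
  FH_INCOMPLETE = 1,          /* more bytes needed to finish the fixed header */
  FH_MALFORMED = 2,           /* remaining_length continuation never terminates */
  FH_WEIRD_SERVER_REPLY = 3   /* no-payload type carries a non-zero remaining_length */
};

struct fixed_header {
  uint8_t type;               /* control packet type, 1..14 */
  uint8_t flags;              /* low nibble of the first byte */
  uint32_t remaining_length;  /* bytes that follow the fixed header */
  size_t header_len;          /* bytes consumed by the fixed header itself */
};

/* Parse the fixed header from buf[0..len). PINGRESP and DISCONNECT must carry
   remaining_length == 0 (MQTT 3.1.1 sections 3.13.1 and 3.14.1); anything else
   is rejected here, independently of which message type the client expects. */
enum fh_result parse_fixed_header(const uint8_t *buf, size_t len,
                                  struct fixed_header *out)
{
  uint32_t value = 0;
  uint32_t multiplier = 1;
  size_t i;

  if(len < 2)
    return FH_INCOMPLETE;

  out->type = (uint8_t)(buf[0] >> 4);
  out->flags = (uint8_t)(buf[0] & 0x0F);

  /* remaining_length: 1 to 4 bytes, 7 data bits each, MSB set = more bytes follow */
  for(i = 1; i < len && i <= 4; i++) {
    value += (uint32_t)(buf[i] & 0x7F) * multiplier;
    if(!(buf[i] & 0x80)) {
      out->remaining_length = value;
      out->header_len = i + 1;
      if((out->type == MQTT_PINGRESP || out->type == MQTT_DISCONNECT) && value != 0)
        return FH_WEIRD_SERVER_REPLY;
      return FH_OK;
    }
    multiplier *= 128;
  }
  /* Either all four length bytes had the continuation bit set (malformed) or
     the buffer ended mid-length (incomplete). */
  return (i > 4) ? FH_MALFORMED : FH_INCOMPLETE;
}

int main(void)
{
  /* Constructed sample: a PINGRESP that claims two trailing bytes, which a
     state-only dispatcher would have fed to whatever handler was queued. */
  static const uint8_t bad_pingresp[] = { 0xD0, 0x02, 0x00, 0x00 };
  static const uint8_t good_pingresp[] = { 0xD0, 0x00 };
  struct fixed_header fh;

  printf("bad PINGRESP  -> %d\n",
         (int)parse_fixed_header(bad_pingresp, sizeof(bad_pingresp), &fh));
  printf("good PINGRESP -> %d\n",
         (int)parse_fixed_header(good_pingresp, sizeof(good_pingresp), &fh));
  return 0;
}
```

The point of placing the check in the header parser is that it does not depend on `mqtt->nextstate`: the server's packet type alone decides whether a payload is allowed, so a broker cannot smuggle bytes past the dispatcher by sending a no-payload type while the client is waiting for something else.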
Files in this directory:

- .checksrc
- .gitignore
- CMakeLists.txt
- dnsd.c
- first.c
- first.h
- getpart.c
- Makefile.am
- Makefile.inc
- mqttd.c
- resolve.c
- rtspd.c
- sockfilt.c
- socksd.c
- sws.c
- tftpd.c
- util.c