We have found a DOS attack which can be triggered by CONNECT packets which contain lots of "user properties". The broker will then parse all of them and store them in a linked list. When checking for the uniqueness of “properties” in the CONNECT packet, the linked list is traversed with O(n^2) complexity. In our tests, it takes only 64KB per package to have an impact on our cloud server with 1 core (20 processes sending packages simultaneously). So it's only limited by max packet size.

# lib\property_mosq.c:186(property__read_all)
In this function, the broker parses and stores the properties, including "user properties".

# lib\property_mosq.c:963(mosquitto_property_check_all)

    int mosquitto_property_check_all(int command, const mosquitto_property *properties)
    {
        ... ...
        while(p){
            ... ...
            tail = p->next;
            while(tail){
                if(p->identifier == tail->identifier
                        && p->identifier != MQTT_PROP_USER_PROPERTY){
                    return MOSQ_ERR_DUPLICATE_PROPERTY;
                }
                tail = tail->next;
            }
            p = p->next;
        }
        return MOSQ_ERR_SUCCESS;
    }
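Added example, not part of the original report and not the project's patch (the attachment is not reproduced on this page): it counts loop iterations for a nested scan shaped like the one quoted above and for a single-pass check that uses a seen-table indexed by property identifier. The `ex_`/`EX_` names, the 256-entry identifier bound and the constructed input are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in names for this example; not the mosquitto definitions. */
enum { EX_OK = 0, EX_DUPLICATE = 1 };
#define EX_USER_PROPERTY 38 /* 0x26, User Property in MQTT v5 */
#define EX_ID_LIMIT 256     /* assumed: identifiers are range-checked on read */
struct ex_prop { struct ex_prop *next; int32_t identifier; };
unsigned long ex_steps;     /* loop iterations used by the last ex_run() */

/* Nested scan in the shape of the reported loop: up to n(n-1)/2 comparisons. */
static int check_quadratic(const struct ex_prop *p) {
    for (; p; p = p->next)
        for (const struct ex_prop *t = p->next; t; t = t->next) {
            ex_steps++;
            if (p->identifier == t->identifier && p->identifier != EX_USER_PROPERTY)
                return EX_DUPLICATE;
        }
    return EX_OK;
}

/* One pass with a seen-table: n iterations; user properties may repeat. */
static int check_linear(const struct ex_prop *p) {
    unsigned char seen[EX_ID_LIMIT] = {0};
    for (; p; p = p->next) {
        int32_t id = p->identifier;
        ex_steps++;
        if (id == EX_USER_PROPERTY || id < 0 || id >= EX_ID_LIMIT) continue;
        if (seen[id]) return EX_DUPLICATE;
        seen[id] = 1;
    }
    return EX_OK;
}

/* Constructed input: n user properties, then (if dup) identifier 17 twice. */
int ex_run(int linear, size_t n, int dup) {
    size_t total = n + (dup ? 2 : 0);
    ex_steps = 0;
    if (!total) return EX_OK;
    struct ex_prop *list = calloc(total, sizeof *list);
    if (!list) return -1;
    for (size_t i = 0; i < total; i++) {
        list[i].identifier = i < n ? EX_USER_PROPERTY : 17;
        list[i].next = i + 1 < total ? &list[i + 1] : NULL;
    }
    int rc = linear ? check_linear(list) : check_quadratic(list);
    free(list);
    return rc;
}
```

Calling `ex_run(0, n, 0)` and `ex_run(1, n, 0)` for growing `n` and reading `ex_steps` shows the quadratic versus linear growth in work per CONNECT packet.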
/cc project lead. What versions does this impact?
We tested in version 2.0.11, and I think it affects any version before because there is no commit about this.
We tested in version 2.0.11, and I think it affects any version before because there is no commit about this. In addition.

(In reply to Wayne Beaton from comment #1)
> /cc project lead.
>
> What versions does this impact?
Created attachment 286914 [details] Proposed fix
Thanks for the report. Could you check whether the patch I just submitted works for you?
(In reply to Roger Light from comment #5)
> Thanks for the report. Could you check whether the patch I just submitted
> works for you?

Yeah, it works well. Thanks.
Wayne, could you assign a CVE for this please?

Versions 1.6 to 2.0.11
CWE-1050
An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.
(In reply to Roger Light from comment #7)
> Wayne, could you assign a CVE for this please?
>
> Versions 1.6 to 2.0.11
> CWE-1050
> An MQTT v5 client connecting with a large number of user-property properties
> could cause excessive CPU usage, leading to a loss of performance and
> possible denial of service.

Thank you for your response. Is it possible to register the requested CVE with our name and organization name (Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin, Huazhong Univ. of Sci. & Tech.; Luyi Xing, IU; Yan Jia, Nankai University )?
I've assigned CVE-2021-41039 and have pushed the report to the central authority.

> Is it possible to register the requested CVE with our name and organization
> name (Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin, Huazhong Univ. of Sci.
> & Tech.; Luyi Xing, IU; Yan Jia, Nankai University )?

I've added you all as a "credit" entry in the submission.
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/637.