potential out-of-bound array access in pub/sub example clients id generation
Bug #1083182 reported by
Greg Beresford
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| mosquitto |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
I think there's a problem at line 599 in client/pub_client.c and line 477 in client/sub_client where they both do the following:
len = strlen("mosqsub/-") + 6 + strlen(hostname);
id = malloc(len);
...
snprintf(id, len, "mosqsub/%d-%s", getpid(), hostname);
id[MOSQ_
The last line isn't needed as snprintf will always give you a null-terminated string, and there's no guarantee that the id string will be >= MOSQ_MQTT_
Revision history for this message
| Roger Light (roger.light) wrote | #1 |
| Changed in mosquitto: | |
| milestone: | none → 1.0.6 |
| status: | New → Fix Committed |
| Changed in mosquitto: | |
| milestone: | 1.0.6 → 1.1 |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
I think you're quite right. It's fine your hostname is >= 8 characters long and your pid is 5 digits, but there's no guarantee that either of those will be true.
I've pushed a commit that fixes this: https:/
1.0.6 is planned for the start of December, so you should see this fix in a released form soon.