potential out-of-bound array access in pub/sub example clients id generation
Bug #1083182 reported by
Greg Beresford
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mosquitto |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
I think there's a problem at line 599 in client/pub_client.c and line 477 in client/sub_client where they both do the following:
len = strlen("mosqsub/-") + 6 + strlen(hostname);
id = malloc(len);
...
snprintf(id, len, "mosqsub/%d-%s", getpid(), hostname);
id[MOSQ_
The last line isn't needed as snprintf will always give you a null-terminated string, and there's no guarantee that the id string will be >= MOSQ_MQTT_
Changed in mosquitto: | |
milestone: | 1.0.6 → 1.1 |
status: | Fix Committed → Fix Released |
To post a comment you must log in.
I think you're quite right. It's fine your hostname is >= 8 characters long and your pid is 5 digits, but there's no guarantee that either of those will be true.
I've pushed a commit that fixes this: https:/ /bitbucket. org/oojah/ mosquitto/ changeset/ 85fce9c26c2a270 1f6b9ff91b4ced6 6bd572b06a
1.0.6 is planned for the start of December, so you should see this fix in a released form soon.