Fix potential file persistence crash.

Identified by OS-TIF audit. TOB-MOSQ-CR-5
2025-05-09 01:01:11 +08:00 · 2023-06-09 23:56:55 +01:00 · 2023-06-09 23:56:55 +01:00 · b1c29e881e
commit b1c29e881e
parent a3c680fbb0
2 changed files with 11 additions and 10 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -2,6 +2,7 @@ Security:
 - Broker will now reject Will messages that attempt to publish to $CONTROL/.
 - Broker now validates usernames provided in a TLS certificate or TLS-PSK
  identity are valid UTF-8.
+- Fix potential crash when loading invalid persitence file.

 Broker:
 - Fix $SYS messages being expired after 60 seconds and hence unchanged values
--- a/src/persist_write.c
+++ b/src/persist_write.c
@ -47,8 +47,6 @@ static int persist__client_messages_save(FILE *db_fptr, struct mosquitto *contex
 	assert(db_fptr);
 	assert(context);

-	memset(&chunk, 0, sizeof(struct P_client_msg));
-
 	cmsg = queue;
 	while(cmsg){
 		if(!strncmp(cmsg->store->topic, "$SYS", 4)
@ -61,6 +59,8 @@ static int persist__client_messages_save(FILE *db_fptr, struct mosquitto *contex
 			continue;
 		}

+		memset(&chunk, 0, sizeof(struct P_client_msg));
+
 		chunk.F.store_id = cmsg->store->db_id;
 		chunk.F.mid = cmsg->mid;
 		chunk.F.id_len = (uint16_t)strlen(context->id);
@ -91,8 +91,6 @@ static int persist__message_store_save(FILE *db_fptr)

 	assert(db_fptr);

-	memset(&chunk, 0, sizeof(struct P_msg_store));
-
 	stored = db.msg_store;
 	while(stored){
 		if(stored->ref_count < 1 || stored->topic == NULL){
@ -100,6 +98,8 @@ static int persist__message_store_save(FILE *db_fptr)
 			continue;
 		}

+		memset(&chunk, 0, sizeof(struct P_msg_store));
+
 		if(!strncmp(stored->topic, "$SYS", 4)){
 			if(stored->ref_count <= 1 && stored->dest_id_count == 0){
 				/* $SYS messages that are only retained shouldn't be persisted. */
@ -164,9 +164,9 @@ static int persist__client_save(FILE *db_fptr)

 	assert(db_fptr);

-	memset(&chunk, 0, sizeof(struct P_client));
-
 	HASH_ITER(hh_id, db.contexts_by_id, context, ctxt_tmp){
+		memset(&chunk, 0, sizeof(struct P_client));
+
 		if(context &&
 #ifdef WITH_BRIDGE
 				((!context->bridge && context->clean_start == false)
@ -224,8 +224,6 @@ static int persist__subs_save(FILE *db_fptr, struct mosquitto__subhier *node, co
 	size_t slen;
 	int rc;

-	memset(&sub_chunk, 0, sizeof(struct P_sub));
-
 	slen = strlen(topic) + node->topic_len + 2;
 	thistopic = mosquitto__malloc(sizeof(char)*slen);
 	if(!thistopic) return MOSQ_ERR_NOMEM;
@ -238,6 +236,8 @@ static int persist__subs_save(FILE *db_fptr, struct mosquitto__subhier *node, co
 	sub = node->subs;
 	while(sub){
 		if(sub->context->clean_start == false && sub->context->id){
+			memset(&sub_chunk, 0, sizeof(struct P_sub));
+
 			sub_chunk.F.identifier = sub->identifier;
 			sub_chunk.F.id_len = (uint16_t)strlen(sub->context->id);
 			sub_chunk.F.topic_len = (uint16_t)strlen(thistopic);
@ -281,10 +281,10 @@ static int persist__retain_save(FILE *db_fptr, struct mosquitto__retainhier *nod
 	struct P_retain retain_chunk;
 	int rc;

-	memset(&retain_chunk, 0, sizeof(struct P_retain));
-
 	if(node->retained && strncmp(node->retained->topic, "$SYS", 4)){
 		/* Don't save $SYS messages. */
+		memset(&retain_chunk, 0, sizeof(struct P_retain));
+
 		retain_chunk.F.store_id = node->retained->db_id;
 		rc = persist__chunk_retain_write_v6(db_fptr, &retain_chunk);
 		if(rc){