Add initial size limits for non-PUBLISH packets

ralight · ralight · commit e9e3e62a45af · 2025-08-09T20:33:38.000+01:00
diff --git a/fuzzing/broker/broker_fuzz_handle_auth.cpp b/fuzzing/broker/broker_fuzz_handle_auth.cpp
@@ -16,6 +16,7 @@ SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
    Roger Light - initial implementation and documentation.
 */
 
+#define kMaxInputLength 100000
 #include "fuzz_packet_read_base.h"
 
 extern "C" int fuzz_packet_read_init(struct mosquitto *context)
diff --git a/fuzzing/broker/broker_fuzz_handle_connect.cpp b/fuzzing/broker/broker_fuzz_handle_connect.cpp
@@ -16,6 +16,7 @@ SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
    Roger Light - initial implementation and documentation.
 */
 
+#define kMaxInputLength 100000
 #include "fuzz_packet_read_base.h"
 
 extern "C" int fuzz_basic_auth(int event, void *event_data, void *userdata)
diff --git a/fuzzing/broker/broker_fuzz_handle_subscribe.cpp b/fuzzing/broker/broker_fuzz_handle_subscribe.cpp
@@ -16,6 +16,7 @@ SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
    Roger Light - initial implementation and documentation.
 */
 
+#define kMaxInputLength 100000
 #include "fuzz_packet_read_base.h"
 
 extern "C" int fuzz_acl_check(int event, void *event_data, void *userdata)
diff --git a/fuzzing/broker/broker_fuzz_handle_unsubscribe.cpp b/fuzzing/broker/broker_fuzz_handle_unsubscribe.cpp
@@ -16,6 +16,7 @@ SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
    Roger Light - initial implementation and documentation.
 */
 
+#define kMaxInputLength 100000
 #include "fuzz_packet_read_base.h"
 
 extern "C" int fuzz_acl_check(int event, void *event_data, void *userdata)
diff --git a/fuzzing/broker/fuzz_packet_read_base.h b/fuzzing/broker/fuzz_packet_read_base.h
@@ -28,7 +28,9 @@ extern "C" {
 #include "read_handle.h"
 
 #define kMinInputLength 3
-#define kMaxInputLength 268435455U
+#ifndef kMaxInputLength
+#  define kMaxInputLength 268435455U
+#endif
 
 int fuzz_packet_read_base(const uint8_t *data, size_t size, int (*packet_func)(struct mosquitto *));
 int fuzz_packet_read_init(struct mosquitto *context);
diff --git a/lib/packet_mosq.c b/lib/packet_mosq.c
@@ -453,8 +453,8 @@ static int packet__read_single(struct mosquitto *mosq, enum mosquitto_client_sta
 #ifdef WITH_BROKER
 		switch(mosq->in_packet.command & 0xF0){
 			case CMD_CONNECT:
-				if(mosq->in_packet.remaining_length > 100000){ /* Arbitrary limit, make configurable */
-					return MOSQ_ERR_MALFORMED_PACKET;
+				if(mosq->in_packet.remaining_length > db.config->packet_max_connect){
+					return MOSQ_ERR_OVERSIZE_PACKET;
 				}
 				break;
 
@@ -463,8 +463,14 @@ static int packet__read_single(struct mosquitto *mosq, enum mosquitto_client_sta
 			case CMD_PUBREL:
 			case CMD_PUBCOMP:
 			case CMD_UNSUBACK:
-				if(mosq->protocol != mosq_p_mqtt5 && mosq->in_packet.remaining_length != 2){
-					return MOSQ_ERR_MALFORMED_PACKET;
+				if(mosq->protocol == mosq_p_mqtt5){
+					if(mosq->in_packet.remaining_length > db.config->packet_max_simple){
+						return MOSQ_ERR_OVERSIZE_PACKET;
+					}
+				}else{
+					if(mosq->in_packet.remaining_length != 2){
+						return MOSQ_ERR_MALFORMED_PACKET;
+					}
 				}
 				break;
 
@@ -476,10 +482,30 @@ static int packet__read_single(struct mosquitto *mosq, enum mosquitto_client_sta
 				break;
 
 			case CMD_DISCONNECT:
-				if(mosq->protocol != mosq_p_mqtt5 && mosq->in_packet.remaining_length != 0){
-					return MOSQ_ERR_MALFORMED_PACKET;
+				if(mosq->protocol == mosq_p_mqtt5){
+					if(mosq->in_packet.remaining_length > db.config->packet_max_simple){
+						return MOSQ_ERR_OVERSIZE_PACKET;
+					}
+				}else{
+					if(mosq->in_packet.remaining_length != 0){
+						return MOSQ_ERR_MALFORMED_PACKET;
+					}
+				}
+				break;
+
+			case CMD_SUBSCRIBE:
+			case CMD_UNSUBSCRIBE:
+				if(mosq->protocol == mosq_p_mqtt5 && mosq->in_packet.remaining_length > db.config->packet_max_sub){
+					return MOSQ_ERR_OVERSIZE_PACKET;
 				}
 				break;
+
+			case CMD_AUTH:
+				if(mosq->in_packet.remaining_length > db.config->packet_max_auth){
+					return MOSQ_ERR_OVERSIZE_PACKET;
+				}
+				break;
+
 		}
 
 		if(db.config->max_packet_size > 0 && mosq->in_packet.remaining_length+1 > db.config->max_packet_size){
diff --git a/src/conf.c b/src/conf.c
@@ -343,6 +343,11 @@ static void config__init_reload(struct mosquitto__config *config)
 	config->sys_interval = 10;
 	config->upgrade_outgoing_qos = false;
 	config->packet_buffer_size = 4096;
+
+	config->packet_max_auth = 100000;
+	config->packet_max_connect = 100000;
+	config->packet_max_sub = 100000;
+	config->packet_max_simple = 10000;
 }
 
 
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
@@ -352,6 +352,10 @@ struct mosquitto__config {
 	uint16_t max_inflight_messages;
 	uint16_t max_keepalive;
 	uint8_t max_qos;
+	uint32_t packet_max_connect;
+	uint32_t packet_max_simple;
+	uint32_t packet_max_sub;
+	uint32_t packet_max_auth;
 	bool persistence;
 	char *persistence_location;
 	char *persistence_file;
