yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(emqx): validate mqtt malformed variable byte integer

This commit is contained in:
Shawn 2021-03-10 16:49:58 +08:00
parent af73516c59
commit 9e5a868bf1
3 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/emqx.appup.src
View File

@ -8,16 +8,22 @@
end, end,
{VSN, {VSN,
[ [
{<<"4.2.[34567]">>, [
{load_module, emqx_frame, brutal_purge, soft_purge, []}
]},
{"4.2.2", [ {"4.2.2", [
{load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []} {load_module, emqx_metrics, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.1", [ {"4.2.1", [
{load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []},
{load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_json, brutal_purge, soft_purge, []} {load_module, emqx_json, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.0", [ {"4.2.0", [
{load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []},
{load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []},
@ -30,16 +36,22 @@
{<<".*">>, []} {<<".*">>, []}
], ],
[ [
{<<"4.2.[34567]">>, [
{load_module, emqx_frame, brutal_purge, soft_purge, []}
]},
{"4.2.2", [ {"4.2.2", [
{load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []} {load_module, emqx_metrics, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.1", [ {"4.2.1", [
{load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []},
{load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_json, brutal_purge, soft_purge, []} {load_module, emqx_json, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.0", [ {"4.2.0", [
{load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []},
{load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []},

3
src/emqx_frame.erl
View File

@ -125,6 +125,9 @@ parse_remaining_len(<<0:8, Rest/binary>>, Header, 1, 0, Options) ->
%% Match PUBACK, PUBREC, PUBREL, PUBCOMP, UNSUBACK... %% Match PUBACK, PUBREC, PUBREL, PUBCOMP, UNSUBACK...
parse_remaining_len(<<0:1, 2:7, Rest/binary>>, Header, 1, 0, Options) -> parse_remaining_len(<<0:1, 2:7, Rest/binary>>, Header, 1, 0, Options) ->
parse_frame(Rest, Header, 2, Options); parse_frame(Rest, Header, 2, Options);
parse_remaining_len(<<1:1, _Len:7, _Rest/binary>>, _Header, Multiplier, _Value, _Options)
when Multiplier > 2097152 ->
error(malformed_variable_byte_integer);
parse_remaining_len(<<1:1, Len:7, Rest/binary>>, Header, Multiplier, Value, Options) -> parse_remaining_len(<<1:1, Len:7, Rest/binary>>, Header, Multiplier, Value, Options) ->
parse_remaining_len(Rest, Header, Multiplier * ?HIGHBIT, Value + Len * Multiplier, Options); parse_remaining_len(Rest, Header, Multiplier * ?HIGHBIT, Value + Len * Multiplier, Options);
parse_remaining_len(<<0:1, Len:7, Rest/binary>>, Header, Multiplier, Value, parse_remaining_len(<<0:1, Len:7, Rest/binary>>, Header, Multiplier, Value,

9
test/emqx_frame_SUITE.erl
View File

@ -42,7 +42,8 @@ all() ->
groups() -> groups() ->
[{parse, [parallel], [{parse, [parallel],
[t_parse_cont, [t_parse_cont,
t_parse_frame_too_large t_parse_frame_too_large,
t_parse_frame_malformed_variable_byte_integer
]}, ]},
{connect, [parallel], {connect, [parallel],
[t_serialize_parse_v3_connect, [t_serialize_parse_v3_connect,
@ -129,6 +130,12 @@ t_parse_frame_too_large(_) ->
?catch_error(frame_too_large, parse_serialize(Packet, #{max_size => 512})), ?catch_error(frame_too_large, parse_serialize(Packet, #{max_size => 512})),
?assertEqual(Packet, parse_serialize(Packet, #{max_size => 2048, version => ?MQTT_PROTO_V4})). ?assertEqual(Packet, parse_serialize(Packet, #{max_size => 2048, version => ?MQTT_PROTO_V4})).
t_parse_frame_malformed_variable_byte_integer(_) ->
MalformedPayload = << <<16#80>> || _ <- lists:seq(1, 4) >>,
ParseState = emqx_frame:initial_parse_state(#{}),
?catch_error(malformed_variable_byte_integer,
emqx_frame:parse(MalformedPayload, ParseState)).
t_serialize_parse_v3_connect(_) -> t_serialize_parse_v3_connect(_) ->
Bin = <<16,37,0,6,77,81,73,115,100,112,3,2,0,60,0,23,109,111,115, Bin = <<16,37,0,6,77,81,73,115,100,112,3,2,0,60,0,23,109,111,115,
113,112,117, 98,47,49,48,52,53,49,45,105,77,97,99,46,108, 113,112,117, 98,47,49,48,52,53,49,45,105,77,97,99,46,108,