Skip to content

Behavior with malformed packets #2325

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
scompo opened this issue Sep 24, 2021 · 5 comments
Closed

Behavior with malformed packets #2325

scompo opened this issue Sep 24, 2021 · 5 comments
Labels
Component: mosquitto-broker Status: Completed Nothing further to be done with this issue, it can be closed by the requestor or committer. Type: Bug
Milestone
2.0.21

Comments

@scompo
Copy link

scompo commented Sep 24, 2021
edited
Loading

Hello, I was facing reconnection issues with some clients.

After analyzing the TCP traffic with tcpdump I've noticed that a client sent/or I received a malformed PINGREQ packet, it was supposed to be 0xc0 followed by 0x00 instead I'm getting 0x0a followed by 0xc0.

Right now the client doesn't get a response from it's (broken) PINGREQ and resets itself as per specification.

Is this the expected broker behavior in this case?

I think the packet it's ignored (no log mentions), should the client be disconnected or notified?

EDIT:

I'm using version 2.0.12 from snap

I looked a bit at the code and in src/read_handle.c this case should fall into the default case branch, being a 3.1.x spec client, no action is performed.

Is this correct? Should the client be disconnected?
@ralight
Copy link
Contributor

ralight commented Sep 24, 2021

I'm not quite clear what is happening from your description I'm afraid. If the client sends a malformed PINGREQ, I would expect it to be disconnected. If you can reproduce this or still have a pcap file, I'd suggest taking a look in wireshark - the MQTT dissectors are very good and will flag malformed packets so it is much easier to see what is going on.

@ralight ralight added Component: mosquitto-broker Status: Available No one has claimed responsibility for resolving this issue. Type: Question A query or clarification. labels Sep 24, 2021
@scompo
Copy link
Author

scompo commented Sep 25, 2021
edited
Loading

From the capture I'm receiving the malformed packet on the server and no activity from the broker, just an acknowledgement of the tcp packet sent.

The broker just does nothing and leaves the connection opened, then the client receives no response and closes the connection.

From what I can see in the code a disconnect is issued only if the protocol il version 5, is this the expect behavior from the broker as specified from the protocol?

@scompo scompo changed the title Beheaviour with malformed packets Behavior with malformed packets Sep 27, 2021
@ckrey
Copy link
Contributor

ckrey commented Oct 31, 2024

I successfully reproduced the problem:
Your are actually not sending a malformed PINGREQ packet (c000), but a reserved command (0A) with a remaining length of c0, which is an illegal length specification. The broker expects more bytes to read, but does not receive any. This is why it is waiting.

It is obviously a bug in the client to send a reserved command, but the reserved command should be rejected by the broker before waiting for a remaining length to be transmitted.

ralight added a commit that referenced this issue Oct 31, 2024
@ralight
Fix RESERVED packets not being quickly rejected.
0691935 
Closes #2325
@ralight ralight added Status: Completed Nothing further to be done with this issue, it can be closed by the requestor or committer. Type: Bug and removed Type: Question A query or clarification. Status: Available No one has claimed responsibility for resolving this issue. labels Oct 31, 2024
@ralight ralight added this to the 2.0.21 milestone Oct 31, 2024
@ralight
Copy link
Contributor

ralight commented Oct 31, 2024

Thank you, this is now fixed for 2.0.21.

ckrey added a commit to ckrey/mosquitto that referenced this issue Nov 1, 2024
@ckrey
Add tests for bad packets related to eclipse-mosquitto#2325
7875beb
ckrey added a commit to ckrey/mosquitto that referenced this issue Nov 1, 2024
@ckrey
Add tests for bad packets related to eclipse-mosquitto#2325
8be8bcc
ckrey added a commit to ckrey/mosquitto that referenced this issue Nov 1, 2024
@ckrey
Add tests for bad packets related to eclipse-mosquitto#2325
507b25b 
Signed-off-by: Christoph Krey <[email protected]>
@scompo
Copy link
Author

scompo commented Nov 2, 2024

Yeah, thank you, it was a 3rd party issue with their code and we ended up telling them to fix it. Thank you for fixing the potential problem on your part too!

ckrey added a commit to ckrey/mosquitto that referenced this issue Nov 3, 2024
@ckrey
Add test for early check of RESERVED command with illegal remaining l…
008f306 
…ength eclipse-mosquitto#2325

Signed-off-by: Christoph Krey <[email protected]>
@ckrey ckrey mentioned this issue Nov 3, 2024
Merged
6 tasks
@ralight ralight closed this as completed Feb 25, 2025
ralight pushed a commit that referenced this issue Feb 25, 2025
@ckrey @ralight
Add test for early check of RESERVED command with illegal remaining l…
b1f2b7b 
…ength #2325

Signed-off-by: Christoph Krey <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Component: mosquitto-broker Status: Completed Nothing further to be done with this issue, it can be closed by the requestor or committer. Type: Bug
Projects
None yet
Milestone
2.0.21
Development

No branches or pull requests
3 participants
@ralight @scompo @ckrey