[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Mosquitto / CVE-2017-7654

Looking at the upstream bug report I see that there are two potential
patches given. For the purposes of LTS and KISS, I prefer the simpler
patch. The other patch completely removes the need for dynamic memory
allocation in the first place. It is probably more suitable for
upstream. However upstream has not used either patch either yet.


So my suggested fix for Jessie is the following one line patch.

--- mosquitto-1.3.4.orig/src/read_handle_server.c
+++ mosquitto-1.3.4/src/read_handle_server.c
@@ -89,6 +89,7 @@
        if(_mosquitto_read_byte(&context->in_packet, &protocol_version)){
                mqtt3_context_disconnect(db, context);
+               _mosquitto_free(protocol_name);
                return 1;
        if(!strcmp(protocol_name, PROTOCOL_NAME_v31)){

Brian May <brian@linuxpenguins.xyz>

Reply to: