Some protocol violations or bugs in Mosquitto #3052

Open
songxpu opened this issue May 16, 2024 · 3 comments

songxpu commented May 16, 2024

Hi, I have found some protocol specification violations in Mosquitto; the details are attached below.
The version of Mosquitto: version 2.0.18
The version of the Operating System: Ubuntu 24.04


songxpu commented May 16, 2024

According to the specification of MQTTv5.0:

[MQTT-3.10.3-2]
The Payload of an UNSUBSCRIBE packet MUST contain at least one Topic Filter.

But if we send such a packet that contains no topic filter to the broker:

echo 107e00064d514973647003cc8b8600145542463562636f6939375765546c694c37564c4600086748627239437a680018576c58416432686a6469616536334966415737594d586c72001a77654e4f376d3248774d6234566552526f586e6b47426e705871001a3858646b6d335a34634a486c594866347468676b6a63544c5a383224000e58564b6c7a7832493347677a7151b60131776e317a5947313132494355356e596468a2027890 | xxd -p -r | nc 172.17.0.7 1883

Mosquitto unexpectedly returned a response message instead of rejecting or breaking the connection.


songxpu commented May 16, 2024

According to the specification of MQTTv5.0:

[MQTT-3.8.3-2]
The Payload MUST contain at least one Topic Filter and Subscription Options pair 

Similarly, we send a SUBSCRIBE message that does not contain any topic filters:

echo 103c00064d514973647003c21226001455794367394a7632646146646941386f4e70553300016f0015326b364f5478555630374f44655547387a5a37666aa25f68ac001c644862384e33363353484870594e70546572364d4957397144555079000f7172794d62366d32707063794d774b00116c6d3455366f746e72716a466343416254001954684d4c506c30413942696135336645384a3635536f42705782024000 | xxd -p -r | nc 172.17.0.7 1883



songxpu commented May 16, 2024

According to the specification of MQTTv5.0:

[MQTT-3.3.4-6]
A PUBLISH packet sent from a Client to a Server MUST NOT contain a Subscription Identifier.

Send such a packet:

echo 106100044d5154540540b3b037119afb60e317001901215c5326000f766e72366d4541644d78553c44327800173049574d36324268715a6179524b5a62536749534a31360013317675535434755733374e64397846585a38570008676235716d5836363554000841684b3146454962f71a16010109000c79a506aff5eef39ed5210cd60bba849b523155596942337761334c376e765936573739413862666a46414e4e3172647544345773415778724a6667386d3258653363 | xxd -p -r | nc 172.17.0.7 1883

Mosquitto was expected to deny such a request, but received it.
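The three normative statements quoted in this thread can be checked mechanically on captured client traffic. The following is an added example, not code from the issue author or from Mosquitto; it assumes MQTT v5.0 framing on a client-to-server stream, and the function names and sample bytes are constructed for illustration.

```python
# Added example (not Mosquitto code): audit a client-to-server MQTT v5.0 stream.
EMPTY_PAYLOAD = {8: "MQTT-3.8.3-2", 10: "MQTT-3.10.3-2"}  # SUBSCRIBE, UNSUBSCRIBE
# Other PUBLISH properties: id -> (fixed value bytes, number of length-prefixed fields)
PROPS = {0x01: (1, 0), 0x02: (4, 0), 0x23: (2, 0), 0x03: (0, 1), 0x08: (0, 1),
         0x09: (0, 1), 0x26: (0, 2)}

def varint(buf, i):
    """Decode a Variable Byte Integer at buf[i]; return (value, next index)."""
    value = 0
    for n in range(4):
        value |= (buf[i + n] & 0x7F) << (7 * n)
        if buf[i + n] < 0x80:
            return value, i + n + 1
    raise ValueError("Variable Byte Integer longer than 4 bytes")

def check_packet(ptype, flags, body):
    """Return the violated statement for one packet (raises on malformed input)."""
    if ptype in EMPTY_PAYLOAD:
        plen, i = varint(body, 2)          # skip the 2-byte Packet Identifier
        return EMPTY_PAYLOAD[ptype] if i + plen >= len(body) else None
    if ptype == 3:                         # PUBLISH: Topic Name, Packet Id if QoS > 0
        i = 2 + int.from_bytes(body[:2], "big") + (2 if flags & 0x06 else 0)
        plen, i = varint(body, i)
        end = i + plen
        while i < end:                     # walk properties so value bytes are skipped
            if body[i] == 0x0B:            # Subscription Identifier
                return "MQTT-3.3.4-6"
            fixed, fields = PROPS[body[i]]
            i += 1 + fixed
            for _ in range(fields):
                i += 2 + int.from_bytes(body[i:i + 2], "big")
    return None

def audit(stream):
    """Return [(packet type, statement)] for every violating packet in stream."""
    findings, i = [], 0
    while i < len(stream):
        ptype, flags = stream[i] >> 4, stream[i] & 0x0F
        rlen, i = varint(stream, i + 1)
        rule = check_packet(ptype, flags, stream[i:i + rlen])
        if rule:
            findings.append((ptype, rule))
        i += rlen
    return findings

# Constructed sample: CONNECT, SUBSCRIBE, PUBLISH, then one packet per violation.
SAMPLE = bytes.fromhex(
    "100d00044d5154540502003c000000 82090001000003612f6200 30090003612f6202010178"
    " 8203000200 a203000300 30090003612f62020b0178")
```

`audit(SAMPLE)` reports packet types 8, 10 and 3 with their respective statement identifiers and passes the three well-formed packets.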
