NanoMQ Heap Use-After-Free Vulnerability in SUBSCRIBE Message Handling

Vulnerability

A heap use-after-free vulnerability has been identified in NanoMQ version 0.17.9. The defect lies in the sub_Ctx_handle component, where retained messages are mishandled during multi-topic subscriptions. When a client subscribes to several topics in one SUBSCRIBE packet, NanoMQ matches each topic filter against the retained messages. On a match, the retained message is queued for delivery and then freed, but the pointer to it is not cleared. If a later topic filter in the same subscription matches that same, already freed message, the broker reuses the dangling pointer, which can lead to memory corruption, a crash, or arbitrary code execution, depending on the heap layout and the exploitation method used.
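The queue-then-free pattern described above, beside a reference-counted form that keeps the message alive across every matching filter in the packet, as an added example. This is a hypothetical model written for this page, not NanoMQ's code; the message layout, the `filter_matches` helper and the `retained_msg` refcount are assumptions.

```c
/* Added, hypothetical model of the bug class above; not NanoMQ's code. Each
 * topic filter in one SUBSCRIBE packet is matched against the retained store. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char topic[64], payload[64];
    int  refcnt;             /* holders: retain store + each queued delivery */
} retained_msg;

/* Constructed matcher: exact topic, or the "#" filter that matches anything. */
static int filter_matches(const char *filter, const char *topic) {
    return strcmp(filter, "#") == 0 || strcmp(filter, topic) == 0;
}

retained_msg *msg_new(const char *topic, const char *payload) {
    retained_msg *m = calloc(1, sizeof *m);
    strncpy(m->topic, topic, sizeof m->topic - 1);
    strncpy(m->payload, payload, sizeof m->payload - 1);
    m->refcnt = 1;                            /* the store's own reference */
    return m;
}

/* Drops one reference, frees on zero, returns the count that remains. */
int msg_unref(retained_msg *m) {
    if (--m->refcnt > 0) return m->refcnt;
    free(m);
    return 0;
}

/* Defective shape: a match is queued and immediately freed, the pointer is
 * left dangling, and the next matching filter reads freed memory. Never called. */
int sub_handle_vuln(retained_msg *m, const char **filters, int n, retained_msg **queue) {
    int q = 0;
    for (int i = 0; i < n; i++)                      /* 2nd match reads freed m */
        if (filter_matches(filters[i], m->topic)) { queue[q++] = m; free(m); }
    return q;
}

/* Hardened shape: each queued delivery takes its own reference; the consumer
 * drops it with msg_unref() after sending, and the store keeps its own. */
int sub_handle_safe(retained_msg *m, const char **filters, int n, retained_msg **queue) {
    int q = 0;
    for (int i = 0; i < n; i++)
        if (filter_matches(filters[i], m->topic)) { m->refcnt++; queue[q++] = m; }
    return q;
}
```

With two filters matching the same retained message, the hardened handler leaves the store's reference intact after both deliveries are released, so no path ever touches freed memory.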

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the NanoMQ broker. However, the nature of the vulnerability also allows for the possibility of arbitrary code execution, depending on how it is exploited.

Reproduction

The vulnerability can be reproduced by starting the NanoMQ broker with its default configuration and then sending a crafted SUBSCRIBE message that triggers the use-after-free condition. The issue discussion refers to a Python script, 'poc.py', that automates this.

Remediation

Users should update to the latest version of NanoMQ, in which this vulnerability has been fixed.

Added: Jul 29, 2025, 7:41 PM
Updated: Jul 29, 2025, 7:41 PM

Vulnerability Rating

Custom Algorithm

  spread           0.3
  impact          10.0
  exploitability   9.1
  remediation      0.0
  relevance        0.3
  threat           6.4
  urgency          2.9
  incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.