tinyMQTT Resource Exhaustion Vulnerability Due to Improper TCP Connection Handling

A resource exhaustion vulnerability has been identified in tinyMQTT version commit 6226ade15bd4f97be2d196352e64dd10937c1962. The issue arises in the MQTT broker's handling of CONNECT packets. When a CONNECT packet is received with a zero-length Client ID and CleanSession set to 0, the broker correctly responds with a CONNACK return code of 0x02 (Identifier Rejected) but fails to close the TCP connection. This oversight allows the connection to remain open, creating 'half-open' sessions that consume server resources. Repeated invalid CONNECT attempts can lead to an accumulation of open sockets, file descriptors, and increased memory usage, causing a denial-of-service condition on the server.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition on the server, where available resources are exhausted, causing the broker to become unresponsive or to be terminated by the operating system.

Reproduction

The vulnerability can be reproduced by sending CONNECT packets with a zero-length Client ID and CleanSession set to 0. The broker will respond with a CONNACK(0x02) but will not close the TCP connection, leaving it open and consuming resources. This can be automated with a script that sends repeated invalid CONNECT packets, simulating an attack that exhausts server resources.