NanoMQ
- <= 0.24.8
A null pointer dereference vulnerability has been identified in NanoMQ MQTT Broker versions through 0.24.8. The issue arises in the QUIC stream reception process, specifically within the 'quic_stream_recv' function. When a substream is in the 'reopen' state, the function can dereference a null substream pointer, leading to a crash. This vulnerability can be triggered remotely under certain timing conditions related to the stream's state, causing a denial-of-service situation by crashing the process.
Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition. The vulnerability is classified as a null pointer dereference, which can be remotely triggered by manipulating the state of QUIC multistream streams.
The vulnerability can be reproduced with a self-contained C program that simulates the vulnerable control flow. The program must be compiled with AddressSanitizer (ASAN) enabled; running the resulting binary triggers a null dereference crash that ASAN reports.
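As an added illustration of the bug class described above (not NanoMQ's code; the state names, struct layout and function names are assumptions), the unchecked receive pattern sits beside a hardened receive that refuses data for a slot that is not open or has no live substream:

```c
/* Added example, not NanoMQ's code: models the bug class in the advisory.
 * A slot in the hypothetical REOPEN state may have its substream pointer
 * cleared while data for it is still arriving. */
#include <stddef.h>
#include <stdint.h>

enum stream_state { STREAM_CLOSED = 0, STREAM_OPEN, STREAM_REOPEN };
struct substream { uint32_t id; size_t received; };

struct stream_slot {
    enum stream_state state;
    struct substream *sub;   /* NULL while a reopen is in progress (modelled) */
};

/* "Before": trusts the pointer; a NULL sub during REOPEN crashes here. */
int recv_unchecked(struct stream_slot *slot, const uint8_t *buf, size_t len)
{
    (void)buf;
    slot->sub->received += len;  /* NULL dereference if slot->sub == NULL */
    return 0;
}

/* Hardened: only OPEN slots with a live substream may receive.
 * Returns 0 on success, -1 when the packet must be dropped. */
int recv_checked(struct stream_slot *slot, const uint8_t *buf, size_t len)
{
    (void)buf;
    if (slot == NULL || slot->state != STREAM_OPEN || slot->sub == NULL)
        return -1;
    slot->sub->received += len;
    return 0;
}

/* The advisory's scenario: mid-reopen slot, substream gone. Returns 1 if the
 * hardened path rejected the packet instead of dereferencing NULL. */
int reopen_scenario_rejects(void)
{
    uint8_t pkt[16] = {0};                       /* constructed sample payload */
    struct stream_slot slot = { STREAM_REOPEN, NULL };
    return recv_checked(&slot, pkt, sizeof pkt) == -1;
}

/* Normal case: an OPEN slot with a substream still receives the bytes. */
int open_scenario_accepts(void)
{
    uint8_t pkt[16] = {0};
    struct substream sub = { 7, 0 };
    struct stream_slot slot = { STREAM_OPEN, &sub };
    return recv_checked(&slot, pkt, sizeof pkt) == 0 && sub.received == 16;
}
```

Only `recv_checked` is exercised; `recv_unchecked` is kept for contrast and would crash under ASAN if called with the reopen-state slot.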