Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle instantaneous and unsolicited PUBACKs #158

Merged
merged 1 commit into from May 19, 2024
Merged

Handle instantaneous and unsolicited PUBACKs #158

merged 1 commit into from May 19, 2024

Conversation

leoarnold
Copy link
Contributor

Prior to this commit, it was possible to crash the read thread by sending a PUBACK with an unexpected ID, e.g. an ID the client had not used before, or had already deleted the queue for. These packages will now simple be ignored.

Furthermore, with QoS 1 or 2, the PUBACK queue for a package was only created after the package had already been published. If the PUBACK arrived within this tiny gap, the read thread would crash. We fix this by creating the queue before starting to publish.

@leoarnold
[Security] Handle instantaneous and unsolicited PUBACKs
e38df42 
Prior to this commit, it was possible to crash the read thread
by sending a PUBACK with an unexpected ID, e.g. an ID the client
had not used before, or had already deleted the queue for.
These packages will now simple be ignored.

Furthermore, with QoS 1 or 2, the PUBACK queue for a package
was only created _after_ the package had already been published.
If the PUBACK arrived within this tiny gap, the read thread would crash.
We fix this by creating the queue before starting to publish.
@phlegx
Copy link

phlegx commented Sep 5, 2023
edited

@leoarnold nice work! @njh can you check this PR please and merge/release?

phlegx added a commit to phlegx/ruby-mqtt that referenced this pull request Sep 5, 2023
@phlegx
Add PR njh#158: [Security] Handle instantaneous and unsolicited PUBACKs.
5ac1f74
@njh
Copy link
Owner

njh commented Apr 2, 2024

Thank you for this PR. I am wondering if this is the correct behaviour - to ignore invalid PUBACK identifiers.
Under what situation would you expect this to occur? Due to a faulty server? Or due to a bad actor?
I think if you are connected to a server that is trying to do harm to its clients, you might have bigger problems.

I haven't read the specification in a long time.
But typically in the MQTT protocol, if something goes wrong, the action is to disconnect.
I did a quick scan and I don't think this scenario is documented in version 3.1.1. of the specification.

Interested in your thoughts.

@leoarnold
Copy link
Contributor Author

@njh Malicious actors aside, the current code will first send a package and then add it to the list of "awaiting PUBACK". This allows for a race condition: If the PUBACK is processed before you can register that you are actually waiting for it, then the code will break. This PR essentially suggests to first register your expectation for a PUBACK before publishing, thereby eliminating the race condition.

@jeltz
Copy link

jeltz commented May 8, 2024

Yeah, ran into this issue too. The race condition mentioned is very real and I hit it quite often when I use QoS 1. I am not a fan of ignoring unknown packets but the part of the patch which fixes the race condition is something which is useful.

@njh njh changed the title [Security] Handle instantaneous and unsolicited PUBACKs Handle instantaneous and unsolicited PUBACKs May 8, 2024
@njh njh merged commit b2e48d0 into njh:main May 19, 2024
@njh
Copy link
Owner

njh commented May 20, 2024

Build is now failing. Want to understand why / fix it before making a release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@leoarnold @phlegx @njh @jeltz