samples/mqtt/multi_thread_mqtt_sample.c, multi_client_shadow_sample.c, ota_mqtt_sample.c存在内存DF和UAF问题。 #37
Description
samples/mqtt/multi_thread_mqtt_sample.c,ota_mqtt_sample.c存在内存UAF (memory Use-After-Free) 安全问题(即使用了一个已经释放的内存)。
multi_client_shadow_sample.c, ota_mqtt_sample.c存在DF(memory Double Free)安全问题(即对内存进行双重释放)。
- samples/mqtt/multi_thread_mqtt_sample.c
https://github.com/tencentyun/qcloud-iot-sdk-embedded-c/blob/master/samples/mqtt/multi_thread_mqtt_sample.c
UAF问题:在第201行已经释放了action_value内存,然而在202行又调用了action_value内存,此时释放后的action_value内存值是不确定的,会出现非预期行为。
static void _mqtt_message_handler(void *pClient, MQTTMessage *message, void *userData)
{
if (message == NULL) {
return;
}
if (MAX_SIZE_OF_TOPIC_CONTENT >= message->payload_len) {
...
if (action_value != NULL) {
temp = strstr(action_value, "-");
if (NULL != temp) {
tempRow = atoi(temp + 1);
HAL_Free(action_value);
} else {
HAL_Free(action_value); //!!! action_value memory is released
Log_e("invalid action value: %s", action_value); //!!! Use of memory action_value after it is freed
sg_rx_unexpected_count++;
return;
}
} else {
...
}
...
} else {
sg_rx_msg_buf_too_big_count++;
}
}
- samples/multi_client/multi_client_shadow_sample.c
https://github.com/tencentyun/qcloud-iot-sdk-embedded-c/blob/master/samples/multi_client/multi_client_shadow_sample.c
DF问题:在180行已经通过IOT_Shadow_Destroy释放了shadow_client内存,但在226行再次通过IOT_Shadow_Destroy释放shadow_client内存,造成Memory Double Free安全问题。
static void _shadow_client_thread_runner(void *ptr)
{
int rc = QCLOUD_ERR_FAILURE;
void *shadow_client = NULL;
...
shadow_client = IOT_Shadow_Construct(&init_params);
if (shadow_client == NULL) {
Log_e("shadow client constructed failed.");
goto thread_exit;
}
// register delta property
shadow_property.key = thread_data->property_key;
shadow_property.data = ¤t_update_count;
shadow_property.type = JINT32;
rc = IOT_Shadow_Register_Property(shadow_client, &shadow_property, OnDeltaCallback);
if (rc != QCLOUD_RET_SUCCESS) {
rc = IOT_Shadow_Destroy(shadow_client); //!!! shadow_client memory was freed via IOT_Shadow_Destroy
Log_e("register device shadow property failed, err: %d", rc);
goto thread_exit;
}
...
thread_exit:
if (shadow_client != NULL) {
IOT_Shadow_Destroy(shadow_client); //!!! shadow_client memory was freed via IOT_Shadow_Destroy again since it was freed before.
shadow_client = NULL;
}
sg_thread_status[thread_id] = 1;
}
- samples/ota/ota_mqtt_sample.c
https://github.com/tencentyun/qcloud-iot-sdk-embedded-c/blob/master/samples/ota/ota_mqtt_sample.c
UAF问题:在第285行已经释放了version内存,但在第289行又再次调用version,此时释放后的version内存值是不确定的,会出现非预期行为,造成UAF问题。
DF问题:在第285行已经释放了version内存,但在第290行又再次释放version,造成double free安全问题。
static int _get_local_fw_info(char *file_name, char *local_version)
{
...
char *version = LITE_json_value_of(KEY_VER, json_doc);
char *size = LITE_json_value_of(KEY_SIZE, json_doc);
if ((NULL == version) || (NULL == size)) {
if (version)
HAL_Free(version);
if (size)
HAL_Free(size);
fclose(fp);
return 0;
}
int local_size = atoi(size);
HAL_Free(size);
if (local_size <= 0) {
Log_w("local info offset invalid: %d", local_size);
HAL_Free(version); //!!! version memory is released
local_size = 0;
}
strncpy(local_version, version, FW_VERSION_MAX_LEN); //!!! Use of memory version after it is freed
HAL_Free(version); //!!! Double Free issues.
fclose(fp);
return local_size;
}