[Bug 1815732] Re: mosquitto 1.4.15-2ubuntu0.18.04.1 "Socket error on client , disconnecting."

Wed, 27 Feb 2019 02:06:28 -0800 

I've re-built 1.4.15-2ubuntu0.18.04.1 from source locally and I get the
same connect issue.

The issue is caused by the patch "mosquitto-1.4.15-cve-2018-12546".
With that one removed and mosquitto-1.4.x-cve-2018-12550.patch and 
mosquitto-1.4.x-cve-2018-12551.patch re-added the binary works again.

With *all* patches fully applied again but only the lines I mentioned in
#7 commented out, mosquitto works again. So definitely that's the issue.

I didn't analyse the ACL system thoroughly but this has to do with the
ACL not being set explicitly for the user, which - according to my
understanding - is perfectly legal. See my /etc/mosquitto/users.acl from
post #5.


I've locally changed
    if(context->username && context->acl_list == NULL){
      return MOSQ_ERR_INVAL;
    }

to
    if(context->username && context->acl_list == NULL){
      _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL entry not found for 
client with username \"%s\"", context->username);
      return MOSQ_ERR_SUCCESS;
    }


The root cause might be a misunderstanding of the original code that
this patch moves into a new function. It seems that original code was
only meant to *load* the users's ACLs (if any) and not to *find* that
ACLs.

So basically the function acl__find_acls seems to be named wrong. The
name should be more like acl__load_acls and the function should return
success *even* if there's *NO* ACL found specific for that user.

Alternatively mosquitto_acl_check needs to be called in
read_handle_server.c when acl__find_acls returns MOSQ_ERR_INVAL so that
the %c and %u pattern matching will be performed, but probably the first
option above is the better one.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1815732

Title:
  mosquitto 1.4.15-2ubuntu0.18.04.1 "Socket error on client <unknown>,
  disconnecting."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1815732/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to