{“lastseen”:”2026-01-01T23:25:46″,”description”:”## Executive Summary\\n\\n**Vulnerability Type:** CWE-190\\n**Component:** lib\/mqtt.c \\n**Function:** mqtt_decode_len \\n\\n**Affected Architectures:**\\n- **All architectures:** Protocol non-compliance leading to stream desynchronization\\n- **32-bit architectures:** Deterministic integer overflow in length decoding\\n\\nlibcurl does not correctly enforce the MQTT v3.1.1 specification limit for the \u201cRemaining Length\u201d field when decoding incoming packets. This allows malformed MQTT packets to be parsed incorrectly, leading to protocol desynchronization and potential denial of service. On 32-bit systems, the decoding logic additionally allows a deterministic integer overflow.\\n\\n—\\n\\n## Root Cause: Inconsistent Length Handling\\n\\nThe issue is caused by an inconsistency within `lib\/mqtt.c`. \\nThe encoder correctly enforces the MQTT specification limit, while the decoder does not.\\n\\n### Correct Behavior (Encoding)\\n\\nIn `mqtt_encode_len`, the implementation explicitly limits the Remaining Length field to four bytes, as required by the specification:\\n\\n“`c\\nfor(i = 0; (len \\u003e 0) \\u0026\\u0026 (i \\u003c 4); i++) {\\n unsigned char encoded;\\n encoded = len % 0x80;\\n \/* … *\/\\n}\\n““\\n\\nThis ensures protocol compliance.\\n\\n### Incorrect Behavior (Decoding)\\n\\nIn contrast, `mqtt_decode_len` does not enforce the same limit:\\n\\n“`c\\nfor(i = 0; (i \\u003c buflen) \\u0026\\u0026 (encoded \\u0026 128); i++) {\\n encoded = buf[i];\\n len += (encoded \\u0026 127) * mult;\\n mult *= 128;\\n}\\n“`\\n\\nThe loop continues as long as the continuation bit is set and input is available, allowing more than four bytes to be consumed as part of the Remaining Length field.\\n\\n—\\n\\n## Specification Violation\\n\\nAccording to the MQTT v3.1.1 specification, Section 2.2.3 (Remaining Length):\\n\\n\\u003e \u201cThe number of bytes in the Remaining Length field MUST NOT exceed four bytes.\u201d\\n\\nBy accepting and processing length fields longer than four bytes, libcurl violates the MQTT specification and enters an undefined protocol state.\\n\\n—\\n\\n## Integer Overflow on 32-bit Systems\\n\\nOn 32-bit architectures, `size_t` is a 32-bit unsigned integer.\\nThe variable `mult` is repeatedly multiplied by 128 during decoding.\\n\\nExample progression on a 32-bit system:\\n\\n| Iteration | mult value | Operation | Result |\\n| ——–: | ———– | ——— | —————- |\\n| 0 | 1 | 1 \u00d7 128 | 128 |\\n| 1 | 128 | 128 \u00d7 128 | 16,384 |\\n| 2 | 16,384 | \u00d7 128 | 2,097,152 |\\n| 3 | 2,097,152 | \u00d7 128 | 268,435,456 |\\n| 4 | 268,435,456 | \u00d7 128 | **Overflow \u2192 0** |\\n\\nAfter the overflow, `mult` becomes zero, and any further bytes consumed contribute nothing to the decoded length. This allows a large or malformed Remaining Length field to be partially \u201chidden\u201d while still advancing the input pointer.\\n\\n—\\n\\n## Impact\\n\\n# Impact\\n\\n### Protocol Desynchronization (All Architectures)\\n\\nBy consuming more than four bytes for the Remaining Length field, libcurl can become desynchronized from the MQTT stream. Bytes intended to be part of the payload or subsequent packets may instead be interpreted as length data, causing incorrect parsing of later packets.\\n\\n### Denial of Service\\n\\nThis desynchronization can result in malformed packet handling, unexpected connection termination, or repeated protocol errors such as `CURLE_WEIRD_SERVER_REPLY`.\\n\\nNo memory corruption or code execution is claimed.\\n\\n—\\n\\n## Recommended Fix\\n\\nThe decoding logic should explicitly enforce the four-byte limit defined by the MQTT specification.\\n\\nExample fix:\\n\\n“`c\\nfor(i = 0; (i \\u003c buflen) \\u0026\\u0026 (encoded \\u0026 128); i++) {\\n if(i \\u003e= 4) {\\n \/* Malformed Remaining Length *\/\\n return 0; \/* or propagate an error to the caller *\/\\n }\\n encoded = buf[i];\\n len += (encoded \\u0026 127) * mult;\\n mult *= 128;\\n}\\n“`\\n\\nOptionally, the decoded length can also be checked against the implementation limit:\\n\\n“`c\\nif(len \\u003e MAX_MQTT_MESSAGE_SIZE)\\n return 0;\\n“`\\n\\n—\\n\\n## Verification Notes\\n\\nThe issue was verified through code inspection and logic simulation, confirming that `mqtt_decode_len` accepts more than four bytes for the Remaining Length field and allows arithmetic overflow on 32-bit systems. Runtime exploitation was not required to demonstrate the protocol violation.\\n\\n—\\n\\n## Conclusion\\n\\nThis is a protocol parsing bug caused by missing enforcement of a mandatory MQTT specification limit. While it does not directly result in memory corruption, it allows malformed MQTT packets to desynchronize the client\u2019s protocol state and cause denial of service. Aligning the decoder with the existing encoder logic resolves the issue cleanly.\\n\\n“`”,”published”:”2026-01-01T21:51:13″,”modified”:”2026-01-01T22:50:02″,”type”:”hackerone”,”title”:”curl: MQTT Protocol Violation \\u0026 Integer Overflow in libcurl”,”source”:””,”references”:””,”id”:”H1:3484319″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3484319″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-01T23:25:46″,”description”:”## Executive Summary\\n\\n**Vulnerability Type:** CWE-190\\n**Component:** lib\/mqtt.c \\n**Function:** mqtt_decode_len \\n\\n**Affected Architectures:**\\n- **All architectures:** Protocol non-compliance leading to stream desynchronization\\n- **32-bit architectures:** Deterministic integer overflow in length…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-33675","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n