An issue was discovered in the MQTT server in Contiki-NG before 4.2. The function parse_publish_vhdr() that parses MQTT PUBLISH messages with a variable length header uses memcpy to input data into a fixed size buffer. The allocated buffer can fit only MQTT_MAX_TOPIC_LENGTH (default 64) bytes, and a length check is missing. This could lead to Remote Code Execution via a stack-smashing attack (overwriting the function return address). Contiki-NG does not separate the MQTT server from other servers and the OS modules, so access to all memory regions is possible.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-05T11:37:10.864Z

Reserved: 2018-11-21T00:00:00

Link: CVE-2018-19417

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-11-21T20:29:00.307

Modified: 2024-11-21T03:57:53.160

Link: CVE-2018-19417

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.