From 4e146b7b532164d72eb5531005875f54b1ab5c17 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Thu, 22 Jul 2021 16:43:06 +0100
Subject: [PATCH] Fix possible out of bounds memory reads when reading configuration. This would happen with a corrupt/crafted configuration file. Unless your configuration file is writable by untrusted users this is not a risk. Closes #567213. Thanks to Roland Sako.
---
 ChangeLog.txt | 5 +++++
 lib/misc_mosq.c | 7 ++++++-
 src/conf.c | 9 +++++++--
 3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 0dfdcdb2..f81dd4c7 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,6 +1,11 @@
 2.0.12 - 2021-07-xx
 ===================
+Broker:
+- Fix possible out of bounds memory reads when reading a corrupt/crafted
+ configuration file. Unless your configuration file is writable by untrusted
+ users this is not a risk. Closes #567213.
+
 Clients:
 - mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows so binary payloads are not modified when printing.
diff --git a/lib/misc_mosq.c b/lib/misc_mosq.c
index b2118c46..7f18bd50 100644
--- a/lib/misc_mosq.c
+++ b/lib/misc_mosq.c
@@ -156,6 +156,7 @@ char *fgets_extending(char **buf, int *buflen, FILE *stream)
 char endchar;
 int offset = 0;
 char *newbuf;
+ size_t len;
 if(stream == NULL || buf == NULL || buflen == NULL || *buflen < 1){
 return NULL;
@@ -167,7 +168,11 @@ char *fgets_extending(char **buf, int *buflen, FILE *stream)
 return rc;
 }
- endchar = (*buf)[strlen(*buf)-1];
+ len = strlen(*buf);
+ if(len == 0){
+ return rc;
+ }
+ endchar = (*buf)[len-1];
 if(endchar == '\n'){
 return rc;
 }
diff --git a/src/conf.c b/src/conf.c
index 592ea979..ee99296b 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -741,6 +741,7 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
 size_t prefix_len;
 char **files;
 int file_count;
+ size_t slen;
 #ifdef WITH_TLS
 char *kpass_sha = NULL, *kpass_sha_bin = NULL;
 char *keyform ;
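Review bot: In the second lib/misc_mosq.c hunk, the new `if(len == 0){ return rc; }` in fgets_extending() carries no comment saying how a successful read can leave an empty string, which is the case the patch exists for. I would add `/* a successful read can still yield an empty string (e.g. the line starts with a NUL byte); there is no last character to inspect */` above the check. `strlen(*buf)` also still stops at the first NUL anywhere in the line, so a line with an embedded NUL would presumably be treated as unterminated and extended. That handling sits in the part of the function outside this hunk and should be confirmed there.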
@@ -751,8 +752,12 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
 while(fgets_extending(buf, buflen, fptr)){
 (*lineno)++;
 if((*buf)[0] != '#' && (*buf)[0] != 10 && (*buf)[0] != 13){
- while((*buf)[strlen((*buf))-1] == 10 || (*buf)[strlen((*buf))-1] == 13){
- (*buf)[strlen((*buf))-1] = 0;
+ slen = strlen(*buf);
+ if(slen == 0){
+ continue;
+ }
+ while((*buf)[slen-1] == 10 || (*buf)[slen-1] == 13){
+ (*buf)[slen-1] = 0;
 }
 token = strtok_r((*buf), " ", &saveptr);
 if(token){
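Review bot: The rewritten newline-stripping loop never updates `slen`, so it removes at most one character: after `(*buf)[slen-1] = 0;` the condition re-reads the same index, finds 0 and exits. The removed code called strlen() again on every pass, so a line ending in CR LF lost both bytes; with this hunk the CR would stay in the buffer and reach the last token produced by strtok_r(). Decrementing the cached length restores the old behaviour and keeps the index bounded: `while(slen > 0 && ((*buf)[slen-1] == 10 || (*buf)[slen-1] == 13)){ (*buf)[--slen] = 0; }`. The enclosing function continues outside the hunk.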