Fix possible out of bounds memory reads when reading configuration.

This would happen with a corrupt/crafted configuration file. Unless your
configuration file is writable by untrusted users this is not a risk.

Closes #567213. Thanks to Roland Sako.

ChangeLog.txt

@@ -1,6 +1,11 @@
 2.0.12 - 2021-07-xx
 ===================
 
+Broker:
+- Fix possible out of bounds memory reads when reading a corrupt/crafted
+  configuration file. Unless your configuration file is writable by untrusted
+  users this is not a risk. Closes #567213.
+
 Clients:
 - mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows
   so binary payloads are not modified when printing.

lib/misc_mosq.c

@@ -156,6 +156,7 @@ char *fgets_extending(char **buf, int *buflen, FILE *stream)
 	char endchar;
 	int offset = 0;
 	char *newbuf;
+	size_t len;
 
 	if(stream == NULL || buf == NULL || buflen == NULL || *buflen < 1){
 		return NULL;
@@ -167,7 +168,11 @@ char *fgets_extending(char **buf, int *buflen, FILE *stream)
 			return rc;
 		}
 
-		endchar = (*buf)[strlen(*buf)-1];
+		len = strlen(*buf);
+		if(len == 0){
+			return rc;
+		}
+		endchar = (*buf)[len-1];
 		if(endchar == '\n'){
 			return rc;
 		}

src/conf.c

@@ -741,6 +741,7 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
 	size_t prefix_len;
 	char **files;
 	int file_count;
+	size_t slen;
 #ifdef WITH_TLS
 	char *kpass_sha = NULL, *kpass_sha_bin = NULL;
 	char *keyform ;
@@ -751,8 +752,12 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
 	while(fgets_extending(buf, buflen, fptr)){
 		(*lineno)++;
 		if((*buf)[0] != '#' && (*buf)[0] != 10 && (*buf)[0] != 13){
-			while((*buf)[strlen((*buf))-1] == 10 || (*buf)[strlen((*buf))-1] == 13){
-				(*buf)[strlen((*buf))-1] = 0;
+			slen = strlen(*buf);
+			if(slen == 0){
+				continue;
+			}
+			while((*buf)[slen-1] == 10 || (*buf)[slen-1] == 13){
+				(*buf)[slen-1] = 0;
 			}
 			token = strtok_r((*buf), " ", &saveptr);
 			if(token){