From 70d713ca07ba46ddfbebb4a569e342364844d6c2 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Wed, 14 Jun 2023 15:50:10 +0100
Subject: [PATCH] Fix heap overflow when reading corrupt config with "log_dest file".
---
 ChangeLog.txt | 1 +
 src/conf.c | 10 ++++++----
 src/handle_connect.c | 1 +
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 6ad030a9..eef61746 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -31,6 +31,7 @@ Broker:
 not a string, when loading the dynsec config from file only.
 - Dynsec plugin will not allow duplicate clients/groups/roles when loading config from file, which matches the behaviour for when creating them.
+- Fix heap overflow when reading corrupt config with "log_dest file".
 Client library:
 - Use CLOCK_BOOTTIME when available, to keep track of time. This solves the
diff --git a/src/conf.c b/src/conf.c
index a7b9b062..80c0cd82 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -1533,15 +1533,16 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
 }else if(!strcmp(token, "dlt")){
 cr->log_dest |= MQTT3_LOG_DLT;
 }else if(!strcmp(token, "file")){
- cr->log_dest |= MQTT3_LOG_FILE;
 if(config->log_fptr || config->log_file){
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Duplicate \"log_dest file\" value.");
 return MOSQ_ERR_INVAL;
 }
 /* Get remaining string. */
- token = &token[strlen(token)+1];
- while(token[0] == ' ' || token[0] == '\t'){
- token++;
+ token = saveptr;
+ if(token && token[0]){
+ while(token[0] == ' ' || token[0] == '\t'){
+ token++;
+ }
 }
 if(token[0]){
 config->log_file = mosquitto__strdup(token);
@@ -1553,6 +1554,7 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Empty \"log_dest file\" value in configuration.");
 return MOSQ_ERR_INVAL;
 }
+ cr->log_dest |= MQTT3_LOG_FILE;
 }else{
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid log_dest value (%s).", token);
 return MOSQ_ERR_INVAL;
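Review bot: The new `if(token && token[0])` guard allows for `saveptr` being NULL, but the unchanged `if(token[0]){` right after the loop still dereferences `token` without that check. A NULL `saveptr` would therefore fault there instead of reaching the "Empty \"log_dest file\" value" error. Changing the second test to `if(token && token[0]){` keeps the two checks consistent. Whether `saveptr` can be NULL after the last token depends on the strtok_r implementation in use, which is not visible here; config__read_file_core starts and ends outside the hunk.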
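Review bot: The reason `cr->log_dest |= MQTT3_LOG_FILE;` now sits after the filename checks is not recorded at its new location, so a later tidy-up could move it back to the top of the branch. A one-line comment would preserve the intent, e.g. `/* Set only once log_file has been validated, so error returns leave log_dest untouched. */`. The lines between the two conf.c hunks are not shown, so this assumes every failure path there returns before reaching the flag.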
diff --git a/src/handle_connect.c b/src/handle_connect.c
index 58bea7b3..cb22e358 100644
--- a/src/handle_connect.c
+++ b/src/handle_connect.c
@@ -951,6 +951,7 @@ int handle__connect(struct mosquitto *context)
 handle_connect_error:
+ mosquitto_property_free_all(&properties);
 mosquitto__free(auth_data);
 mosquitto__free(client_id);
 mosquitto__free(username);
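Review bot: The added `mosquitto_property_free_all(&properties);` under `handle_connect_error:` is only safe if `properties` is initialised to NULL before the first `goto handle_connect_error`. It also must never be left pointing at a list that another object already owns by the time the label is reached. Neither the declaration nor the earlier jumps are visible in this hunk, so both should be confirmed against the full handle__connect body. This cleanup also looks unrelated to the commit subject and has no entry in ChangeLog.txt; a separate commit or an extra ChangeLog line would make it easier to track.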