Skip to content

Integer Underflow in MQTT Packet Parsing leading to Heap Buffer Overflow

High
jvde-github published GHSA-93mj-c8q3-69rg Nov 28, 2025

Package

AIS-catcher (C++)

Affected versions

v 0.63 <

Patched versions

None

Description

Summary

A critical Integer Underflow vulnerability exists in the MQTT parsing logic of AIS-catcher. This vulnerability allows an attacker to trigger a massive Heap Buffer Overflow (Wild Memcpy) by sending a malformed MQTT packet with a manipulated Topic Length field. This results in an immediate and unrecoverable Denial of Service (DoS) due to memory access violations.

Technical Details

The vulnerability is located in Source/IO/Protocol.h within the Protocol::MQTT::read function.
When processing a PUBLISH packet with QoS 0, the application calculates the payload size (data_returned) by subtracting the Topic Length (2 bytes) and the header size from the total Remaining Length.

// Source/IO/Protocol.h
int topic_len = (buffer[i] << 8) + buffer[i + 1]; // User-controlled input
// ...
if (q == 0) {
    // VULNERABILITY: No check if (2 + topic_len) <= length
    // Root Cause: Unvalidated subtraction
    data_returned = length - 2 - topic_len;

    // If topic_len is large, data_returned becomes negative (e.g., -12).
    // memcpy expects 'size_t' (unsigned).
    // -12 is implicitly converted to a massive positive integer (approx 18 EB).
    // RESULT: 'Wild Memcpy' occurs, leading to inevitable crash.
    memcpy(data, buffer.data() + i + 2 + topic_len, data_returned);
}

The root cause is the lack of validation before the subtraction. If an attacker provides a Topic Length larger than the Remaining Length, the result is a negative integer. When passed to memcpy, this negative value is implicitly converted to a huge unsigned integer. This triggers a write operation that inevitably attempts to access invalid memory regions, causing the operating system to terminate the process.

Impact

  • Denial of Service (DoS): This is the primary and immediate impact. The memcpy attempts to copy an excessively large amount of data (close to $2^{64}$ bytes on 64-bit systems). This operation will quickly hit unmapped or protected memory pages, triggering a Segmentation Fault (SIGSEGV). This crashes the AIS-catcher process or the host application using it as a library, rendering the service unavailable.
  • Memory Corruption: While the heap is technically corrupted as the copy begins, the uncontrollable nature of the "wild copy" size prevents the attacker from precisely overwriting control structures (like function pointers) needed for Remote Code Execution (RCE) before the crash occurs.

Remediation

The MQTT::read function must validate that the Topic Length plus the header size does not exceed the total Remaining Length of the packet.

Recommended Patch:
In Source/IO/Protocol.h:

// Inside Protocol::MQTT::read
int topic_len = (buffer[i] << 8) + buffer[i + 1];
int q = (buffer[0] >> 1) & 0x03;

// [FIX] Add bounds check to prevent Integer Underflow
if (length < 2 + topic_len) {
    // Invalid packet: Topic length exceeds remaining length
    return 0; // Effectively drops the malformed packet
}

if (q == 0) {
    data_returned = length - 2 - topic_len;
    // Safe memcpy
    memcpy(data, buffer.data() + i + 2 + topic_len, data_returned);
}

Severity

High

CVE ID

CVE-2025-66217

Weaknesses

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Learn more on MITRE.

Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. Learn more on MITRE.

Credits