Skip to content

Fenrir fixes#559

Merged
aidangarske merged 5 commits into
wolfSSL:masterfrom
embhorn:fenrir_fixes
Jul 10, 2026
Merged

Fenrir fixes#559
aidangarske merged 5 commits into
wolfSSL:masterfrom
embhorn:fenrir_fixes

Conversation

@embhorn

@embhorn embhorn commented Jul 6, 2026

Copy link
Copy Markdown
Member
  • Fix f-3627: test BrokerBufCompare length-fold auth backstop
  • Fix f-2359: preserve v5 SUBSCRIBE options through encode/decode
  • Fix f-3394: scrub CONNECT credentials from broker rx_buf after auth
  • Fix f-6656: scrub v5 CONNACK auth data from client rx_buf

@embhorn embhorn self-assigned this Jul 6, 2026
Copilot AI review requested due to automatic review settings July 6, 2026 15:06

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the broker CONNECT authentication test suite to better cover a constant-time credential comparison edge case and to align comments with the broker’s actual CONNACK return code for bad credentials.

Changes:

  • Corrects auth-failure CONNACK code references in existing tests/comments to 0x04 (Bad user name or password).
  • Adds a new mutation-guard test that fails if the length-fold backstop in BrokerBufCompare is removed (repeating-byte, different-length username case).
  • Registers the new test in the broker auth test runner.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@embhorn embhorn marked this pull request as ready for review July 10, 2026 21:40

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.

Comment thread tests/test_broker_connect.c Outdated
Comment thread tests/test_mqtt_client.c Outdated
Comment thread tests/test_mqtt_packet.c Outdated
Comment thread tests/test_mqtt_packet.c Outdated
Comment thread tests/test_broker_connect.c Outdated

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #559

Scan targets checked: wolfmqtt-bugs, wolfmqtt-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/mqtt_client.c

@aidangarske aidangarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Multi-Scan ReviewOverall recommendation: COMMENT

Findings: 3 total — 3 posted, 0 skipped
2 finding(s) posted as inline comments (see file-level comments below)
1 finding(s) not tied to a diff line (full detail below)

Posted findings

  • [Medium] [review+review-security+bugs] v5 SUBSCRIBE encoder folds uninitialized/unvalidated MqttTopic.sub_options into the options byte, emitting reserved or garbage option bits on the wiresrc/mqtt_packet.c:2417-2436
  • [Low] [review] Broker decodes v5 sub_options but never honors No Local / Retain As Published / Retain Handlingsrc/mqtt_packet.c:2575-2581

Findings not tied to a diff line

Credential/CONNACK scrub changes reviewed clean (informational)

File: src/mqtt_broker.c:4939-4957, src/mqtt_client.c:1970-1990
Function: BrokerHandle_Connect / MqttClient_Connect
Severity: Info
Category: Zeroization

The two new zeroization sites were audited for common failure modes and independently verified against the code as correct. Broker: BROKER_FORCE_ZERO(bc->rx_buf, rx_len) is in-bounds because rx_len is the MqttPacket_Read return, bounded by the rx buffer size; the dynamic-mode password scrub uses password_len + 1, matching the WOLFMQTT_MALLOC(src_len + 1) allocation and NULL-guarded; static-mode scrubs the full BROKER_MAX_PASSWORD_LEN array; password_len = 0 and the password scrub are correctly gated on WOLFMQTT_BROKER_AUTH. No double-free/UAF: the pointer is unchanged so the later BrokerClient_Free scrub+free path still works. Client: the whole-rx_buf scrub is safe because v5 CONNACK properties are consumed synchronously (MqttClient_WaitType delivers and frees the property list before the scrub) and no live pointer into rx_buf remains; ack.return_code is a scalar and survives; the multithread path takes lockRecv non-nested (no deadlock) and mirrors the existing MqttClient_Auth hardening. No defect found; recorded for traceability.

Recommendation: No action required.

Referenced code: src/mqtt_broker.c:4939-4957, src/mqtt_client.c:1970-1980 (11 lines)


Review generated by Skoll

Comment thread src/mqtt_packet.c
Comment thread src/mqtt_packet.c
@embhorn embhorn requested a review from aidangarske July 10, 2026 22:24
@aidangarske aidangarske merged commit e15476a into wolfSSL:master Jul 10, 2026
47 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants