Skip to content

🐞 Bug Report: Subscription Identifier Allows Out-of-Range Values in MQTT 5.0 #672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
amitjoy opened this issue Feb 13, 2025 · 0 comments
Open

🐞 Bug Report: Subscription Identifier Allows Out-of-Range Values in MQTT 5.0 #672

amitjoy opened this issue Feb 13, 2025 · 0 comments
Labels
bug

Comments

@amitjoy
Copy link

amitjoy commented Feb 13, 2025
edited
Loading

Description

The HiveMQ MQTT 5.0 client does not validate the Subscription Identifier before encoding, allowing values greater than 268,435,455, which violates the MQTT 5.0 specification. This can lead to malformed SUBSCRIBE packets, causing broker rejection or client disconnection.

Steps to Reproduce

  1. Create a subscription with an invalid Subscription Identifier (> 268,435,455).
  2. The client encodes the packet without validation.
  3. The broker rejects the packet or disconnects the client due to an MQTT protocol violation.

Expected Behavior

The client should validate the Subscription Identifier before encoding:
• It should be between 1 and 268,435,455.
• If out-of-range, the client should throw an IllegalArgumentException instead of encoding an invalid packet.

Affected Code

Class: Mqtt5SubscribeEncoder
Method: encodeProperties()

📌 Current implementation does not validate the range before encoding:

encodeVariableByteIntegerProperty(SUBSCRIPTION_IDENTIFIER, message.getSubscriptionIdentifier(),
            DEFAULT_NO_SUBSCRIPTION_IDENTIFIER, out);

Suggested Fix

Add a validation check before encoding inside Mqtt5SubscribeEncoder.encodeProperties():

int subscriptionId = message.getSubscriptionIdentifier();

// ✅ Ensure Subscription Identifier is within valid range (1 - 268,435,455)
if (subscriptionId < 1 || subscriptionId > 268435455) {
    throw new IllegalArgumentException("Invalid Subscription Identifier: " + subscriptionId);
}

encodeVariableByteIntegerProperty(SUBSCRIPTION_IDENTIFIER, subscriptionId,
            DEFAULT_NO_SUBSCRIPTION_IDENTIFIER, out);

Impact

• If an out-of-range Subscription Identifier is sent, brokers will reject the subscription.
• The client may receive an unexpected disconnection.
• The issue may affect QoS 1 & 2 message delivery if subscriptions are invalid.

Additional Context

MQTT 5.0 Specification: MQTT-5.0 Spec - Subscription Identifier
Similar issue not found in Eclipse Paho Java Client, which skips invalid Subscription Identifiers < 1 but does not check upper limits.
@amitjoy amitjoy added the bug label Feb 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@amitjoy