From: Willy Tarreau <w@1wt.eu>
Date: Mon, 11 May 2026 13:38:58 +0000 (+0200)
Subject: BUG/MINOR: mqtt: fix PUBLISH flags validation that want all bits to be set
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=be2851f304d3a147808108b53725718451944fd9;p=haproxy.git

BUG/MINOR: mqtt: fix PUBLISH flags validation that want all bits to be set

The definition of the PUBLISH message type indicates that the LSB are
independent, but uses a value of 0xF that clearly shows an attempt to
use a mask instead, but it results in all messages not having all flags
set to be rejected. A sane approach would have been to check for a mask
and an expected value. Let's just add a special case for it in function
mqtt_read_fixed_hdr() since that's for a single message type.

This can be backported anywhere.
---

diff --git a/src/mqtt.c b/src/mqtt.c
index 97839eed7..340e1295a 100644
--- a/src/mqtt.c
+++ b/src/mqtt.c
@@ -19,7 +19,7 @@ uint8_t mqtt_cpt_flags[MQTT_CPT_ENTRIES] = {
 	[MQTT_CPT_CONNACK]     = 0x00,
 
 	/* MQTT_CPT_PUBLISH flags can have different values (DUP, QoS, RETAIN), must be
-	 * check more carefully
+	 * check more carefully (any combination of the 4 bits is valid).
 	 */
 	[MQTT_CPT_PUBLISH]     = 0x0F,
 
@@ -162,7 +162,8 @@ static inline struct ist mqtt_read_fixed_hdr(struct ist parser, struct mqtt_pkt
 	uint8_t ptype = (type & 0xF0) >> 4;
 	uint8_t flags = type & 0x0F;
 
-	if (ptype == MQTT_CPT_INVALID || ptype >= MQTT_CPT_ENTRIES || flags != mqtt_cpt_flags[ptype])
+	if (ptype == MQTT_CPT_INVALID || ptype >= MQTT_CPT_ENTRIES ||
+	    (ptype != MQTT_CPT_PUBLISH && flags != mqtt_cpt_flags[ptype]))
 		return IST_NULL;
 
 	pkt->fixed_hdr.type = ptype;