From d216e3385ad073f7a7d943bd18311951d28946f1 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre
Date: Tue, 22 Oct 2024 14:49:22 -0700
Subject: [PATCH] mqtt: de-permission publish callback capabilities.

The `topic` and `payload` capabilities of the publish callback are only valid within the context of the callback. They should thus passed as a read-only, non-capturable capabilities. Currently we pass them as capturable and writable capabilities, which may allow API users to compromise the MQTT compartment. This addresses issue #43.

Signed-off-by: Hugo Lefeuvre
---
 include/mqtt.h   |  4 +++-
 lib/mqtt/mqtt.cc | 12 ++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/include/mqtt.h b/include/mqtt.h
index b60f885..496da68 100644
--- a/include/mqtt.h
+++ b/include/mqtt.h
@@ -11,7 +11,9 @@
  * will be called on all PUBLISH notifications from the broker.
  *
  * `topicName` and `payload` (and their respective size arguments) indicate the
- * topic of the PUBLISH, and the corresponding payload.
+ * topic of the PUBLISH, and the corresponding payload. Both are only valid
+ * within the context of the callback and thus passed as a read-only,
+ * non-capturable capabilities.
  */
 typedef void __cheri_callback (*MQTTPublishCallback)(const char *topicName,
                                                      size_t topicNameLength,
diff --git a/lib/mqtt/mqtt.cc b/lib/mqtt/mqtt.cc
index 5738f92..6392680 100644
--- a/lib/mqtt/mqtt.cc
+++ b/lib/mqtt/mqtt.cc
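Review bot: The new header comment has a number-agreement slip in the added lines, "passed as a read-only, non-capturable capabilities", which reads as if a single capability were meant; since it describes both `topicName` and `payload`, the article should go: `* within the context of the callback and thus passed as read-only,` / `* non-capturable capabilities.`. It would also help API users to state in the same comment that the pointers must not be retained after the callback returns, which is the practical consequence of "non-capturable" for someone who has not read the CHERI permission model.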
@@ -468,9 +468,17 @@ namespace
 				    "The packet is of type PUBLISH, but topic or payload "
 				    "are not set.");
-				publishCallback(publishInfo->pTopicName,
+				// The payload and topic are only valid within the
+				// context of the callback: make them read-only and
+				// non-capturable.
+				Capability topic{publishInfo->pTopicName};
+				Capability payload{publishInfo->pPayload};
+				topic.permissions() &= CHERI::Permission::Load;
+				payload.permissions() &= CHERI::Permission::Load;
+
+				publishCallback(topic,
 				                publishInfo->topicNameLength,
-				                publishInfo->pPayload,
+				                payload,
 				                publishInfo->payloadLength);
 			}
 			else if (ackCallback)
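Review bot: The masks on `topic` and `payload` strip write and global permissions but leave the bounds of the two capabilities exactly as inherited from `pTopicName` and `pPayload`, so a callback can still load past `topicNameLength` and `payloadLength` into whatever else the underlying buffer holds (presumably the rest of the received packet; that buffer is not visible in the hunk). Both lengths are already known at this point, so the bounds can be narrowed in the same place, e.g. `topic.bounds() = publishInfo->topicNameLength;` and `payload.bounds() = publishInfo->payloadLength;` immediately after the two constructors, assuming the `CHERI::Capability` bounds proxy used elsewhere in CHERIoT is available here. The added comment could then say `// make them read-only, non-capturable and bounded to the advertised lengths.` so the intent of the confinement is complete. The enclosing function begins and ends outside this hunk.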