MQTTProtocol_emptyMessageList() crashes due to null pointer assignment #1532

Open
clappingSeal14 opened this issue Oct 16, 2024 · 2 comments

Comments


clappingSeal14 commented Oct 16, 2024

Describe the bug
Within the function MQTTProtocol_emptyMessageList() in MQTTProtocolClient.c, when the function attempts to assign the variable Messages* m to current->content, it is attempting to assign a null pointer and it crashes.

When the stack trace for the segmentation fault is viewed, this call to MQTTProtocol_emptyMessageList() occurs due to a previous call handled in the system to MQTTClient_destroy(). It appears to be having trouble freeing the inbound message list for the client getting destroyed.

For our project we brought in the repository as a submodule and are using the source code of PAHO to handle our MQTT logic. All of our business logic is handled on one thread while all of the MQTT logic is handled on the second thread.

Additional Information

  • The client that is being destroyed is not null and has valid fields
  • After reading similar issues to this, increased the in-flight message timeout being used to 10000 ms, but the system still crashed

To Reproduce
When performing network stress tests of the system that receives a message from the broker every 1000 ms and responds to it, this behavior is seen when a device in our application has a connection loss, leading us to destroy the previously existing client. This failure does not occur for every call to MQTTClient_destroy(); however, it is more likely to appear the longer the stress test runs.

Expected behavior
Application behaves as normal without unexpected crashing

Screenshots
Stack trace of the segmentation fault: [attached image: stackTrace]

Value of msgList within the function causing the segmentation fault (size appears unreasonable): [attached image: msgList]

Log files
NewestGdbDump.txt

Environment:

  • Host OS: Ubuntu
  • Remote Debug Target: Linux beaglebone 4.19.94-ti-r42 #1buster SMP PREEMPT Tue Mar 31 19:38:29 UTC 2020 armv7l GNU/Linux (Debian IOT)
  • PAHO MQTT Version: 1.3.13
@FunnyFossils

Anyone else run into this issue? I saw it the other day and was wondering if anyone else had encountered this before. I'm trying to migrate over to the MQTTAsync client library in hopes of getting around some memory-freeing issues that seem to occur occasionally.

@manojkotapati

I am also facing a similar issue, where sometimes, when performing connection stress testing such as low signal strength or network on/off, a double free crash happens in MQTTProtocol_removePublication() during reconnect.

Below is the backtrace for the same:

#5 0x0000007f7d94c000 in malloc_printerr (str=str@entry=0x7f7da0fe00 "double free or corruption (!prev)") at malloc.c:5659
No locals.
#6 0x0000007f7d94decc in _int_free (av=0x7f7da5aa30 <main_arena>, p=0x6530bf2290, have_lock=) at malloc.c:4586
size = 6128
fb =
nextchunk = 0x6530bf3a80
nextsize =
nextinuse =
prevsize =
bck =
fwd =
PRETTY_FUNCTION = "_int_free"
#7 0x0000007f7d950878 in __GI___libc_free (mem=) at malloc.c:3386
ar_ptr =
p = 0x6530bf2290
err =
#8 0x0000007f7de66958 in MQTTProtocol_removePublication (p=0x7f58006a00) at /usr/src/debug/paho-mqtt-c/1.3.13-r0/git/src/MQTTProtocolClient.c:302
No locals.
#9 0x0000007f7de67d4c in MQTTProtocol_emptyMessageList (msgList=0x6530b8db00) at /usr/src/debug/paho-mqtt-c/1.3.13-r0/git/src/MQTTProtocolClient.c:1016
m = 0x7f58006a30
current = 0x7f580069c0
#10 0x0000007f7de7ab6c in MQTTAsync_cleanSession (client=client@entry=0x6530b8d990) at /usr/src/debug/paho-mqtt-c/1.3.13-r0/git/src/MQTTAsyncUtils.c:2525
rc = 0
found = 0x0
#11 0x0000007f7de7ae2c in MQTTAsync_closeSession (props=0x7f58006b08, reasonCode=, client=) at /usr/src/debug/paho-mqtt-c/1.3.13-r0/git/src/MQTTAsyncUtils.c:2431
No locals.
#12 MQTTAsync_checkDisconnect (handle=0x6530b8d720, command=0x7f58006ac0) at /usr/src/debug/paho-mqtt-c/1.3.13-r0/git/src/MQTTAsyncUtils.c:947
was_connected =
m = 0x6530b8d720
#13 0x0000007f7de7d91c in MQTTAsync_processCommand () at /usr/src/debug/paho-mqtt-c/1.3.13-r0/git/src/MQTTAsyncUtils.c:1509
rc =
command =
cur_command = 0x7f580069e0
ignored_clients =
#14 0x0000007f7de7e118 in MQTTAsync_sendThread (n=) at /usr/src/debug/paho-mqtt-c/1.3.13-r0/git/src/MQTTAsyncUtils.c:1801
rc =
command_count =
timeout = 1000

MQTT PAHO Version is 1.3.13
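As an added illustration (not Paho's code and not posted by anyone in this thread), here is a hypothetical, simplified model of a message-list teardown that guards against the two symptoms reported above: a list element whose content is NULL, and a publication freed twice because more than one list refers to it. The names Publication, Message, list_push, remove_publication and empty_message_list are assumptions that only loosely mirror the functions named in the backtraces.

```c
#include <stdlib.h>

/* Hypothetical simplified model, not Paho's real structures. */
typedef struct { int refcount; } Publication;
typedef struct Message { Publication *publish; struct Message *next; } Message;
typedef struct { Message *head; } MessageList;

/* Prepend a message referencing pub; pub may be NULL to model a stale entry. */
static void list_push(MessageList *l, Publication *pub) {
    Message *m = calloc(1, sizeof *m);
    m->publish = pub;
    if (pub) pub->refcount++;
    m->next = l->head;
    l->head = m;
}

/* Drop one reference; free only when nothing refers to it. Returns 1 if freed. */
static int remove_publication(Publication *p) {
    if (p == NULL || --p->refcount > 0) return 0;
    free(p);
    return 1;
}

/* Empty the list, returning how many publications were freed; NULL content is skipped. */
static int empty_message_list(MessageList *l) {
    int freed = 0;
    for (Message *cur = l->head, *next; cur; cur = next) {
        next = cur->next;
        if (cur->publish) {
            freed += remove_publication(cur->publish);
            cur->publish = NULL;   /* this entry can never free it again */
        }
        free(cur);
    }
    l->head = NULL;
    return freed;
}

/* Constructed scenario: one publication referenced from two lists plus a NULL
 * entry; tearing down both lists must free each publication exactly once. */
static int scenario(void) {
    MessageList inbound = {0}, outbound = {0};
    Publication *shared = calloc(1, sizeof *shared);
    list_push(&inbound, shared);
    list_push(&outbound, shared);
    list_push(&inbound, NULL);
    list_push(&inbound, calloc(1, sizeof(Publication)));
    int freed = empty_message_list(&inbound);     /* frees the unshared one */
    return freed + empty_message_list(&outbound); /* now frees shared: 2 */
}
```

Running the same scenario under AddressSanitizer (gcc -fsanitize=address) is a quick way to confirm a teardown path neither dereferences a NULL content pointer nor frees a shared publication twice.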
