Fixes from fuzzer. 1) CONNECT decode failure treated as success (mqtt_broker.c:3367). 2) Memory leak in BrokerSubs_Remove (mqtt_broker.c:1584). 3) Memory leak in MqttBroker_Free (mqtt_broker.c:3777)

dgarske · dgarske · commit f1b2e91a28b0 · 2026-03-18T10:02:15.000-07:00
diff --git a/src/mqtt_broker.c b/src/mqtt_broker.c
@@ -1581,6 +1581,9 @@ static void BrokerSubs_Remove(MqttBroker* broker, BrokerClient* bc,
             WBLOG_INFO(broker, "broker: sub remove sock=%d filter=%s",
                 (int)bc->sock, cur->filter);
             WOLFMQTT_FREE(cur->filter);
+            if (cur->client_id) {
+                WOLFMQTT_FREE(cur->client_id);
+            }
             WOLFMQTT_FREE(cur);
             return;
         }
@@ -3364,8 +3367,8 @@ static int BrokerClient_Process(MqttBroker* broker, BrokerClient* bc)
             case MQTT_PACKET_TYPE_CONNECT:
             {
                 int c_rc = BrokerHandle_Connect(bc, rc, broker);
-                if (c_rc == 0) {
-                    /* Auth rejected, disconnect */
+                if (c_rc <= 0) {
+                    /* Decode failed or auth rejected, disconnect */
                     BrokerSubs_RemoveClient(broker, bc);
                     BrokerClient_Remove(broker, bc);
                     return 0;
@@ -3774,6 +3777,18 @@ int MqttBroker_Free(MqttBroker* broker)
         BrokerSubs_RemoveClient(broker, broker->clients);
         BrokerClient_Remove(broker, broker->clients);
     }
+    /* Free any orphaned subs (e.g. from clean_session=0 clients) */
+    while (broker->subs) {
+        BrokerSub* next = broker->subs->next;
+        if (broker->subs->filter) {
+            WOLFMQTT_FREE(broker->subs->filter);
+        }
+        if (broker->subs->client_id) {
+            WOLFMQTT_FREE(broker->subs->client_id);
+        }
+        WOLFMQTT_FREE(broker->subs);
+        broker->subs = next;
+    }
 #endif
 
     /* Clean up pending wills and retained messages */
