
Builder curl-ares-solaris11-sparc Build #5762

Results:

Build successful

SourceStamp:

Project curl
Repository https://github.com/curl/curl.git
Branch master
Revision 2bb5c9b5552d37f08a439f2bec400009321d325c
Got Revision 2bb5c9b5552d37f08a439f2bec400009321d325c
Changes 1 change

BuildSlave:

unstable11s

Reason:

The SingleBranchScheduler scheduler named 'schedule-curl-ares-solaris11-sparc' triggered this build

Steps and Logfiles:

  1. git update ( 6 secs )
    1. stdio
  2. Runtest './tests/testcurl.pl --nogitpull ...' ( 2 mins, 37 secs )
    1. stdio
    2. resultlog
  3. Mail result 'cat resultlog ...' ( 0 secs )
    1. stdio

Build Properties:

Name Value Source
branch master Build
builddir /export/home/buildbot/slave/curl-ares-solaris11-sparc slave
buildername curl-ares-solaris11-sparc Builder
buildnumber 5762 Build
codebase Build
got_revision 2bb5c9b5552d37f08a439f2bec400009321d325c Git
osplatform SPARC SetPropertyFromCommand Step
osrelease 11 SetPropertyFromCommand Step
project curl Build
repository https://github.com/curl/curl.git Build
revision 2bb5c9b5552d37f08a439f2bec400009321d325c Build
scheduler schedule-curl-ares-solaris11-sparc Scheduler
slavename unstable11s BuildSlave
workdir /export/home/buildbot/slave/curl-ares-solaris11-sparc slave (deprecated)

Forced Build Properties:

Name Label Value

Responsible Users:

  1. Raymond Steen

Timing:

Start Thu Apr 30 14:22:58 2026
End Thu Apr 30 14:49:15 2026
Elapsed 26 mins, 17 secs

All Changes:

  1. Change #265989

    Category curl
    Changed by Raymond Steen <raymondohnoyoudont@vortiqxconsilium.com>
    Changed at Thu 30 Apr 2026 14:14:44
    Repository https://github.com/curl/curl.git
    Project curl
    Branch master
    Revision 2bb5c9b5552d37f08a439f2bec400009321d325c

    Comments

    mqtt: validate PINGRESP and DISCONNECT have remaining_length == 0
    Per MQTT 3.1.1 sections 3.13.1 and 3.14.1, PINGRESP and DISCONNECT fixed
    headers must have remaining_length set to zero. The previous code
    dispatched to mqtt->nextstate based on the queued state alone without
    validating remaining_length for these no-payload packet types, allowing
    a malicious broker to send a PINGRESP with non-zero remaining_length
    whose trailing bytes would be interpreted as the payload of whatever
    message type was queued (CONNACK, SUBACK, etc.).
    
    The exploitation path turned out to be narrow — curl sends data to the
    server the user chose to talk to — but the spec violation and the
    resulting protocol-state error are real. Reject the malformed packets
    with CURLE_WEIRD_SERVER_REPLY before state dispatch.
    
    Reported-by: Raymond Steen <raymond@vortiqxconsilium.com>
    Found by VORTIQ-X VXF Framework
    Bug: https://hackerone.com/reports/3702718
    
    Signed-off-by: Raymond Steen <raymond@vortiqxconsilium.com>
    Closes #21465

    Changed files

    • lib/mqtt.c
    • tests/data/Makefile.am
    • tests/data/test2206
    • tests/data/test2207
    • tests/server/mqttd.c