Denial of Service vulnerability in curl when parsing MQTT server response
Severity: Medium
## Vulnerability Details
## Summary:
curl remains in an infinite loop when it receives a suitably crafted MQTT server response.
## Steps To Reproduce:
### Step 1:
Run the following on Linux with the attached file "poc":
```
$ socat -u FILE:poc TCP-LISTEN:12345,reuseaddr,fork
```
### Step 2:
Use curl:
```
$ curl mqtt://localhost:12345
```
### Step 3:
Observe the output of "top": the curl process stays at full CPU and never exits.
## Supporting Material/References:
* F1667277 (poc file to host for curl to access)
* F1667276 (screen capture of top)
## Debugging Notes:
Debug trace output (`curl --trace-ascii`) just before curl enters the loop:
```
=> Send header, 26 bytes (0x1a)
0000: 10 18 00 04 4d 51 54 54 04 02 00 3c 00 0c 63 75 ....MQTT...<..cu
0010: 72 6c 36 30 64 33 32 37 66 39 rl60d327f9
== Info: MQTT_FIRST (from MQTT_FIRST) (next is MQTT_CONNACK)
== Info: STATE: DO => DOING handle 0x5555555dc0d8; line 2132 (connection #0)
== Info: mqtt_doing: state [0]
== Info: mqtt_doing: state [0]
== Info: mqtt_doing: state [0]
== Info: mqtt_doing: state [0]
== Info: mqtt_doing: state [0]
== Info: mqtt_doing: state [0]
== Info: mqtt_doing: state [0]
...
```
This section of lib/multi.c looks suspicious (the `line 2132` in the trace above points here, immediately before the loop starts):
```
2130 /* DO was not completed in one function call, we must continue
2131 DOING... */
2132 multistate(data, MSTATE_DOING);
2133 rc = CURLM_OK;
2134 }
```
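To make the trace above readable, here is a small decoder for the 26-byte MQTT CONNECT packet that curl sends (the bytes are copied from the hex dump in the debug trace). This is an added example and not curl's code; it parses the packet with explicit bounds checks and caps the MQTT "Remaining Length" varint at the 4 bytes the MQTT 3.1.1 spec allows, so a malformed length raises an error instead of being consumed indefinitely. The `parse_connect`/`safe_parse` names are this example's own.

```python
# Added example (not curl's code): decode the MQTT CONNECT packet shown in the
# debug trace above and show bounds-checked parsing of the fixed header.

# Copied from the page's hex dump: "=> Send header, 26 bytes (0x1a)".
CAPTURED_CONNECT = bytes.fromhex(
    "10 18 00 04 4d 51 54 54 04 02 00 3c 00 0c 63 75"
    "72 6c 36 30 64 33 32 37 66 39"
)


def decode_remaining_length(buf, offset=1):
    """MQTT 3.1.1 variable-length integer: 1 to 4 bytes, 7 data bits each.

    Returns (value, next_offset). Raises ValueError if the field is truncated
    or uses more than the 4 bytes the spec permits, rather than reading on.
    """
    value = 0
    multiplier = 1
    for i in range(4):
        if offset + i >= len(buf):
            raise ValueError("truncated Remaining Length")
        b = buf[offset + i]
        value += (b & 0x7F) * multiplier
        if not (b & 0x80):            # top bit clear: last byte of the varint
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("Remaining Length longer than 4 bytes")


def read_utf8_string(buf, offset):
    """Length-prefixed (2-byte big-endian) UTF-8 string, bounds-checked."""
    if offset + 2 > len(buf):
        raise ValueError("truncated string length")
    n = int.from_bytes(buf[offset:offset + 2], "big")
    end = offset + 2 + n
    if end > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[offset + 2:end].decode("utf-8"), end


def parse_connect(buf):
    """Decode a CONNECT packet into its fields; every read is bounds-checked."""
    if not buf or (buf[0] >> 4) != 1:    # control packet type 1 == CONNECT
        raise ValueError("not a CONNECT packet")
    remaining, pos = decode_remaining_length(buf, 1)
    if pos + remaining != len(buf):
        raise ValueError("Remaining Length does not match packet size")
    protocol, pos = read_utf8_string(buf, pos)
    if pos + 4 > len(buf):
        raise ValueError("truncated variable header")
    level = buf[pos]
    flags = buf[pos + 1]
    keepalive = int.from_bytes(buf[pos + 2:pos + 4], "big")
    pos += 4
    client_id, pos = read_utf8_string(buf, pos)
    return {
        "protocol": protocol,
        "level": level,
        "clean_session": bool(flags & 0x02),
        "keepalive": keepalive,
        "client_id": client_id,
    }


def safe_parse(buf):
    """Return the decoded fields, or None if the packet is malformed."""
    try:
        return parse_connect(buf)
    except ValueError:
        return None


if __name__ == "__main__":
    print(parse_connect(CAPTURED_CONNECT))
```

Running it decodes the trace bytes as protocol "MQTT" level 4, clean session, keep-alive 60 seconds and client id "curl60d327f9". The point for a reviewer is the shape of the parser: every length comes from the packet and is checked against the buffer before it is used, so unexpected input fails fast. Anything that fetches untrusted URLs with curl in an automated fashion should additionally bound each transfer (curl's `--max-time`) so that a hang like the one reported here cannot pin a worker indefinitely.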
## Credits
Jenny Heino and Antti Levomäki from Forcepoint
## Impact
An attacker can cause a Denial of Service by serving malicious content behind an MQTT URL. For example, internet crawlers could be affected, as could any other implementation that automatically fetches user-provided URLs with curl.
## Report Stats
- Report ID: 1521610
- State: Closed
- Substate: informative
- Upvotes: 3