Fix heap overflow when reading corrupt config with "log_dest file".

ChangeLog.txt

@@ -31,6 +31,7 @@ Broker:
   not a string, when loading the dynsec config from file only.
 - Dynsec plugin will not allow duplicate clients/groups/roles when loading
   config from file, which matches the behaviour for when creating them.
+- Fix heap overflow when reading corrupt config with "log_dest file".
 
 Client library:
 - Use CLOCK_BOOTTIME when available, to keep track of time. This solves the

src/conf.c

@@ -1533,15 +1533,16 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
 						}else if(!strcmp(token, "dlt")){
 							cr->log_dest |= MQTT3_LOG_DLT;
 						}else if(!strcmp(token, "file")){
-							cr->log_dest |= MQTT3_LOG_FILE;
 							if(config->log_fptr || config->log_file){
 								log__printf(NULL, MOSQ_LOG_ERR, "Error: Duplicate \"log_dest file\" value.");
 								return MOSQ_ERR_INVAL;
 							}
 							/* Get remaining string. */
-							token = &token[strlen(token)+1];
-							while(token[0] == ' ' || token[0] == '\t'){
-								token++;
+							token = saveptr;
+							if(token && token[0]){
+								while(token[0] == ' ' || token[0] == '\t'){
+									token++;
+								}
 							}
 							if(token[0]){
 								config->log_file = mosquitto__strdup(token);
@@ -1553,6 +1554,7 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
 								log__printf(NULL, MOSQ_LOG_ERR, "Error: Empty \"log_dest file\" value in configuration.");
 								return MOSQ_ERR_INVAL;
 							}
+							cr->log_dest |= MQTT3_LOG_FILE;
 						}else{
 							log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid log_dest value (%s).", token);
 							return MOSQ_ERR_INVAL;

src/handle_connect.c

@@ -951,6 +951,7 @@ int handle__connect(struct mosquitto *context)
 
 
 handle_connect_error:
+	mosquitto_property_free_all(&properties);
 	mosquitto__free(auth_data);
 	mosquitto__free(client_id);
 	mosquitto__free(username);