mqtt5 issue reproduce #995

Draft
david-cermak wants to merge 4 commits into espressif:master from david-cermak:test/mqtt5_issue
david-cermak (Collaborator) commented Jan 22, 2026

Note

Introduces an MQTT v5-focused example and tooling to reproduce an issue scenario.

  • Replace app_main.cpp with app_main.c implementing an MQTT v5 client: subscribes to sensor/data, logs MQTT v5 user/message properties, and connects to mqtt://192.168.33.99:1884
  • Add mqtt5_broker_stub.py minimal broker: replies to CONNECT/SUBSCRIBE and sends a crafted PUBLISH to trigger/reproduce behavior
  • Update CMakeLists.txt to build app_main.c (with optional commented ASan flags)
  • Add sdkconfig.defaults enabling CONFIG_MQTT_PROTOCOL_5

Written by Cursor Bugbot for commit 055bc40. This will update automatically on new commits.

@david-cermak david-cermak self-assigned this Jan 22, 2026
@david-cermak david-cermak marked this pull request as draft January 22, 2026 18:31
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 4 potential issues.

};
const esp_mqtt_client_config_t mqtt5_cfg = {
.broker = {
.address.uri = "mqtt://192.168.33.99:1884",
Hardcoded private IP address in broker configuration

Medium Severity

The broker URI is hardcoded to a private IP address "mqtt://192.168.33.99:1884" which only works on the developer's local network. This example code won't function for anyone else and appears to be accidentally committed test configuration rather than using a configurable option like CONFIG_BROKER_URL.

uint8_t count = esp_mqtt5_client_get_user_property_count(user_property);
if (count) {
esp_mqtt5_user_property_item_t *item = malloc(count * sizeof(esp_mqtt5_user_property_item_t));
if (esp_mqtt5_client_get_user_property(user_property, item, &count) == ESP_OK) {
Missing NULL check after malloc allocation

Medium Severity

The malloc call in print_user_property() doesn't check if the allocation succeeded before using the returned pointer. If malloc returns NULL due to memory exhaustion, passing it to esp_mqtt5_client_get_user_property() will cause undefined behavior or a crash.

break;

case MQTT_EVENT_SUBSCRIBED:
ESP_LOGI(TAG, "MQTT_EVENT_SUBSCRIBED, msg_id=%d, reason code=0x%02x ", event->msg_id, (uint8_t)*event->data);
Unsafe dereference of event->data without validation

Medium Severity

The MQTT_EVENT_SUBSCRIBED handler dereferences event->data to read the reason code without first verifying that event->data is non-NULL and event->data_len is greater than zero. If the event lacks data, this causes a null pointer dereference or reads invalid memory.

},
};

esp_mqtt_client_handle_t client = esp_mqtt_client_init(&mqtt5_cfg);
Missing NULL check after MQTT client initialization

Medium Severity

The return value of esp_mqtt_client_init() is not checked for NULL before being used. If initialization fails (due to memory exhaustion or invalid configuration), the NULL handle is passed to esp_mqtt5_client_set_connect_property(), esp_mqtt_client_register_event(), and esp_mqtt_client_start(), causing crashes or undefined behavior.
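
The validation pattern the review comments above ask for, as an added example that is not part of the pull request or of esp-mqtt. `demo_event_t` is a hypothetical stand-in for the `data` and `data_len` fields of the event so the block builds without ESP-IDF, and the SUBACK bytes are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two event fields the SUBSCRIBED handler reads. */
typedef struct {
    const char *data;   /* SUBACK reason codes, may be NULL */
    int data_len;       /* number of valid bytes at data */
} demo_event_t;

/* Stores the first reason code and returns 0, or returns -1 when the event
 * carries no readable data (NULL pointer or non-positive length). */
int subscribed_reason_code(const demo_event_t *ev, uint8_t *out)
{
    if (ev == NULL || out == NULL || ev->data == NULL || ev->data_len <= 0) {
        return -1;
    }
    *out = (uint8_t)ev->data[0];
    return 0;
}

/* Copies every reason code into a fresh buffer the caller frees.
 * Returns NULL for an empty event or a failed allocation. */
uint8_t *copy_reason_codes(const demo_event_t *ev, size_t *n_out)
{
    uint8_t first;
    if (n_out == NULL || subscribed_reason_code(ev, &first) != 0) {
        return NULL;
    }
    uint8_t *buf = malloc((size_t)ev->data_len);
    if (buf == NULL) {              /* check the allocation before any use */
        return NULL;
    }
    memcpy(buf, ev->data, (size_t)ev->data_len);
    *n_out = (size_t)ev->data_len;
    return buf;
}

int main(void)
{
    /* Constructed sample: granted QoS 1, then 0x80 (unspecified error). */
    const char suback[] = { 0x01, (char)0x80 };
    demo_event_t ok = { suback, 2 }, empty = { NULL, 0 };
    uint8_t rc = 0;
    if (subscribed_reason_code(&ok, &rc) == 0) printf("reason code=0x%02x\n", rc);
    if (subscribed_reason_code(&empty, &rc) != 0) puts("SUBSCRIBED event without data, skipped");
    return 0;
}
```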