🐞 Bug Report: Subscription Identifier Allows Out-of-Range Values in MQTT 5.0 #672

@amitjoy

Description

The HiveMQ MQTT 5.0 client does not validate the Subscription Identifier before encoding, allowing values greater than 268,435,455, which violates the MQTT 5.0 specification. This can lead to malformed SUBSCRIBE packets, causing broker rejection or client disconnection.

Steps to Reproduce

  1. Create a subscription with an invalid Subscription Identifier (> 268,435,455).
  2. The client encodes the packet without validation.
  3. The broker rejects the packet or disconnects the client due to an MQTT protocol violation.

Expected Behavior

The client should validate the Subscription Identifier before encoding:
• It should be between 1 and 268,435,455.
• If out-of-range, the client should throw an IllegalArgumentException instead of encoding an invalid packet.

Affected Code

Class: Mqtt5SubscribeEncoder
Method: encodeProperties()

📌 Current implementation does not validate the range before encoding:

encodeVariableByteIntegerProperty(SUBSCRIPTION_IDENTIFIER, message.getSubscriptionIdentifier(),
            DEFAULT_NO_SUBSCRIPTION_IDENTIFIER, out);

Suggested Fix

Add a validation check before encoding inside Mqtt5SubscribeEncoder.encodeProperties():

int subscriptionId = message.getSubscriptionIdentifier();

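// ✅ Ensure Subscription Identifier is within valid range (1 - 268,435,455).
// DEFAULT_NO_SUBSCRIPTION_IDENTIFIER marks "no identifier set" and must not be rejected.
if (subscriptionId != DEFAULT_NO_SUBSCRIPTION_IDENTIFIER
        && (subscriptionId < 1 || subscriptionId > 268435455)) {
    throw new IllegalArgumentException("Invalid Subscription Identifier: " + subscriptionId);
}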

encodeVariableByteIntegerProperty(SUBSCRIPTION_IDENTIFIER, subscriptionId,
            DEFAULT_NO_SUBSCRIPTION_IDENTIFIER, out);

Impact

• If an out-of-range Subscription Identifier is sent, brokers will reject the subscription.
• The client may receive an unexpected disconnection.
• The issue may affect QoS 1 & 2 message delivery if subscriptions are invalid.

Additional Context

MQTT 5.0 Specification: MQTT-5.0 Spec - Subscription Identifier
Similar issue not found in Eclipse Paho Java Client, which skips invalid Subscription Identifiers < 1 but does not check upper limits.
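
Why 268,435,455 is the limit, as an added example that is not part of the original report and is not HiveMQ client code: an MQTT Variable Byte Integer carries 7 data bits per byte and may be at most 4 bytes long, so any larger value needs a fifth byte and the packet becomes malformed. The class name, method names and the unchecked encoder below are hypothetical, written only to show the byte-level effect.

```java
import java.io.ByteArrayOutputStream;

// Added example: hypothetical names, not the HiveMQ client's encoder.
public class SubscriptionIdentifierRangeDemo {

    // Largest value that fits in a 4-byte Variable Byte Integer (0xFF 0xFF 0xFF 0x7F).
    static final int MAX_VARIABLE_BYTE_INTEGER = 268_435_455;

    // Variable Byte Integer scheme with no length limit enforced:
    // low 7 bits are data, the high bit signals that another byte follows.
    static byte[] encodeUnchecked(int value) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        do {
            int b = value & 0x7F;
            value >>>= 7;
            if (value > 0) {
                b |= 0x80; // continuation bit
            }
            out.write(b);
        } while (value > 0);
        return out.toByteArray();
    }

    // Same encoding, but the range the report asks for is checked first.
    static byte[] encodeSubscriptionIdentifier(int id) {
        if (id < 1 || id > MAX_VARIABLE_BYTE_INTEGER) {
            throw new IllegalArgumentException("Invalid Subscription Identifier: " + id);
        }
        return encodeUnchecked(id);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02X ", b & 0xFF));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        int max = MAX_VARIABLE_BYTE_INTEGER;
        // Constructed sample values: the maximum and the first out-of-range value.
        System.out.println(max + " -> " + hex(encodeSubscriptionIdentifier(max)));
        System.out.println((max + 1) + " unchecked -> " + hex(encodeUnchecked(max + 1)));
        try {
            encodeSubscriptionIdentifier(max + 1);
        } catch (IllegalArgumentException e) {
            System.out.println("checked -> " + e.getMessage());
        }
    }
}
```

The maximum encodes to four bytes, FF FF FF 7F, while the unchecked encoder turns 268,435,456 into five bytes, 80 80 80 80 01, which a conforming receiver treats as a malformed packet.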
