From 332bcb39a338b62303f921b3df298a6a4e50de19 Mon Sep 17 00:00:00 2001
From: Nathaniel Wesley Filardo
Date: Wed, 19 Apr 2017 14:16:44 -0400
Subject: [PATCH] mqtt: fix several buffer length checks (#1906)

Partially addresses nodemcu/nodemcu-firmware#1773.

---
 app/mqtt/mqtt_msg.c | 25 +++++++++++-------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/app/mqtt/mqtt_msg.c b/app/mqtt/mqtt_msg.c
index 8306fc65..0f206fcc 100644
--- a/app/mqtt/mqtt_msg.c
+++ b/app/mqtt/mqtt_msg.c
@@ -162,7 +162,7 @@ const char* mqtt_get_publish_topic(uint8_t* buffer, uint16_t* length)
 }
 totlen += i;
 
- if(i + 2 >= *length)
+ if(i + 2 > *length)
 return NULL;
 topiclen = buffer[i++] << 8;
 topiclen |= buffer[i++];
@@ -191,12 +191,12 @@ const char* mqtt_get_publish_data(uint8_t* buffer, uint16_t* length)
 }
 totlen += i;
 
- if(i + 2 >= *length)
+ if(i + 2 > *length)
 return NULL;
 topiclen = buffer[i++] << 8;
 topiclen |= buffer[i++];
 
- if(i + topiclen >= *length){
+ if(i + topiclen > *length){
 *length = 0;
 return NULL;
 }
@@ -204,7 +204,7 @@ const char* mqtt_get_publish_data(uint8_t* buffer, uint16_t* length)
 
 if(mqtt_get_qos(buffer) > 0)
 {
- if(i + 2 >= *length)
+ if(i + 2 > *length)
 return NULL;
 i += 2;
 }
@@ -231,6 +231,9 @@ uint16_t mqtt_get_id(uint8_t* buffer, uint16_t length)
 int i;
 int topiclen;
 
+ if(mqtt_get_qos(buffer) <= 0)
+ return 0;
+
 for(i = 1; i < length; ++i)
 {
 if((buffer[i] & 0x80) == 0)
@@ -240,23 +243,17 @@ uint16_t mqtt_get_id(uint8_t* buffer, uint16_t length)
 }
 }
 
- if(i + 2 >= length)
+ if(i + 2 > length)
 return 0;
 topiclen = buffer[i++] << 8;
 topiclen |= buffer[i++];
 
- if(i + topiclen >= length)
+ if(i + topiclen > length)
 return 0;
 i += topiclen;
 
- if(mqtt_get_qos(buffer) > 0)
- {
- if(i + 2 >= length)
- return 0;
- //i += 2;
- } else {
- return 0;
- }
+ if(i + 2 > length)
+ return 0;
 
 return (buffer[i] << 8) | buffer[i + 1];
 }
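Review bot: The two failure exits in this hunk of mqtt_get_publish_data leave `*length` in different states: the new `if(i + 2 > *length) return NULL;` returns with the caller's length untouched, while the `i + topiclen > *length` branch immediately below clears it with `*length = 0;` before returning. A caller that relies on the returned length rather than on the NULL pointer would still see the full packet length on the first path and could read past the topic that was never there. Add `*length = 0;` before the first `return NULL;` so both exits agree (the parallel exit in mqtt_get_publish_topic, in the hunk above, also returns NULL without clearing `*length`), or state in a comment above the function that NULL is the only failure signal and `*length` is meaningless when it is returned. The function's opening and its final length computation are outside this hunk.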
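Review bot: The added `if(mqtt_get_qos(buffer) <= 0) return 0;` in mqtt_get_id reads buffer[0] before any check on `length` that is visible in this hunk; the loop below it stays inside `length`, but an empty buffer would already have been dereferenced by then. The function's opening lines are outside this view, so if it does not already reject `length < 1` there, make the guard `if(length < 1 || mqtt_get_qos(buffer) <= 0) return 0;`. With this change 0 is returned both for a QoS-0 PUBLISH and for every malformed packet, which is sound because MQTT 3.1.1 requires a non-zero packet identifier, but that contract deserves a comment on the new line, e.g. `/* 0 is not a valid MQTT packet id, so it also serves as the "no id / malformed" result */`.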