MirrorSave
/
nodemcu-firmware
mirror of https://github.com/nodemcu/nodemcu-firmware.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

mqtt: fix several buffer length checks (#1906) 

Partially addresses nodemcu/nodemcu-firmware#1773.
This commit is contained in:
Nathaniel Wesley Filardo 2017-04-19 14:16:44 -04:00 committed by Arnim Läuger
parent d777fdc50a
commit 332bcb39a3
1 changed files with 11 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
app/mqtt/mqtt_msg.c
View File

@ -162,7 +162,7 @@ const char* mqtt_get_publish_topic(uint8_t* buffer, uint16_t* length)
}
totlen += i;
if(i + 2 >= *length)
if(i + 2 > *length)
return NULL;
topiclen = buffer[i++] << 8;
topiclen |= buffer[i++];
@ -191,12 +191,12 @@ const char* mqtt_get_publish_data(uint8_t* buffer, uint16_t* length)
}
totlen += i;
if(i + 2 >= *length)
if(i + 2 > *length)
return NULL;
topiclen = buffer[i++] << 8;
topiclen |= buffer[i++];
if(i + topiclen >= *length){
if(i + topiclen > *length){
*length = 0;
return NULL;
}
@ -204,7 +204,7 @@ const char* mqtt_get_publish_data(uint8_t* buffer, uint16_t* length)
if(mqtt_get_qos(buffer) > 0)
{
if(i + 2 >= *length)
if(i + 2 > *length)
return NULL;
i += 2;
}
@ -231,6 +231,9 @@ uint16_t mqtt_get_id(uint8_t* buffer, uint16_t length)
int i;
int topiclen;
if(mqtt_get_qos(buffer) <= 0)
return 0;
for(i = 1; i < length; ++i)
{
if((buffer[i] & 0x80) == 0)
@ -240,23 +243,17 @@ uint16_t mqtt_get_id(uint8_t* buffer, uint16_t length)
}
}
if(i + 2 >= length)
if(i + 2 > length)
return 0;
topiclen = buffer[i++] << 8;
topiclen |= buffer[i++];
if(i + topiclen >= length)
if(i + topiclen > length)
return 0;
i += topiclen;
if(mqtt_get_qos(buffer) > 0)
{
if(i + 2 >= length)
return 0;
//i += 2;
} else {
return 0;
}
if(i + 2 > length)
return 0;
return (buffer[i] << 8) | buffer[i + 1];
}