
Commit d9f6be8

Check all variable byte decodes for valid length
1 parent b57673e commit d9f6be8


1 file changed

+32
-0
lines changed


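--- a/src/mqtt_packet.c
+++ b/src/mqtt_packet.c
@@ -500,6 +500,10 @@ int MqttDecode_Props(MqttPacketType packet, MqttProp** props, byte* pbuf,
 }
 
 /* Decode the Identifier */
+if (buf_len < (word32)(buf - pbuf)) {
+rc = MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+break;
+}
 rc = MqttDecode_Vbi(buf, (word32*)&cur_prop->type,
 (word32)(buf_len - (buf - pbuf)));
 if (rc < 0) {
@@ -562,6 +566,10 @@ int MqttDecode_Props(MqttPacketType packet, MqttProp** props, byte* pbuf,
 }
 case MQTT_DATA_TYPE_VAR_INT:
 {
+if (buf_len < (word32)(buf - pbuf)) {
+rc = MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+break;
+}
 tmp = MqttDecode_Vbi(buf, &cur_prop->data_int,
 (word32)(buf_len - (buf - pbuf)));
 if (tmp < 0) {
@@ -829,6 +837,9 @@ int MqttDecode_ConnectAck(byte *rx_buf, int rx_buf_len,
 word32 props_len = 0;
 int tmp;
 /* Decode Length of Properties */
+if (rx_buf_len < (rx_payload - rx_buf)) {
+return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+}
 tmp = MqttDecode_Vbi(rx_payload, &props_len,
 (word32)(rx_buf_len - (rx_payload - rx_buf)));
 if (tmp < 0) {
@@ -1011,6 +1022,9 @@ int MqttDecode_Publish(byte *rx_buf, int rx_buf_len, MqttPublish *publish)
 int tmp;
 
 /* Decode Length of Properties */
+if (rx_buf_len < (rx_payload - rx_buf)) {
+return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+}
 tmp = MqttDecode_Vbi(rx_payload, &props_len,
 (word32)(rx_buf_len - (rx_payload - rx_buf)));
 if (tmp < 0)
@@ -1169,6 +1183,9 @@ int MqttDecode_PublishResp(byte* rx_buf, int rx_buf_len, byte type,
 int tmp;
 
 /* Decode Length of Properties */
+if (rx_buf_len < (rx_payload - rx_buf)) {
+return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+}
 tmp = MqttDecode_Vbi(rx_payload, &props_len,
 (word32)(rx_buf_len - (rx_payload - rx_buf)));
 if (tmp < 0)
@@ -1313,6 +1330,9 @@ int MqttDecode_SubscribeAck(byte* rx_buf, int rx_buf_len,
 int tmp;
 
 /* Decode Length of Properties */
+if (rx_buf_len < (rx_payload - rx_buf)) {
+return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+}
 tmp = MqttDecode_Vbi(rx_payload, &props_len,
 (word32)(rx_buf_len - (rx_payload - rx_buf)));
 if (tmp < 0)
@@ -1452,6 +1472,9 @@ int MqttDecode_UnsubscribeAck(byte *rx_buf, int rx_buf_len,
 int tmp;
 
 /* Decode Length of Properties */
+if (rx_buf_len < (rx_payload - rx_buf)) {
+return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+}
 tmp = MqttDecode_Vbi(rx_payload, &props_len,
 (word32)(rx_buf_len - (rx_payload - rx_buf)));
 if (tmp < 0)
@@ -1635,6 +1658,9 @@ int MqttDecode_Disconnect(byte *rx_buf, int rx_buf_len, MqttDisconnect *disc)
 
 if (remain_len > 1) {
 /* Decode Length of Properties */
+if (rx_buf_len < (rx_payload - rx_buf)) {
+return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+}
 tmp = MqttDecode_Vbi(rx_payload, &props_len,
 (word32)(rx_buf_len - (rx_payload - rx_buf)));
 if (tmp < 0)
@@ -1750,6 +1776,9 @@ int MqttDecode_Auth(byte *rx_buf, int rx_buf_len, MqttAuth *auth)
 auth->props = NULL;
 
 /* Decode Length of Properties */
+if (rx_buf_len < (rx_payload - rx_buf)) {
+return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+}
 tmp = MqttDecode_Vbi(rx_payload, &props_len,
 (word32)(rx_buf_len - (rx_payload - rx_buf)));
 if (tmp < 0)
@@ -2018,6 +2047,9 @@ int MqttPacket_Read(MqttClient *client, byte* rx_buf, int rx_buf_len,
 }
 
 /* Try and decode remaining length */
+if (rx_buf_len < (client->packet.header_len - (i + 1))) {
+return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+}
 rc = MqttDecode_Vbi(header->len,
 (word32*)&client->packet.remain_len,
 rx_buf_len - (client->packet.header_len - (i + 1)));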
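Review bot: The new guards use a strict `<`, so the case where the consumed offset equals the buffer length still reaches `MqttDecode_Vbi` with a remaining length of 0; this is the same in all ten hunks (`MqttDecode_Props` twice, the seven `rx_payload` call sites, and `MqttPacket_Read`). That is safe only if `MqttDecode_Vbi` checks its length before reading the first byte, which this diff does not show; `if (rx_buf_len <= (rx_payload - rx_buf))` (and `buf_len <= (word32)(buf - pbuf)` in `MqttDecode_Props`) would make each call site reject an exhausted buffer on its own. In the `MQTT_DATA_TYPE_VAR_INT` case the added `break` leaves only the `switch`, so the error depends on `rc` being tested after it, outside the hunk. In `MqttPacket_Read` the guard compares `rx_buf_len` with `client->packet.header_len - (i + 1)` without the explicit `(word32)` cast used at the other call sites; `header_len` and `i` are declared outside the hunk, so confirm the subtraction cannot go negative or wrap before it is passed as the length.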
