Skip to content

Commit

Permalink
Fix string prop OOB read
Browse files Browse the repository at this point in the history
  • Loading branch information
@embhorn
embhorn committed Feb 2, 2024
1 parent c6c93ce commit b57673e
Showing 1 changed file with 4 additions and 5 deletions.
9 changes: 4 additions & 5 deletions src/mqtt_packet.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -549,7 +549,7 @@ int MqttDecode_Props(MqttPacketType packet, MqttProp** props, byte* pbuf,
tmp = MqttDecode_String(buf,
(const char**)&cur_prop->data_str.str,
&cur_prop->data_str.len);
if (cur_prop->data_str.len <= (buf_len - (buf - pbuf))) {
if ((tmp >= 0) && ((word32)tmp <= (buf_len - (buf - pbuf)))) {
buf += tmp;
total += tmp;
prop_len -= (word32)tmp;
Expand Down Expand Up @@ -600,17 +600,16 @@ int MqttDecode_Props(MqttPacketType packet, MqttProp** props, byte* pbuf,
tmp = MqttDecode_String(buf,
(const char**)&cur_prop->data_str.str,
&cur_prop->data_str.len);
if (cur_prop->data_str.len <=
(buf_len - (buf - pbuf))) {
if ((tmp >= 0) && ((word32)tmp <= (buf_len - (buf - pbuf)))) {
buf += tmp;
total += tmp;
prop_len -= (word32)tmp;
if ((buf_len - (buf - pbuf)) > 0) {
tmp = MqttDecode_String(buf,
(const char**)&cur_prop->data_str2.str,
&cur_prop->data_str2.len);
if (cur_prop->data_str2.len <=
(buf_len - (buf - pbuf))) {
if ((tmp >= 0) && ((word32)tmp <=
(buf_len - (buf - pbuf)))) {
buf += tmp;
total += tmp;
prop_len -= (word32)tmp;
Expand Down

0 comments on commit b57673e

Please sign in to comment.