From dc8d8371cfdc64793e7828450ec874782b334cfd Mon Sep 17 00:00:00 2001
From: Ian Craggs
Date: Tue, 6 Jun 2023 15:12:54 +0100
Subject: [PATCH] Fix potential overwrites #242
---
 MQTTPacket/src/MQTTSubscribeServer.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/MQTTPacket/src/MQTTSubscribeServer.c b/MQTTPacket/src/MQTTSubscribeServer.c
index 5579645f..3cb05c94 100644
--- a/MQTTPacket/src/MQTTSubscribeServer.c
+++ b/MQTTPacket/src/MQTTSubscribeServer.c
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2014 IBM Corp.
+ * Copyright (c) 2014, 2023 IBM Corp., Ian Craggs
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -38,7 +38,7 @@ int MQTTDeserialize_subscribe(unsigned char* dup, unsigned short* packetid, int
  MQTTHeader header = {0};
  unsigned char* curdata = buf;
  unsigned char* enddata = NULL;
- int rc = -1;
+ int rc = MQTTPACKET_READ_ERROR;
  int mylen = 0;
  FUNC_ENTRY;
@@ -47,7 +47,11 @@ int MQTTDeserialize_subscribe(unsigned char* dup, unsigned short* packetid, int
  goto exit;
  *dup = header.bits.dup;
- curdata += (rc = MQTTPacket_decodeBuf(curdata, &mylen)); /* read remaining length */
+ rc = MQTTPacket_decodeBuf(curdata, &mylen); /* read remaining length */
+ if (rc <= 0)
+ goto exit;
+ curdata += rc;
+ rc = MQTTPACKET_READ_ERROR;
  enddata = curdata + mylen;
  *packetid = readInt(&curdata);
@@ -55,6 +59,8 @@ int MQTTDeserialize_subscribe(unsigned char* dup, unsigned short* packetid, int
  *count = 0;
  while (curdata < enddata)
  {
+ if (*count == maxcount)
+ goto exit;
  if (!readMQTTLenString(&topicFilters[*count], &curdata, enddata))
  goto exit;
  if (curdata >= enddata) /* do we have enough data to read the req_qos version byte? */
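Review bot: `enddata = curdata + mylen;` still trusts the remaining-length value decoded from the packet, so the new `rc <= 0` guard stops a failed decode but not a length that runs past the caller's buffer or is shorter than the two bytes `readInt(&curdata)` reads for the packet id on the next line. Before computing `enddata` I would add a bound such as `if (mylen < 2 || mylen > buflen - (int)(curdata - buf)) goto exit;`. The signature is cut off in the hunk header, so this assumes the buffer-length parameter (`buflen` in this library's deserialize functions) is in scope here. The function body starts and ends outside the hunk.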
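Review bot: The new bound at the top of the `while` loop compares with `==`, so it protects the write to `topicFilters[*count]` only when the counter lands exactly on `maxcount`; if a caller ever passes a negative `maxcount` the test never matches and the loop keeps indexing the array. `if (*count >= maxcount)` costs nothing and covers that case. A short comment above the check, for example `/* more topic filters than the caller's arrays can hold */`, would also help, because this rejection appears to be reported with the same `MQTTPACKET_READ_ERROR` as a malformed packet. The loop body continues past the end of the hunk.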