Fix potential overwrites eclipse-paho#242

pearmaster · Oct 25, 2024 · 86e71a7 · 86e71a7
1 parent 5904933
commit 86e71a7
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/MQTTPacket/src/MQTTSubscribeServer.c b/MQTTPacket/src/MQTTSubscribeServer.c
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2014, 2017 IBM Corp.
+ * Copyright (c) 2014, 2023 IBM Corp., Ian Craggs
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -57,7 +57,7 @@ int MQTTDeserialize_subscribe(unsigned char* dup, unsigned short* packetid, int
 	MQTTHeader header = {0};
 	unsigned char* curdata = buf;
 	unsigned char* enddata = NULL;
-	int32_t rc = -1;
+	int rc = MQTTPACKET_READ_ERROR;
 	int mylen = 0;
 
 	FUNC_ENTRY;
@@ -66,7 +66,11 @@ int MQTTDeserialize_subscribe(unsigned char* dup, unsigned short* packetid, int
 		goto exit;
 	*dup = header.bits.dup;
 
-	curdata += (rc = MQTTPacket_decodeBuf(curdata, &mylen)); /* read remaining length */
+	rc = MQTTPacket_decodeBuf(curdata, &mylen); /* read remaining length */
+	if (rc <= 0)
+		goto exit;
+	curdata += rc;
+	rc = MQTTPACKET_READ_ERROR;
 	enddata = curdata + mylen;
 
 	*packetid = readInt(&curdata);
@@ -79,6 +83,8 @@ int MQTTDeserialize_subscribe(unsigned char* dup, unsigned short* packetid, int
 	*count = 0;
 	while (curdata < enddata)
 	{
+		if (*count == maxcount)
+			goto exit;
 		if (!readMQTTLenString(&topicFilters[*count], &curdata, enddata))
 			goto exit;
 		if (curdata >= enddata) /* do we have enough data to read the req_qos version byte? */