Fix int overflow in parse_mqtt()

PUBLISHED_FROM=f9106d2f746c67ae004aeab12685eaf9cd558cd8

Fix int overflow in parse_mqtt()
PUBLISHED_FROM=f9106d2f746c67ae004aeab12685eaf9cd558cd8
cb602f17 · Sergey Lyubka · 464113c5 · cb602f17 · cb602f17
Commit cb602f17 authored Dec 23, 2019 by Sergey Lyubka
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

mongoose.c mongoose.c +2 -2

mg_mqtt.c src/mg_mqtt.c +2 -2

No files found.
--- a/mongoose.c
+++ b/mongoose.c
@@ -10843,7 +10843,7 @@ static const char *scanto(const char *p, struct mg_str *s) {

 MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
  uint8_t header;
-  size_t len = 0, len_len = 0;
+  uint32_t len, len_len; /* must be 32-bit, see #1055 */
  const char *p, *end, *eop = &io->buf[io->len];
  unsigned char lc = 0;
  int cmd;
@@ -10860,7 +10860,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
    len += (lc & 0x7f) << 7 * len_len;
    len_len++;
    if (!(lc & 0x80)) break;
-    if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG;
+    if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
  }

  end = p + len;

--- a/src/mg_mqtt.c
+++ b/src/mg_mqtt.c
@@ -23,7 +23,7 @@ static const char *scanto(const char *p, struct mg_str *s) {

 MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
  uint8_t header;
-  size_t len = 0, len_len = 0;
+  uint32_t len, len_len; /* must be 32-bit, see #1055 */
  const char *p, *end, *eop = &io->buf[io->len];
  unsigned char lc = 0;
  int cmd;
@@ -40,7 +40,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
    len += (lc & 0x7f) << 7 * len_len;
    len_len++;
    if (!(lc & 0x80)) break;
-    if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG;
+    if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
  }

  end = p + len;