From 16b53e11e2b6e8db07972fc72195eef1c940d3ec Mon Sep 17 00:00:00 2001 From: Rong Shen Date: Thu, 28 Jul 2016 14:38:03 -0700 Subject: [PATCH] Fixed a buffer overflow issue when receiving large MQTT packet. --- extras/paho_mqtt_c/MQTTClient.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/extras/paho_mqtt_c/MQTTClient.c b/extras/paho_mqtt_c/MQTTClient.c index 4df3d8e..9651ca7 100644 --- a/extras/paho_mqtt_c/MQTTClient.c +++ b/extras/paho_mqtt_c/MQTTClient.c @@ -94,8 +94,13 @@ int readPacket(MQTTClient* c, Timer* timer) goto exit; len = 1; /* 2. read the remaining length. This is variable in itself */ - decodePacket(c, &rem_len, left_ms(timer)); - len += MQTTPacket_encode(c->readbuf + 1, rem_len); /* put the original remaining length back into the buffer */ + len += decodePacket(c, &rem_len, left_ms(timer)); + if (len <= 1 || len + rem_len > c->readbuf_size) /* if packet is too big to fit in our readbuf, abort */ + { + rc = READ_ERROR; + goto exit; + } + MQTTPacket_encode(c->readbuf + 1, rem_len); /* put the original remaining length back into the buffer */ /* 3. read the rest of the buffer using a callback to supply the rest of the data */ if (rem_len > 0 && (c->ipstack->mqttread(c->ipstack, c->readbuf + len, rem_len, left_ms(timer)) != rem_len)) {