Check for msgid data length in incoming packets #1084
icraggs committed Mar 22, 2021
1 parent b83aee4 commit a7f0e9a
Showing 2 changed files with 37 additions and 11 deletions.
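--- a/src/MQTTPacket.c
+++ b/src/MQTTPacket.c
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Copyright (c) 2009, 2020 IBM Corp.
+* Copyright (c) 2009, 2021 IBM Corp. and Ian Craggs
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v2.0
@@ -569,7 +569,15 @@ void* MQTTPacket_publish(int MQTTVersion, unsigned char aHeader, char* data, siz
 goto exit;
 }
 if (pack->header.bits.qos > 0) /* Msgid only exists for QoS 1 or 2 */
+{
+if (enddata - curdata < 2) /* Is there enough data for the msgid? */
+{
+free(pack);
+pack = NULL;
+goto exit;
+}
 pack->msgId = readInt(&curdata);
+}
 else
 pack->msgId = 0;
 if (MQTTVersion >= MQTTVERSION_5)
@@ -792,7 +800,15 @@ void* MQTTPacket_ack(int MQTTVersion, unsigned char aHeader, char* data, size_t
 pack->MQTTVersion = MQTTVersion;
 pack->header.byte = aHeader;
 if (pack->header.bits.type != DISCONNECT)
+{
+if (enddata - curdata < 2) /* Is there enough data for the msgid? */
+{
+free(pack);
+pack = NULL;
+goto exit;
+}
 pack->msgId = readInt(&curdata);
+}
 if (MQTTVersion >= MQTTVERSION_5)
 {
 MQTTProperties props = MQTTProperties_initializer;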
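Review bot: The new short-packet exit in the MQTTPacket_publish hunk frees only `pack`, so any buffer the function has already attached to it is leaked on that path. The code before the hunk is not visible here; if the topic name has been read into a heap allocation by then, every truncated QoS 1 or 2 PUBLISH leaks it, and that input is supplied by the remote peer. Release such members first, e.g. `free(pack->topic);` ahead of `free(pack);` if that is the member involved, or send all parse failures through one cleanup label. The MQTTPacket_ack hunk uses the same exit but appears to have set only header fields by that point. Both function bodies start and end outside the hunks.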
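--- a/src/MQTTPacketOut.c
+++ b/src/MQTTPacketOut.c
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Copyright (c) 2009, 2020 IBM Corp.
+* Copyright (c) 2009, 2021 IBM Corp. and Ian Craggs
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v2.0
@@ -150,17 +150,15 @@ void* MQTTPacket_connack(int MQTTVersion, unsigned char aHeader, char* data, siz
 goto exit;
 pack->MQTTVersion = MQTTVersion;
 pack->header.byte = aHeader;
-pack->flags.all = readChar(&curdata); /* connect flags */
-pack->rc = readChar(&curdata); /* reason code */
-if (MQTTVersion < MQTTVERSION_5)
+if (datalen < 2) /* enough data for connect flags and reason code? */
 {
-if (datalen != 2)
-{
-free(pack);
-pack = NULL;
-}
+free(pack);
+pack = NULL;
+goto exit;
 }
-else if (datalen > 2)
+pack->flags.all = readChar(&curdata); /* connect flags */
+pack->rc = readChar(&curdata); /* reason code */
+if (MQTTVersion >= MQTTVERSION_5 && datalen > 2)
 {
 MQTTProperties props = MQTTProperties_initializer;
 pack->properties = props;
@@ -300,6 +298,12 @@ void* MQTTPacket_suback(int MQTTVersion, unsigned char aHeader, char* data, size
 goto exit;
 pack->MQTTVersion = MQTTVersion;
 pack->header.byte = aHeader;
+if (enddata - curdata < 2) /* Is there enough data to read the msgid? */
+{
+free(pack);
+pack = NULL;
+goto exit;
+}
 pack->msgId = readInt(&curdata);
 if (MQTTVersion >= MQTTVERSION_5)
 {
@@ -416,6 +420,12 @@ void* MQTTPacket_unsuback(int MQTTVersion, unsigned char aHeader, char* data, si
 goto exit;
 pack->MQTTVersion = MQTTVersion;
 pack->header.byte = aHeader;
+if (enddata - curdata < 2) /* Is there enough data? */
+{
+free(pack);
+pack = NULL;
+goto exit;
+}
 pack->msgId = readInt(&curdata);
 pack->reasonCodes = NULL;
 if (MQTTVersion >= MQTTVERSION_5)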
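Review bot: The rewritten MQTTPacket_connack check drops the old exact-length test for pre-v5 connections: `datalen != 2` used to reject the packet, while `if (datalen < 2)` now lets a longer CONNACK through with the extra bytes ignored. If strict framing is still wanted for those versions, keep it in the guard, e.g. `if (datalen < 2 || (MQTTVersion < MQTTVERSION_5 && datalen != 2))`. This hunk also tests `datalen` where the suback and unsuback hunks test `enddata - curdata`; using one form throughout would make the length checks easier to audit. All three function bodies start and end outside the hunks.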
