Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net: mqtt: Several bugfixes #23821

Merged
merged 3 commits into from Mar 28, 2020
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
net: mqtt: Improve buffer bounds validation in mqtt_read_message_chunk
Verify more strictly that data read from the transport fits into RX
buffer. Switch to unsigned integers, where possible, to prevent
unnecessary signed/unsigned operations.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
  • Loading branch information
rlubos committed Mar 26, 2020
commit 0b39cbf3c01d7feec9d0dd7cc7e0e374b6113542
15 changes: 9 additions & 6 deletions subsys/net/lib/mqtt/mqtt_rx.c
Expand Up @@ -146,20 +146,23 @@ static int mqtt_handle_packet(struct mqtt_client *client,
static int mqtt_read_message_chunk(struct mqtt_client *client,
struct buf_ctx *buf, u32_t length)
{
int remaining;
u32_t remaining;
int len;

/* In case all data requested has already been buffered, return. */
if (length <= (buf->end - buf->cur)) {
return 0;
}

/* Calculate how much data we need to read from the transport,
* given the already buffered data.
*/
remaining = length - (buf->end - buf->cur);
if (remaining <= 0) {
return 0;
}

/* Check if read does not exceed the buffer. */
if (buf->end + remaining > client->rx_buf + client->rx_buf_size) {
MQTT_ERR("[CID %p]: Buffer too small to receive the message",
if ((buf->end + remaining > client->rx_buf + client->rx_buf_size) ||
(buf->end + remaining < client->rx_buf)) {
MQTT_ERR("[CID %p]: Read would exceed RX buffer bounds.",
client);
return -ENOMEM;
}
Expand Down