Fix heap-based overflow in parse_mqtt
PUBLISHED_FROM=3306592896298597fff5269634df0c1a1555113b
cpq authored and cesantabot committed Jun 13, 2019
1 parent 2bdbfc2 commit b3e0f78
Showing 2 changed files with 10 additions and 10 deletions.
10 changes: 5 additions & 5 deletions mongoose.c
Expand Up @@ -10841,7 +10841,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
uint8_t header;
size_t len = 0, len_len = 0;
const char *p, *end;
const char *p, *end, *eop = &io->buf[io->len];
unsigned char lc = 0;
int cmd;

Expand All @@ -10852,7 +10852,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
/* decode mqtt variable length */
len = len_len = 0;
p = io->buf + 1;
while ((size_t)(p - io->buf) < io->len) {
while (p < eop) {
lc = *((const unsigned char *) p++);
len += (lc & 0x7f) << 7 * len_len;
len_len++;
Expand All @@ -10861,9 +10861,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
}

end = p + len;
if (lc & 0x80 || len > (io->len - (p - io->buf))) {
return MG_MQTT_ERROR_INCOMPLETE_MSG;
}
if (lc & 0x80 || end > eop) return MG_MQTT_ERROR_INCOMPLETE_MSG;

mm->cmd = cmd;
mm->qos = MG_MQTT_GET_QOS(header);
Expand Down Expand Up @@ -10917,7 +10915,9 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
case MG_MQTT_CMD_PUBREL:
case MG_MQTT_CMD_PUBCOMP:
case MG_MQTT_CMD_SUBACK:
if (end - p < 2) return MG_MQTT_ERROR_MALFORMED_MSG;
mm->message_id = getu16(p);
p += 2;
break;
case MG_MQTT_CMD_PUBLISH: {
p = scanto(p, &mm->topic);
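Review bot: `end = p + len;` is evaluated before the `end > eop` test, so for a large decoded length the pointer is formed past the one-past-the-end of `io->buf` and the comparison on the following line is made on a pointer the C standard does not define (it can also wrap on 32-bit targets); keeping the check length-based avoids that, `if (lc & 0x80 || len > (size_t)(eop - p)) return MG_MQTT_ERROR_INCOMPLETE_MSG;` followed by `end = p + len;`. The added `if (end - p < 2)` guard covers the message_id cases, but the PUBLISH branch still passes `p` to `scanto`, whose signature in the hunk header takes no end or length argument, so if it reads a 2-byte length prefix it has no way to know where the buffer stops — worth confirming beyond the visible lines. The same applies to the identical hunks in src/mg_mqtt.c. parse_mqtt's body continues outside these hunks.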
10 changes: 5 additions & 5 deletions src/mg_mqtt.c
Expand Up @@ -24,7 +24,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
uint8_t header;
size_t len = 0, len_len = 0;
const char *p, *end;
const char *p, *end, *eop = &io->buf[io->len];
unsigned char lc = 0;
int cmd;

Expand All @@ -35,7 +35,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
/* decode mqtt variable length */
len = len_len = 0;
p = io->buf + 1;
while ((size_t)(p - io->buf) < io->len) {
while (p < eop) {
lc = *((const unsigned char *) p++);
len += (lc & 0x7f) << 7 * len_len;
len_len++;
Expand All @@ -44,9 +44,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
}

end = p + len;
if (lc & 0x80 || len > (io->len - (p - io->buf))) {
return MG_MQTT_ERROR_INCOMPLETE_MSG;
}
if (lc & 0x80 || end > eop) return MG_MQTT_ERROR_INCOMPLETE_MSG;

mm->cmd = cmd;
mm->qos = MG_MQTT_GET_QOS(header);
Expand Down Expand Up @@ -100,7 +98,9 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
case MG_MQTT_CMD_PUBREL:
case MG_MQTT_CMD_PUBCOMP:
case MG_MQTT_CMD_SUBACK:
if (end - p < 2) return MG_MQTT_ERROR_MALFORMED_MSG;
mm->message_id = getu16(p);
p += 2;
break;
case MG_MQTT_CMD_PUBLISH: {
p = scanto(p, &mm->topic);
