From 3b5369cf2a1851a062510e21261e0904704aebba Mon Sep 17 00:00:00 2001
From: Simon Duquennoy
Date: Mon, 15 Oct 2018 14:11:59 +0200
Subject: [PATCH 1/2] MQTT parse_publish_vhdr: added missing initialization of topic_pos

---
 os/net/app-layer/mqtt/mqtt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/os/net/app-layer/mqtt/mqtt.c b/os/net/app-layer/mqtt/mqtt.c
index 46a542c3f..e73ddb425 100644
--- a/os/net/app-layer/mqtt/mqtt.c
+++ b/os/net/app-layer/mqtt/mqtt.c
@@ -872,6 +872,7 @@ parse_publish_vhdr(struct mqtt_connection *conn,
 /* Read out topic length */
 if(conn->in_packet.topic_len_received == 0) {
+ conn->in_packet.topic_pos = 0;
 conn->in_packet.topic_len = (input_data_ptr[(*pos)++] << 8);
 conn->in_packet.byte_counter++;
 if(*pos >= input_data_len) {

From bcebd3afcfbd472dfc76b5f2d4f599bbc42c97ba Mon Sep 17 00:00:00 2001
From: Simon Duquennoy
Date: Mon, 15 Oct 2018 14:12:08 +0200
Subject: [PATCH 2/2] MQTT parse_publish_vhdr: added missing check of topic length

---
 os/net/app-layer/mqtt/mqtt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/os/net/app-layer/mqtt/mqtt.c b/os/net/app-layer/mqtt/mqtt.c
index e73ddb425..9571244d8 100644
--- a/os/net/app-layer/mqtt/mqtt.c
+++ b/os/net/app-layer/mqtt/mqtt.c
@@ -881,7 +881,11 @@ parse_publish_vhdr(struct mqtt_connection *conn,
 conn->in_packet.topic_len |= input_data_ptr[(*pos)++];
 conn->in_packet.byte_counter++;
 conn->in_packet.topic_len_received = 1;
-
+ /* Abort if topic is longer than our topic buffer */
+ if(conn->in_packet.topic_len > MQTT_MAX_TOPIC_LENGTH) {
+ DBG("MQTT - topic too long %u/%u\n", conn->in_packet.topic_len, MQTT_MAX_TOPIC_LENGTH);
+ return;
+ }
 DBG("MQTT - Read PUBLISH topic len %i\n", conn->in_packet.topic_len);
 /* WARNING: Check here if TOPIC fits in payload area, otherwise error */
 }
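Review bot: The reset of `topic_pos` sits inside the `topic_len_received == 0` branch, which is also the branch that is re-entered if the first length byte was the last byte of the input buffer (the `if(*pos >= input_data_len)` at the end of the hunk); if that branch returns and the caller later resumes with the next buffer, `topic_len_received` is still 0, so the high byte already stored in `topic_len` is overwritten by `(next_byte << 8)` rather than combined with it — presumably pre-existing, and the body of that `if` is outside the hunk, so please confirm how a split length field is meant to be handled. The new line deserves a why-comment, since the reset is what makes a fresh PUBLISH start writing at the beginning of the topic buffer instead of wherever the previous topic ended: `/* New topic: restart at the beginning of the topic buffer */`. parse_publish_vhdr starts before and continues after this hunk.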
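Review bot: The `return` after the new length check does not abort the packet, only this call: `topic_len_received = 1` has already been stored two lines above, so if parse_publish_vhdr is called again for the remaining bytes of the same packet (as the surrounding `*pos >= input_data_len` checks suggest it is), the `topic_len_received == 0` block is skipped and the oversized `topic_len` is used without ever being re-checked, which would leave the topic-buffer bound this patch introduces easy to step around. Whatever mechanism the connection state machine has for discarding a bad packet should be set on `conn->in_packet` before returning (or the caller must treat this return as fatal — I cannot see that from the hunk); if nothing exists yet, a flag checked at the top of the function is the minimum. Two smaller points in the same lines: the new DBG uses `%u` for `topic_len` while the existing DBG on the next line uses `%i` for the same field, so pick one and make sure it matches the field's actual type, and the `/* WARNING: Check here if TOPIC fits in payload area */` comment now partly overlaps the new check and should be narrowed to the payload-area case that is still unchecked. The enclosing `if(conn->in_packet.topic_len_received == 0)` block opens before this hunk and the function continues after it.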