3party/mongoose
0
0
Fork 0
mirror of https://github.com/cesanta/mongoose.git synced 2024-12-28 23:49:44 +08:00
Code Issues Projects Releases Wiki Activity

Fix int overflow in parse_mqtt()

Browse Source 
PUBLISHED_FROM=f9106d2f746c67ae004aeab12685eaf9cd558cd8
This commit is contained in:
Sergey Lyubka 2019-12-23 11:13:41 +00:00
parent 464113c5ae
commit cb602f178c
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
mongoose.c
View File

@ -10843,7 +10843,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
uint8_t header;
size_t len = 0, len_len = 0;
uint32_t len, len_len; /* must be 32-bit, see #1055 */
const char *p, *end, *eop = &io->buf[io->len];
unsigned char lc = 0;
int cmd;
@ -10860,7 +10860,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
len += (lc & 0x7f) << 7 * len_len;
len_len++;
if (!(lc & 0x80)) break;
if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG;
if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
}
end = p + len;

4
src/mg_mqtt.c
View File

@ -23,7 +23,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
uint8_t header;
size_t len = 0, len_len = 0;
uint32_t len, len_len; /* must be 32-bit, see #1055 */
const char *p, *end, *eop = &io->buf[io->len];
unsigned char lc = 0;
int cmd;
@ -40,7 +40,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
len += (lc & 0x7f) << 7 * len_len;
len_len++;
if (!(lc & 0x80)) break;
if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG;
if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
}
end = p + len;