mirror of
https://github.com/cesanta/mongoose.git
synced 2025-01-01 19:17:48 +08:00
Fix int overflow in parse_mqtt()
PUBLISHED_FROM=f9106d2f746c67ae004aeab12685eaf9cd558cd8
This commit is contained in:
parent
464113c5ae
commit
cb602f178c
@ -10843,7 +10843,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
|
|||||||
|
|
||||||
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
|
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
|
||||||
uint8_t header;
|
uint8_t header;
|
||||||
size_t len = 0, len_len = 0;
|
uint32_t len, len_len; /* must be 32-bit, see #1055 */
|
||||||
const char *p, *end, *eop = &io->buf[io->len];
|
const char *p, *end, *eop = &io->buf[io->len];
|
||||||
unsigned char lc = 0;
|
unsigned char lc = 0;
|
||||||
int cmd;
|
int cmd;
|
||||||
@ -10860,7 +10860,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
|
|||||||
len += (lc & 0x7f) << 7 * len_len;
|
len += (lc & 0x7f) << 7 * len_len;
|
||||||
len_len++;
|
len_len++;
|
||||||
if (!(lc & 0x80)) break;
|
if (!(lc & 0x80)) break;
|
||||||
if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG;
|
if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
|
||||||
}
|
}
|
||||||
|
|
||||||
end = p + len;
|
end = p + len;
|
||||||
|
@ -23,7 +23,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
|
|||||||
|
|
||||||
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
|
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
|
||||||
uint8_t header;
|
uint8_t header;
|
||||||
size_t len = 0, len_len = 0;
|
uint32_t len, len_len; /* must be 32-bit, see #1055 */
|
||||||
const char *p, *end, *eop = &io->buf[io->len];
|
const char *p, *end, *eop = &io->buf[io->len];
|
||||||
unsigned char lc = 0;
|
unsigned char lc = 0;
|
||||||
int cmd;
|
int cmd;
|
||||||
@ -40,7 +40,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
|
|||||||
len += (lc & 0x7f) << 7 * len_len;
|
len += (lc & 0x7f) << 7 * len_len;
|
||||||
len_len++;
|
len_len++;
|
||||||
if (!(lc & 0x80)) break;
|
if (!(lc & 0x80)) break;
|
||||||
if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG;
|
if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
|
||||||
}
|
}
|
||||||
|
|
||||||
end = p + len;
|
end = p + len;
|
||||||
|
Loading…
x
Reference in New Issue
Block a user