Fix int overflow in parse_mqtt()

PUBLISHED_FROM=f9106d2f746c67ae004aeab12685eaf9cd558cd8
Sergey Lyubka 2019-12-23 11:13:41 +00:00
parent 464113c5ae
commit cb602f178c
2 changed files with 4 additions and 4 deletions


@ -10843,7 +10843,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) { MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
uint8_t header; uint8_t header;
size_t len = 0, len_len = 0; uint32_t len, len_len; /* must be 32-bit, see #1055 */
const char *p, *end, *eop = &io->buf[io->len]; const char *p, *end, *eop = &io->buf[io->len];
unsigned char lc = 0; unsigned char lc = 0;
int cmd; int cmd;
@ -10860,7 +10860,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
len += (lc & 0x7f) << 7 * len_len; len += (lc & 0x7f) << 7 * len_len;
len_len++; len_len++;
if (!(lc & 0x80)) break; if (!(lc & 0x80)) break;
if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG; if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
} }
end = p + len; end = p + len;
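Review bot: The guard `if (len_len > sizeof(len))` in the second hunk still admits a fifth length byte, because it runs after the shift and the increment: with four continuation bytes the loop comes round with `len_len == 4` and evaluates `(lc & 0x7f) << 28` on an `int`, which can overflow before the value is added to a length taken from the wire. MQTT's remaining-length field is at most four bytes, so the limit reads better as a protocol bound than as `sizeof(len)`, which only happens to equal 4: `if (len_len >= 4) return MG_MQTT_ERROR_MALFORMED_MSG;`, with the shift made unsigned, `len += (uint32_t)(lc & 0x7f) << (7 * len_len);`. The new declaration also drops the `= 0` initialisers, so `len +=` now depends on an assignment that is outside both hunks; worth confirming it is there. The second file section of this commit carries the same lines.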


@ -23,7 +23,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) { MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
uint8_t header; uint8_t header;
size_t len = 0, len_len = 0; uint32_t len, len_len; /* must be 32-bit, see #1055 */
const char *p, *end, *eop = &io->buf[io->len]; const char *p, *end, *eop = &io->buf[io->len];
unsigned char lc = 0; unsigned char lc = 0;
int cmd; int cmd;
@ -40,7 +40,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
len += (lc & 0x7f) << 7 * len_len; len += (lc & 0x7f) << 7 * len_len;
len_len++; len_len++;
if (!(lc & 0x80)) break; if (!(lc & 0x80)) break;
if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG; if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
} }
end = p + len; end = p + len;
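Review bot: `end = p + len;` builds a pointer from a length the peer controls, and narrowing `len` to 32 bits does not bound it by the buffer: the sum can land far past `eop`, which is undefined, and on a 32-bit target it may wrap to an address below `eop`. Any later comparison of `end` against `eop` is then unreliable. Comparing the length with the bytes that remain avoids forming the pointer at all, e.g. `if (len > (size_t)(eop - p))` treated as an incomplete message before `end` is computed. The code that validates `end` is outside the hunk, so this needs checking against the full function; the first file section has the same line.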