There's some missing packet-length validation in the PUBLISH packet handler, `mqtt_unpack_publish_response`. This makes the library vulnerable to a bad PUBLISH packet with an overly long topic name. The library could definitely be made to read garbage past the end of a buffer, and possibly crash.

The bug is that the remaining packet length (`mqtt_response->fixed_header.remaining_length`) is only checked once, to ensure it's 4 bytes long. There is no check that the packet is large enough to hold the topic name and packet ID.
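To illustrate the two bounds checks the report says are missing, here is an added example of a minimal PUBLISH variable-header parser with them in place. It is not MQTT-C's code: the function name `unpack_publish`, the `struct publish` layout and the constructed packet bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical minimal PUBLISH parser, not MQTT-C's own code. buf points at
 * the variable header, remaining_length is the value decoded from the fixed
 * header, qos comes from the fixed-header flags. Returns the payload length
 * on success, or -1 when the packet cannot hold the topic name and (for
 * QoS > 0) the packet identifier. */
struct publish {
    const uint8_t *topic;   uint16_t topic_len;
    uint16_t packet_id;     /* 0 when QoS == 0 */
    const uint8_t *payload; size_t payload_len;
};

int unpack_publish(const uint8_t *buf, size_t remaining_length, int qos,
                   struct publish *out)
{
    size_t pos = 0;
    /* The reported code only checked a fixed minimum size; the topic length
     * prefix alone needs 2 bytes. */
    if (remaining_length < 2) return -1;
    uint16_t topic_len = (uint16_t)((buf[0] << 8) | buf[1]);
    pos = 2;
    /* Missing check 1: the peer-supplied topic length must fit inside the
     * bytes that remain, otherwise the parser reads past the buffer. */
    if (topic_len > remaining_length - pos) return -1;
    out->topic = buf + pos;  out->topic_len = topic_len;  pos += topic_len;
    out->packet_id = 0;
    if (qos > 0) {
        /* Missing check 2: the 2-byte packet identifier for QoS 1 and 2. */
        if (remaining_length - pos < 2) return -1;
        out->packet_id = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        pos += 2;
    }
    out->payload = buf + pos;
    out->payload_len = remaining_length - pos;
    return (int)out->payload_len;
}

/* Constructed sample packets (variable header + payload only, QoS 1). */
static const uint8_t good[]  = {0x00,0x03,'a','/','b', 0x01,0x02, 'h','i'};
static const uint8_t bad[]   = {0x00,0xFF,'a','/','b', 0x01,0x02, 'h','i'}; /* topic claims 255 bytes */
static const uint8_t no_id[] = {0x00,0x03,'a','/','b'};                     /* no packet identifier */

int demo_good(void)  { struct publish p; return unpack_publish(good, sizeof good, 1, &p); }   /* 2 */
int demo_bad(void)   { struct publish p; return unpack_publish(bad, sizeof bad, 1, &p); }     /* -1 */
int demo_no_id(void) { struct publish p; return unpack_publish(no_id, sizeof no_id, 1, &p); } /* -1 */
```

The same two comparisons, made against `remaining_length` before any byte past the topic-length prefix is touched, are what the handler needs to reject a truncated or oversized topic instead of reading beyond the buffer.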