LiamBindle / MQTT-C

A portable MQTT C client for embedded systems and PCs alike.
https://liambindle.ca/MQTT-C
MIT License

Insufficient validation of PUBLISH message #144

Open snej opened 2 years ago

snej commented 2 years ago

There's some missing packet-length validation in the PUBLISH packet handler, mqtt_unpack_publish_response. This makes the library vulnerable to a bad PUBLISH packet with an overly-long topic name. The library could definitely be made to read garbage past the end of a buffer, and possibly crash.

The bug is that the remaining packet length (mqtt_response->fixed_header.remaining_length) is only checked once, to ensure it's 4 bytes long. There is no check that the packet is large enough to hold the topic name and packet ID.
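A bounds-checked PUBLISH parse of the kind the comment calls for, added here as an illustration; it is not MQTT-C's code, and the result codes, `publish_view` struct, `parse_publish` function and the constructed packet bytes are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes and types: this example's names, not MQTT-C's. */
enum { PUB_OK = 0, PUB_ERR_MALFORMED = -1 };

struct publish_view {
    const uint8_t *topic;   uint16_t topic_len;
    uint16_t packet_id;     /* 0 for QoS 0, which carries no packet ID */
    const uint8_t *payload; size_t payload_len;
};

/* Parse the variable header and payload of a PUBLISH packet. `buf` holds the
 * `remaining_length` bytes after the fixed header; `flags` is the low nibble of
 * the fixed header's first byte. Every field is checked against the bytes
 * actually left before it is read, so an oversized topic length or a truncated
 * packet is rejected instead of being read past the end of the buffer. */
static int parse_publish(uint8_t flags, const uint8_t *buf, size_t remaining_length,
                         struct publish_view *out)
{
    int qos = (flags >> 1) & 0x03;
    size_t pos = 2;
    if (qos == 3) return PUB_ERR_MALFORMED;               /* reserved QoS value */
    if (remaining_length < pos) return PUB_ERR_MALFORMED; /* no room for topic length */
    uint16_t topic_len = (uint16_t)((buf[0] << 8) | buf[1]);
    if (topic_len > remaining_length - pos) return PUB_ERR_MALFORMED; /* topic overruns packet */
    out->topic = buf + pos;
    out->topic_len = topic_len;
    pos += topic_len;
    out->packet_id = 0;
    if (qos > 0) {
        if (remaining_length - pos < 2) return PUB_ERR_MALFORMED; /* packet ID missing */
        out->packet_id = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        pos += 2;
    }
    out->payload = buf + pos;
    out->payload_len = remaining_length - pos; /* whatever remains is payload */
    return PUB_OK;
}

/* Constructed QoS 1 PUBLISH bodies (flags byte 0x02 = QoS 1, no retain/dup). */
static const uint8_t GOOD[] = {0x00,0x03,'a','/','b', 0x00,0x0A, 'h','i'};      /* topic "a/b", ID 10, "hi" */
static const uint8_t BAD_TOPIC[] = {0xFF,0xFF,'a','/','b', 0x00,0x0A, 'h','i'}; /* claims 65535-byte topic */
static const uint8_t TRUNCATED[] = {0x00,0x05,'a','/','b','c','d'};             /* QoS 1 but no packet ID left */

static struct publish_view g_view;
static int parse_good(void)      { return parse_publish(0x02, GOOD, sizeof GOOD, &g_view); }
static int parse_bad_topic(void) { return parse_publish(0x02, BAD_TOPIC, sizeof BAD_TOPIC, &g_view); }
static int parse_truncated(void) { return parse_publish(0x02, TRUNCATED, sizeof TRUNCATED, &g_view); }
```

The two malformed inputs are the cases the comment describes: a topic length larger than the bytes remaining, and a packet too short to hold the packet ID after the topic.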

LiamBindle commented 2 years ago

@snej Thanks for pointing this out. Would you be able to submit a PR?

snej commented 2 years ago

Sorry, I'm not actually using the library, I was reading through the code to see how it worked.