Closed pherna06 closed 1 year ago
Hi @pherna06, you are correct that this usage could be problematic, but it's a common pattern in C code to have NULL terminated char *
.
In this particular case, it's expected that the topic data is transmitted over a secure connection to a known broker in the user system, therefore some data exposure wouldn't be a great problem.
Please feel free to reopen
Been looking the repository code for a project and realized that, when publishing,
topic
is passed as aconst char*
toesp_mqtt_client_publish
, buttopic
string length is not passed.Eventually, that pointer gets to
mqtt_msg_publish
inmqtt_msg.c
where this is done:My question is whether that use of 'strlen' is safe, as a pointer to an unsafe string (non null-terminated) could expose memory data in the topic of the publication.