From 3c5777d706a3d0cff6dad364bce0b0b5c0740fd3 Mon Sep 17 00:00:00 2001
From: David Cermak
Date: Tue, 30 Dec 2025 15:49:16 +0100
Subject: [PATCH] fix(mqtt5): Fix UB in variable len processing

---
 lib/mqtt5_msg.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/mqtt5_msg.c b/lib/mqtt5_msg.c
index 628a9f8..48fce62 100644
--- a/lib/mqtt5_msg.c
+++ b/lib/mqtt5_msg.c
@@ -61,8 +61,10 @@ static size_t get_variable_len(uint8_t *buffer, size_t offset, size_t buffer_len
     *len_bytes = 0;
     size_t len = 0, i = 0;
 
-    for (i = offset; i < buffer_length; i ++) {
-        len += (buffer[i] & 0x7f) << (7 * (i - offset));
+    // MQTT Variable Byte Integer is max 4 bytes (MQTT v5 spec).
+    // Limit decoding to 4 bytes to avoid undefined shift behavior on malformed inputs.
+    for (i = offset; i < buffer_length && (i - offset) < 4; i ++) {
+        len += ((size_t)(buffer[i] & 0x7f)) << (7 * (i - offset));
 
         if ((buffer[i] & 0x80) == 0) {
             i ++;
@@ -70,6 +72,12 @@ static size_t get_variable_len(uint8_t *buffer, size_t offset, size_t buffer_len
         }
     }
 
+    // If the varint didn't terminate within 4 bytes, treat as invalid (0 bytes consumed).
+    if ((i - offset) == 4 && i <= buffer_length && (buffer[i - 1] & 0x80)) {
+        *len_bytes = 0;
+        return 0;
+    }
+
     *len_bytes = i - offset;
     return len;
 }
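Review bot: The bound `4` in the new loop condition `(i - offset) < 4` is a protocol constant that the hunk explains only in a comment, and the same literal is repeated in the termination check of the next hunk; a named constant such as `enum { MQTT5_VARINT_MAX_BYTES = 4 };` next to the function would keep the two from drifting apart. With the `(size_t)` cast and the 4-byte cap the shift is at most 21 bits on a size_t, so the promoted-int shift that motivated the patch is gone. The function's opening brace lies before this hunk; only its body is visible here.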
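Review bot: The new invalid-varint check only catches the 4-byte overflow case; when the buffer ends before the continuation bit clears (the loop exits with `i == buffer_length` and `i - offset < 4`) the function still returns the partial value with `*len_bytes = i - offset`, so a truncated remaining-length field is reported as a complete one. One condition covers both cases — the last consumed byte still carries the continuation bit, so the varint never terminated: `if (i > offset && (buffer[i - 1] & 0x80)) {`; the `i <= buffer_length` term can go, since the loop never lets `i` exceed `buffer_length`. Whether any caller relies on the partial result for incomplete reads is not visible in this patch and should be checked before tightening it; the comment above the check would then read `// The varint did not terminate (4-byte limit or end of buffer): treat as invalid.`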