espressif/esp-mqtt
1
0
Fork 0
mirror of https://github.com/espressif/esp-mqtt.git synced 2026-06-05 21:04:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: fix signed integer overflow in remaining length decoding

Browse Source 
The expression (buffer[i] & 0x7f) << (7 * (i - 1)) performs a left
shift on a signed int. When i >= 5, the shift amount reaches 28+ and
0x7f << 28 overflows INT_MAX, which is undefined behavior.

Per MQTT 3.1.1 section 2.2.3, the Remaining Length field uses at most
4 continuation bytes, so limit the decoding loop accordingly. Also
cast to size_t in mqtt_get_total_length() where totlen is already
size_t.

Affects mqtt_get_total_length() and mqtt_get_publish_data().

Found via coverage-guided fuzzing (libFuzzer + UBSan).
This commit is contained in:
Eun0us
2026-02-10 18:42:35 +01:00
committed by Euripedes Rocha
parent b4c1b9674a
commit ffd44fb424
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/mqtt_msg.c
+3 -3
View File
@@ -121,8 +121,8 @@ size_t mqtt_get_total_length(const uint8_t *buffer, size_t length, int *fixed_si
int i;
size_t totlen = 0;
for (i = 1; i < length; ++i) {
totlen += (buffer[i] & 0x7f) << (7 * (i - 1));
for (i = 1; i < length && i <= 4; ++i) {
totlen += (size_t)(buffer[i] & 0x7f) << (7 * (i - 1));
if ((buffer[i] & 0x80) == 0) {
++i;
@@ -208,7 +208,7 @@ char *mqtt_get_publish_data(uint8_t *buffer, size_t *length)
int blength = *length;
*length = 0;
for (i = 1; i < blength; ++i) {
for (i = 1; i < blength && i <= 4; ++i) {
totlen += (buffer[i] & 0x7f) << (7 * (i - 1));
if ((buffer[i] & 0x80) == 0) {