From 77e44c7c0e0538d7c85d7870dc3ffad0c4508ae4 Mon Sep 17 00:00:00 2001
From: Deomid Ryabkov <rojer@cesanta.com>
Date: Wed, 6 Sep 2017 14:37:33 +0300
Subject: [PATCH] Harden MQTT variable length parsing

PUBLISHED_FROM=e16ee57bc30277e5b5684e53da78e69baaf9f779
---
 mongoose.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mongoose.c b/mongoose.c
index b1278dfe5..dbe21386f 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -9943,11 +9943,12 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
     lc = *((const unsigned char *) p++);
     len += (lc & 0x7f) << 7 * len_len;
     len_len++;
-    if (!(lc & 0x80) || (len_len > sizeof(len))) break;
+    if (!(lc & 0x80)) break;
+    if (len_len > 4) return -2;
   }
 
   end = p + len;
-  if (lc & 0x80 || end > io->buf + io->len) {
+  if (lc & 0x80 || len > (io->len - (p - io->buf))) {
     return -1;
   }
 
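Review bot: The new guard `if (len_len > 4) return -2;` fires one byte too late: when the fourth length byte still has its continuation bit set, len_len is 4, the check passes, and a fifth byte is consumed and shifted by `7 * 4 = 28` bits before the loop rejects it; MQTT's remaining-length field is at most four bytes, so the guard should read `if (len_len >= 4) return -2;`. Depending on the declared type of len (not visible in the hunk), that 28-bit shift of a value up to 0x7f can also overflow a 32-bit signed accumulator, which is undefined behavior rather than a clean -2. Separately, `end = p + len;` is computed before the bounds check on the following line, so an oversized len forms a pointer past the end of io->buf before the function decides to reject it; moving that assignment below the `if (lc & 0x80 || len > (io->len - (p - io->buf)))` check keeps the pointer arithmetic within the buffer. parse_mqtt and its read loop begin outside this hunk, so whether the loop header itself bounds reads by io->len cannot be confirmed here.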
-- 
GitLab