From b57673ecd9fe79ae3d18b486692d8936b18502c2 Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Fri, 2 Feb 2024 11:49:37 -0600
Subject: [PATCH] Fix string prop OOB read

---
 src/mqtt_packet.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/mqtt_packet.c b/src/mqtt_packet.c
index 16e6d45d..96bd1106 100644
--- a/src/mqtt_packet.c
+++ b/src/mqtt_packet.c
@@ -549,7 +549,7 @@ int MqttDecode_Props(MqttPacketType packet, MqttProp** props, byte* pbuf,
 tmp = MqttDecode_String(buf,
 (const char**)&cur_prop->data_str.str,
 &cur_prop->data_str.len);
- if (cur_prop->data_str.len <= (buf_len - (buf - pbuf))) {
+ if ((tmp >= 0) && ((word32)tmp <= (buf_len - (buf - pbuf)))) {
 buf += tmp;
 total += tmp;
 prop_len -= (word32)tmp;
@@ -600,8 +600,7 @@ int MqttDecode_Props(MqttPacketType packet, MqttProp** props, byte* pbuf,
 tmp = MqttDecode_String(buf,
 (const char**)&cur_prop->data_str.str,
 &cur_prop->data_str.len);
- if (cur_prop->data_str.len <=
- (buf_len - (buf - pbuf))) {
+ if ((tmp >= 0) && ((word32)tmp <= (buf_len - (buf - pbuf)))) {
 buf += tmp;
 total += tmp;
 prop_len -= (word32)tmp;
@@ -609,8 +608,8 @@ int MqttDecode_Props(MqttPacketType packet, MqttProp** props, byte* pbuf,
 tmp = MqttDecode_String(buf,
 (const char**)&cur_prop->data_str2.str,
 &cur_prop->data_str2.len);
- if (cur_prop->data_str2.len <=
- (buf_len - (buf - pbuf))) {
+ if ((tmp >= 0) && ((word32)tmp <=
+ (buf_len - (buf - pbuf)))) {
 buf += tmp;
 total += tmp;
 prop_len -= (word32)tmp;
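Review bot: The new guard is evaluated only after MqttDecode_String has already been called on buf, so it bounds the advance but not the decode itself; if that helper reads the two-byte MQTT length prefix without its own check (not visible here), a property with fewer than two bytes left before the end of pbuf is still read past the buffer before `tmp` is compared. A cheap pre-check before each call, `if ((buf_len - (word32)(buf - pbuf)) < 2) { /* too short for a length prefix: reject property */ }`, closes that gap; the same applies to the second and third hunks (data_str at -600 and data_str2 at -609). The rejecting else branch and the rest of MqttDecode_Props lie outside all three hunks, so it is worth confirming that the failure path returns an error rather than leaving data_str.str pointing past the buffer. Finally, the identical condition is now repeated three times with different line wrapping; a small `static` helper such as `prop_str_fits(int tmp, const byte* buf, const byte* pbuf, word32 buf_len)` would keep the three sites from drifting apart on the next fix.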