michaelh/zephyr
1
0
Fork 0
Code Releases Activity

iot/mqtt: Fix rlen_decode size check.

Browse source 
If receiving a malformed MQTT packet with less than 5 bytes it's
possible to get a read one byte behind buf.

Change-Id: I34425add57c937c8fd9df5bf7b72af092d6f5f32
Signed-off-by: Stig Bjørlykke <stig@bjorlykke.org>
This commit is contained in:
Stig Bjørlykke 2016-12-14 22:00:48 +01:00
commit 4ca8ca9b1c
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
lib/iot/mqtt/mqtt_pkt.c
View file

@ -162,7 +162,7 @@ static int rlen_decode(uint16_t *rlen, uint16_t *rlen_size,
uint8_t encoded;
do {
if (i >= ENCLENBUF_MAX_SIZE || i > size) {
if (i >= ENCLENBUF_MAX_SIZE || i >= size) {
return -ENOMEM;
}