net: mqtt: Improve buffer bounds validation in mqtt_read_message_chunk

Verify more strictly that data read from the transport fits into the RX
buffer. Switch to unsigned integers, where possible, to avoid
unnecessary mixed signed/unsigned operations.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Robert Lubos 2020-03-26 13:36:39 +01:00 committed by Jukka Rissanen
commit 6110a7cb63


@ -146,20 +146,23 @@ static int mqtt_handle_packet(struct mqtt_client *client,
static int mqtt_read_message_chunk(struct mqtt_client *client,
struct buf_ctx *buf, u32_t length)
{
int remaining;
u32_t remaining;
int len;
/* In case all data requested has already been buffered, return. */
if (length <= (buf->end - buf->cur)) {
return 0;
}
/* Calculate how much data we need to read from the transport,
* given the already buffered data.
*/
remaining = length - (buf->end - buf->cur);
if (remaining <= 0) {
return 0;
}
/* Check if read does not exceed the buffer. */
if (buf->end + remaining > client->rx_buf + client->rx_buf_size) {
MQTT_ERR("[CID %p]: Buffer too small to receive the message",
if ((buf->end + remaining > client->rx_buf + client->rx_buf_size) ||
(buf->end + remaining < client->rx_buf)) {
MQTT_ERR("[CID %p]: Read would exceed RX buffer bounds.",
client);
return -ENOMEM;
}
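Review bot: Both halves of the new bounds condition form `buf->end + remaining` before the sum is known to be in range. Computing a pointer more than one past the end of an array is undefined behaviour in C, so a compiler may assume the sum cannot wrap and drop the added `(buf->end + remaining < client->rx_buf)` comparison. Comparing lengths instead of pointers avoids this: `if (remaining > (u32_t)(client->rx_buf + client->rx_buf_size - buf->end)) {`. That form assumes `buf->end` always lies inside the RX buffer, which is worth confirming or asserting because the invariants on `buf` are not visible in this hunk. The early return `length <= (buf->end - buf->cur)` also compares a `u32_t` with a signed pointer difference, so if `cur` could ever pass `end` the result would depend on the platform's integer conversions; the body of mqtt_read_message_chunk continues past the end of the hunk.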