net: mqtt: Improve buffer bounds validation in mqtt_read_message_chunk
Verify more strictly that data read from the transport fits into RX buffer. Switch to unsigned integers, where possible, to prevent unnecessary signed/unsigned operations. Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
This commit is contained in:
parent
1ad165a62d
commit
6110a7cb63
1 changed files with 9 additions and 6 deletions
|
@ -146,20 +146,23 @@ static int mqtt_handle_packet(struct mqtt_client *client,
|
||||||
static int mqtt_read_message_chunk(struct mqtt_client *client,
|
static int mqtt_read_message_chunk(struct mqtt_client *client,
|
||||||
struct buf_ctx *buf, u32_t length)
|
struct buf_ctx *buf, u32_t length)
|
||||||
{
|
{
|
||||||
int remaining;
|
u32_t remaining;
|
||||||
int len;
|
int len;
|
||||||
|
|
||||||
|
/* In case all data requested has already been buffered, return. */
|
||||||
|
if (length <= (buf->end - buf->cur)) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* Calculate how much data we need to read from the transport,
|
/* Calculate how much data we need to read from the transport,
|
||||||
* given the already buffered data.
|
* given the already buffered data.
|
||||||
*/
|
*/
|
||||||
remaining = length - (buf->end - buf->cur);
|
remaining = length - (buf->end - buf->cur);
|
||||||
if (remaining <= 0) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check if read does not exceed the buffer. */
|
/* Check if read does not exceed the buffer. */
|
||||||
if (buf->end + remaining > client->rx_buf + client->rx_buf_size) {
|
if ((buf->end + remaining > client->rx_buf + client->rx_buf_size) ||
|
||||||
MQTT_ERR("[CID %p]: Buffer too small to receive the message",
|
(buf->end + remaining < client->rx_buf)) {
|
||||||
|
MQTT_ERR("[CID %p]: Read would exceed RX buffer bounds.",
|
||||||
client);
|
client);
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue