[paho-dev] MQTTDeserialize_unsubscribe need to judge maxcount with *coun

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[paho-dev] MQTTDeserialize_unsubscribe need to judge maxcount with *count

From: bruce lin <guozai12@xxxxxxxxx>
Date: Sat, 2 Mar 2024 16:14:29 +0800
Delivered-to: paho-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/paho-dev/>
List-help: <mailto:paho-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/paho-dev>, <mailto:paho-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/paho-dev>, <mailto:paho-dev-request@eclipse.org?subject=unsubscribe>

Hi,

I got an invalid unsubscribe packet in base64 format "rS8BAAABAAAAAAAADGlvdC0wNDBhMDFrcARtcXR0BmlvdGh1YghhbGl5dW5jcwNjbw==",it may cause coredump.After review the code, I find that

https://github.com/eclipse/paho.mqtt.embedded-c/blob/32ad8d0d19ac982e32f5f4358adc00e5511ecff5/MQTTPacket/src/MQTTUnsubscribeServer.c#L34

MQTTDeserialize_unsubscribe didn't judge maxcount with *count,

if set maxcount to 1,and init topicFilters with size 1,*count will bigger than maxcount,topicFilters[*count] cause memory access violation.

https://github.com/eclipse/paho.mqtt.embedded-c/pull/259 anyone can review ?

Follow-Ups:
- Re: [paho-dev] [EXTERNAL] MQTTDeserialize_unsubscribe need to judge maxcount with *count
  - From: Cristian Pop

Prev by Date: Re: [paho-dev] How to help with Paho MQTT C review process?
Next by Date: Re: [paho-dev] [EXTERNAL] MQTTDeserialize_unsubscribe need to judge maxcount with *count
Previous by thread: [paho-dev] How to help with Paho MQTT C review process?
Next by thread: Re: [paho-dev] [EXTERNAL] MQTTDeserialize_unsubscribe need to judge maxcount with *count
Index(es):
- Date
- Thread

Breadcrumbs