riot-ci/RIOT
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

asymcute: check for minimum packet length early

Browse Source 
Without this patch _len_get reads one byte beyond the con->rxbuf
if the incoming packet consists only of the byte 0x01.
This commit is contained in:
Sören Tempel 2019-01-07 16:05:01 +01:00
parent f7e524d18e
commit 2a6354b07d
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
sys/net/application_layer/asymcute/asymcute.c
View File

@ -516,6 +516,10 @@ static void _on_unsuback(asymcute_con_t *con, const uint8_t *data, size_t len)
static void _on_data(asymcute_con_t *con, size_t pkt_len, sock_udp_ep_t *remote) static void _on_data(asymcute_con_t *con, size_t pkt_len, sock_udp_ep_t *remote)
{ {
if (pkt_len < 2) {
return;
}
size_t len; size_t len;
size_t pos = _len_get(con->rxbuf, &len); size_t pos = _len_get(con->rxbuf, &len);
@ -524,8 +528,7 @@ static void _on_data(asymcute_con_t *con, size_t pkt_len, sock_udp_ep_t *remote)
return; return;
} }
/* validate incoming data: verify message length */ /* validate incoming data: verify message length */
if ((pkt_len < 2) || if ((pkt_len <= pos) || (pkt_len < len)) {
(pkt_len <= pos) || (pkt_len < len)) {
/* length field of MQTT-SN packet seems to be invalid -> drop the pkt */ /* length field of MQTT-SN packet seems to be invalid -> drop the pkt */
return; return;
} }