diff --git a/client.cpp b/client.cpp
index c82a0b7..c3a47cf 100644
--- a/client.cpp
+++ b/client.cpp
@@ -310,13 +310,16 @@ bool Client::bufferToMqttPackets(std::vector &packetQueueIn, Client_
     // Determine the packet length by decoding the variable length
     int remaining_length_i = 1; // index of 'remaining length' field is one after start.
     uint fixed_header_length = 1;
-    int multiplier = 1;
-    uint packet_length = 0;
+    size_t multiplier = 1;
+    size_t packet_length = 0;
     unsigned char encodedByte = 0;
 
     do
     {
         fixed_header_length++;
+        if (fixed_header_length > 5)
+            throw ProtocolError("Packet signifies more than 5 bytes in variable length header. Invalid.");
+
         // This happens when you only don't have all the bytes that specify the remaining length.
         if (fixed_header_length > readbuf.usedBytes())
             return false;
@@ -335,6 +338,11 @@ bool Client::bufferToMqttPackets(std::vector &packetQueueIn, Client_
             throw ProtocolError("An unauthenticated client sends a packet of 1 MB or bigger? Probably it's just random bytes.");
         }
 
+        if (packet_length > ABSOLUTE_MAX_PACKET_SIZE)
+        {
+            throw ProtocolError("A client sends a packet claiming to be bigger than the maximum MQTT allows.");
+        }
+
         if (packet_length <= readbuf.usedBytes())
         {
             MqttPacket packet(readbuf, packet_length, fixed_header_length, sender);
diff --git a/mqttpacket.cpp b/mqttpacket.cpp
index fa58114..93f7886 100644
--- a/mqttpacket.cpp
+++ b/mqttpacket.cpp
@@ -17,6 +17,7 @@ MqttPacket::MqttPacket(CirBuf &buf, size_t packet_len, size_t fixed_header_lengt
     fixed_header_length(fixed_header_length),
     sender(sender)
 {
+    assert(packet_len > 0);
     buf.read(bites.data(), packet_len);
     first_byte = bites[0];
 
@@ -116,6 +117,9 @@ MqttPacket::MqttPacket(const PubAck &pubAck) :
 
 void MqttPacket::handle()
 {
+    if (packetType == PacketType::Reserved)
+        throw ProtocolError("Packet type 0 specified, which is reserved and invalid.");
+
     if (packetType != PacketType::CONNECT)
     {
         if (!sender->getAuthenticated())
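Review bot: The new guard in the do-loop throws once `fixed_header_length` exceeds 5, which (since the first header byte is the packet-type byte and the counter starts at 1) means more than 4 remaining-length bytes, while the exception text speaks of "more than 5 bytes in variable length header"; the threshold and the message disagree by one. I would make the message match the limit it enforces, e.g. `throw ProtocolError("Remaining length field is longer than the 4 bytes MQTT allows. Invalid.");`, and give the `5` a named constant so its relation to the 4-byte limit is visible. Placing the check before the `readbuf.usedBytes()` test is right: a byte stream with the continuation bit permanently set can no longer keep the loop consuming input. bufferToMqttPackets starts and ends outside this hunk, and the loop body with the multiplier update continues beyond it.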
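Review bot: Whether `packet_length > ABSOLUTE_MAX_PACKET_SIZE` is the right comparison depends on what the constant measures, which this hunk does not show: `packet_length` appears to include the fixed header (it is compared with `readbuf.usedBytes()` and passed to MqttPacket alongside `fixed_header_length`), so the constant has to be the total-packet bound rather than the bare remaining-length maximum, or the check is off by `fixed_header_length` bytes. A one-line comment at this check would settle it for the next reader, e.g. `// packet_length counts the fixed header too, so the bound must as well`. Note also that the 1 MB check just above applies only to unauthenticated clients, so an authenticated client is bounded solely by ABSOLUTE_MAX_PACKET_SIZE; that is acceptable only if growth of the read buffer (outside this hunk) is limited elsewhere.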
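Review bot: `assert(packet_len > 0)` is compiled out under NDEBUG, so in a release build a zero `packet_len` still reaches `buf.read(bites.data(), packet_len)` and `first_byte = bites[0]`; if `bites` is sized from `packet_len` (its initialisation is outside the hunk), that index is out of bounds. Since MqttPacket is built from bytes received from the network, a guard that survives release builds is preferable, `if (packet_len == 0) throw ProtocolError("Zero-length packet.");`, with the assert kept as a debug trap if wanted. The constructor's initializer list begins and its body continues outside the hunk, and `<cassert>` has to be included in this file for the new line to compile.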
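Review bot: The new check rejects only `PacketType::Reserved` (type 0), but MQTT 3.1.1 also reserves control-packet type 15, and the hunk does not show how `packetType` is derived from the high nibble of the first byte, so it is unclear whether a 15 maps to another enumerator or is stored as an out-of-range value that falls through every branch of handle(). If the enum has an entry for type 15, add it to this guard; if out-of-range types are rejected where `packetType` is assigned, a comment above this check saying so would make the coverage clear. Putting the check ahead of the authentication branch is the right order, as it stops an invalid packet before any per-type handling. handle() continues beyond this hunk.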