From 794a28bb35440caffcf9a202e12926caa4323d87 Mon Sep 17 00:00:00 2001
From: Wiebe Cazemier <wiebe@halfgaar.net>
Date: Tue, 12 Apr 2022 22:07:30 +0200
Subject: [PATCH] Deal with username and/or password presence for various MQTT versions

---
 mqttpacket.cpp | 8 ++++++++
 1 file changed, 8 insertions(+), 0 deletions(-)

diff --git a/mqttpacket.cpp b/mqttpacket.cpp
index 05c5453..cc1f77a 100644
--- a/mqttpacket.cpp
+++ b/mqttpacket.cpp
@@ -510,8 +510,16 @@ void MqttPacket::handleConnect()
         }
         if (password_flag)
         {
+            if (this->protocolVersion <= ProtocolVersion::Mqtt311 && !user_name_flag)
+            {
+                throw ProtocolError("MQTT 3.1.1: If the User Name Flag is set to 0, the Password Flag MUST be set to 0.");
+            }
+
             uint16_t password_length = readTwoBytesToUInt16();
             password = std::string(readBytes(password_length), password_length);
+
+            if (password.empty())
+                throw ProtocolError("Password flagged as present, but it's 0 bytes.", ReasonCodes::MalformedPacket);
         }
 
         // The specs don't really say what to do when client id not UTF8, so including here.
--
libgit2 0.21.4