authorLorenz Haas <lorenz.haas@histomatics.de>2017-10-11 08:28:24 +0200
committerMaurice Kalinowski <maurice.kalinowski@qt.io>2017-10-16 08:34:24 +0000
commit460e466c3fff427687de299df05bf55422d71db4 (patch)
treee5598e9afa23fb586e6226c592ddea87ef7e78b2
parent7b41e6039fbf91d99915ffc8ea4238a144b49b99 (diff)
Ensure valid read buffer when parsing the fixed header
Since the remaining length can be up to 4 bytes long, make sure that enough bytes have been transmitted to parse the fixed header correctly. Change-Id: I3830d3abb308c86048cac3a00a80067194caa482 Reviewed-by: Maurice Kalinowski <maurice.kalinowski@qt.io>
-rw-r--r--src/mqtt/qmqttconnection.cpp9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/mqtt/qmqttconnection.cpp b/src/mqtt/qmqttconnection.cpp
index 82c6848..5c3f5be 100644
--- a/src/mqtt/qmqttconnection.cpp
+++ b/src/mqtt/qmqttconnection.cpp
@@ -735,8 +735,15 @@ void QMqttConnection::processData()
m_missingData = 0;
}
- if (m_readBuffer.size() == 0)
+ // MQTT-2.2 A fixed header of a control packet must be at least 2 bytes. If the payload is
+ // longer than 127 bytes the header can be up to 5 bytes long.
+ const int readBufferSize = m_readBuffer.size();
+ if (readBufferSize < 2
+ || (readBufferSize == 2 && (m_readBuffer.at(1) & 128) != 0)
+ || (readBufferSize == 3 && (m_readBuffer.at(2) & 128) != 0)
+ || (readBufferSize == 4 && (m_readBuffer.at(3) & 128) != 0)) {
return;
+ }
readBuffer((char*)&m_currentPacket, 1);
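Review bot: The three size-specific tests in the added `if` inspect the last byte in the buffer even when an earlier length byte has already ended the remaining-length field, so a payload byte with the high bit set is mistaken for a continuation byte. For example, a complete 4-byte packet `[type, 0x02, x, y]` with `y >= 0x80` makes processData() return and wait for more data, so a valid packet can stall processing on the connection until unrelated bytes arrive. I would walk the length bytes in order from index 1 and return only when a byte that really belongs to the length field asks for more than has been received, as in the sketch below. Whether a continuation bit on the fourth length byte is rejected as malformed later on is not visible here, and processData() starts and ends outside this hunk.

```cpp
    // MQTT-2.2 A fixed header of a control packet must be at least 2 bytes. If the payload is
    // longer than 127 bytes the header can be up to 5 bytes long.
    const int readBufferSize = m_readBuffer.size();
    if (readBufferSize < 2)
        return;
    // Only bytes that are part of the remaining-length field may request more data;
    // stop at the first byte without the continuation bit.
    int lengthBytes = 1;
    while (lengthBytes < 4 && (m_readBuffer.at(lengthBytes) & 128) != 0) {
        if (++lengthBytes >= readBufferSize)
            return; // length field continues past the data received so far
    }
    // … unchanged: readBuffer((char*)&m_currentPacket, 1) …
```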