diff options
author | Lorenz Haas <lorenz.haas@histomatics.de> | 2017-10-11 08:28:24 +0200 |
---|---|---|
committer | Maurice Kalinowski <maurice.kalinowski@qt.io> | 2017-10-16 08:34:24 +0000 |
commit | 460e466c3fff427687de299df05bf55422d71db4 (patch) | |
tree | e5598e9afa23fb586e6226c592ddea87ef7e78b2 | |
parent | 7b41e6039fbf91d99915ffc8ea4238a144b49b99 (diff) |
Ensure valid read buffer when parsing the fixed header
Since the remaining length can be up to 4 bytes long make sure that
there are enough bytes transmitted to parse the fix header correctly.
Change-Id: I3830d3abb308c86048cac3a00a80067194caa482
Reviewed-by: Maurice Kalinowski <maurice.kalinowski@qt.io>
-rw-r--r-- | src/mqtt/qmqttconnection.cpp | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/mqtt/qmqttconnection.cpp b/src/mqtt/qmqttconnection.cpp index 82c6848..5c3f5be 100644 --- a/src/mqtt/qmqttconnection.cpp +++ b/src/mqtt/qmqttconnection.cpp @@ -735,8 +735,15 @@ void QMqttConnection::processData() m_missingData = 0; } - if (m_readBuffer.size() == 0) + // MQTT-2.2 A fixed header of a control packet must be at least 2 bytes. If the payload is + // longer than 127 bytes the header can be up to 5 bytes long. + const int readBufferSize = m_readBuffer.size(); + if (readBufferSize < 2 + || (readBufferSize == 2 && (m_readBuffer.at(1) & 128) != 0) + || (readBufferSize == 3 && (m_readBuffer.at(2) & 128) != 0) + || (readBufferSize == 4 && (m_readBuffer.at(3) & 128) != 0)) { return; + } readBuffer((char*)&m_currentPacket, 1); |