From 8d24e8db60e2c34aa633ba2514b2ff6192fe2ba9 Mon Sep 17 00:00:00 2001 From: Leena Miettinen Date: Wed, 17 Apr 2019 14:27:00 +0200 Subject: Doc: Make "Qt for Automation" the home page for Qt MQTT docs When users click the Qt version number on the bread crumb bar in the Qt Qt MQTT docs, they are directed to the Qt for Automation docs at doc.qt.io. Change-Id: Ib59b3497dacb96049ddaaa440f596f2ea67822e1 Reviewed-by: Maurice Kalinowski --- src/mqtt/doc/qtmqtt.qdocconf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/mqtt/doc/qtmqtt.qdocconf b/src/mqtt/doc/qtmqtt.qdocconf index 6fc50b4..aa72234 100644 --- a/src/mqtt/doc/qtmqtt.qdocconf +++ b/src/mqtt/doc/qtmqtt.qdocconf @@ -46,3 +46,4 @@ manifestmeta.thumbnail.names += "QtMqtt/WebSockets MQTT Subscription*" navigation.landingpage = "Qt MQTT" navigation.cppclassespage = "Qt MQTT C++ Classes" +navigation.homepage = "Qt for Automation" -- cgit v1.2.3 From af08406cd3eff4105d59acc073af3bc9f539084b Mon Sep 17 00:00:00 2001 From: Maurice Kalinowski Date: Wed, 17 Apr 2019 12:35:30 +0200 Subject: Verify input buffer So far, the implementation relied on the datagrams received to be correct. This can cause buffer overwrites, including crashes or worse. While unlikely, verify that requested read size matches the existing buffer. Change-Id: I695318142348e58b3b9568135896c52da75109e7 Reviewed-by: Alex Blasche --- src/mqtt/qmqttconnection.cpp | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/src/mqtt/qmqttconnection.cpp b/src/mqtt/qmqttconnection.cpp index 150bbf4..61a6ef0 100644 --- a/src/mqtt/qmqttconnection.cpp +++ b/src/mqtt/qmqttconnection.cpp 
@@ -79,7 +79,8 @@ QString QMqttConnection::readBufferTyped(qint64 *dataSize) const quint16 size = readBufferTyped(dataSize); if (dataSize) *dataSize -= size; - return QString::fromUtf8(reinterpret_cast(readBuffer(size).constData()), size); + const QByteArray ba = readBuffer(size); + return QString::fromUtf8(reinterpret_cast(ba.constData()), ba.size()); } template<> @@ -88,7 +89,7 @@ QByteArray QMqttConnection::readBufferTyped(qint64 *dataSize) const quint16 size = readBufferTyped(dataSize); if (dataSize) *dataSize -= size; - return QByteArray(reinterpret_cast(readBuffer(size).constData()), size); + return readBuffer(size); } QMqttConnection::QMqttConnection(QObject *parent) : QObject(parent) @@ -303,13 +304,13 @@ bool QMqttConnection::sendControlConnect() if (m_clientPrivate->m_password.size()) packet.append(m_clientPrivate->m_password.toUtf8()); + m_internalState = BrokerWaitForConnectAck; + m_missingData = 0; + if (!writePacketToTransport(packet)) { qCDebug(lcMqttConnection) << "Could not write CONNECT frame to transport."; return false; } - - m_internalState = BrokerWaitForConnectAck; - m_missingData = 0; return true; } @@ -695,6 +696,10 @@ void QMqttConnection::transportError(QAbstractSocket::SocketError e) void QMqttConnection::readBuffer(char *data, quint64 size) { + if (Q_UNLIKELY(quint64(m_readBuffer.size() - m_readPosition) < size)) { + qCDebug(lcMqttConnection) << "Reaching out of buffer, protocol violation"; + closeConnection(QMqttClient::ProtocolViolation); + } memcpy(data, m_readBuffer.constData() + m_readPosition, size); m_readPosition += size; } 
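Review bot: In the QString overload of `readBufferTyped` (and the QByteArray overload in the next hunk), `*dataSize -= size` still subtracts the length field taken from the packet before `readBuffer(size)` has checked it against the bytes actually buffered. When the new guard rejects the read, the caller receives an empty value but `dataSize` has already been reduced by the claimed length, so the remaining-length bookkeeping no longer matches what was consumed. Consider doing the accounting after the read, e.g. `const QByteArray ba = readBuffer(size); if (dataSize) *dataSize -= ba.size();`, or giving callers an explicit failure signal. Both function bodies start outside their hunks, so how `size` is obtained is only partly visible here.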
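Review bot: With the state assignment moved ahead of `writePacketToTransport(packet)` in `sendControlConnect()`, the failure branch now returns `false` while `m_internalState` is still `BrokerWaitForConnectAck` and `m_missingData` has been reset. Unless callers reset the state themselves on a failed connect (not visible in this hunk), the object is left waiting for a CONNACK to a CONNECT that was never sent. Either reset the state in the error branch or document why the order matters, e.g. `// Set before writing: the reply may be processed before writePacketToTransport() returns.`, assuming that is the reason for the move. The function body starts outside the hunk.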
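Review bot: The new guard in `readBuffer(char *data, quint64 size)` logs and calls `closeConnection()` but has no `return`, so the `memcpy` below it still copies `size` bytes from beyond the end of `m_readBuffer` and advances `m_readPosition`. Add `return;` after `closeConnection(QMqttClient::ProtocolViolation);`, and because the function is `void`, either zero `data` before returning or return a `bool` so callers do not go on to use an uninitialised value. Separately, `quint64(m_readBuffer.size() - m_readPosition)` wraps to a very large value if `m_readPosition` is ever greater than the buffer size, which would let the check pass. Testing `m_readPosition > m_readBuffer.size()` first would close that gap; the same expression is used in the `QByteArray readBuffer(quint64)` hunk.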
@@ -737,6 +742,11 @@ void QMqttConnection::closeConnection(QMqttClient::ClientError error) QByteArray QMqttConnection::readBuffer(quint64 size) { + if (Q_UNLIKELY(quint64(m_readBuffer.size() - m_readPosition) < size)) { + qCDebug(lcMqttConnection) << "Reaching out of buffer, protocol violation"; + closeConnection(QMqttClient::ProtocolViolation); + return QByteArray(); + } QByteArray res(m_readBuffer.constData() + m_readPosition, int(size)); m_readPosition += size; return res; -- cgit v1.2.3 From acff2f2611e271b83c9190b060d42c88bb292fa5 Mon Sep 17 00:00:00 2001 From: Maurice Kalinowski Date: Wed, 17 Apr 2019 13:14:34 +0200 Subject: Fix server test code For MQTT 5 the fake server did not send any property information. Hence, the client (potentially) read among the buffer. Change-Id: I58c7d1b4a1f15a0803c04495c82537f648c8a642 Reviewed-by: Alex Blasche --- tests/auto/qmqttclient/tst_qmqttclient.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/auto/qmqttclient/tst_qmqttclient.cpp b/tests/auto/qmqttclient/tst_qmqttclient.cpp index 8aec3d5..c4da40d 100644 --- a/tests/auto/qmqttclient/tst_qmqttclient.cpp +++ b/tests/auto/qmqttclient/tst_qmqttclient.cpp @@ -486,6 +486,8 @@ public slots: } else { response += char(0); // ackFlags response += char(0); // result + if (version == QMqttClient::MQTT_5_0) + response += char(0); // No properties } qDebug() << "Fake server response:" << connectionSuccess; socket->write(response); @@ -493,6 +495,7 @@ public slots: public: QTcpServer *server; QTcpSocket *socket; + QMqttClient::ProtocolVersion version{QMqttClient::MQTT_3_1_1}; bool connectionSuccess{false}; }; @@ -509,6 +512,8 @@ void Tst_QMqttClient::reconnect_QTBUG65726() client.setHostname(QLatin1String("localhost")); client.setPort(5726); + server.version = client.protocolVersion(); + client.connectToHost(); QTRY_COMPARE(client.state(), QMqttClient::Disconnected); QTRY_COMPARE(client.error(), QMqttClient::ProtocolViolation); -- cgit v1.2.3
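Review bot: Returning `QByteArray()` from `readBuffer(quint64 size)` when the bounds check fails gives callers the same value as a legitimately empty field, so parsing code cannot tell from the result that the connection has just been closed. Whether `closeConnection()` also clears `m_readBuffer` or stops further parsing is not visible in this hunk; if it does not, later reads in the same packet handler will keep hitting this branch. At minimum, document the contract on the function, e.g. `// Returns an empty array and closes the connection with ProtocolViolation if fewer than size bytes remain.`, and have callers check the connection state before using the result.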
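Review bot: Once the fake server appends the empty property byte for MQTT 5, it no longer produces the short CONNACK that, per the commit message, made the client read past its buffer, so nothing in the visible hunks exercises the new bounds check in `readBuffer`. Consider keeping a variant that deliberately sends the truncated response and asserts `QMqttClient::ProtocolViolation`, so the guard has a regression test. The `version` member is also copied from `client.protocolVersion()` in the `reconnect_QTBUG65726` hunk rather than derived from the received CONNECT packet. A comment on the member such as `// Must match the client's protocol version; set by the test before connectToHost().` would document that coupling.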