Commit 7942803a authored by Deomid Ryabkov's avatar Deomid Ryabkov Committed by Cesanta Bot

Fix MQTT SUBSCRIBE parsing

Make sure topic is properly NUL-terminated.
Ignore SUBSCRIBE requests with no topic expressions.

PUBLISHED_FROM=a00f39dda44fe63299e971a91a98f8ee57dd2a64
parent a8b74a90
...@@ -21,6 +21,11 @@ ifeq ($(SSL_LIB),mbedtls) ...@@ -21,6 +21,11 @@ ifeq ($(SSL_LIB),mbedtls)
CFLAGS += -DMG_ENABLE_SSL -DMG_SSL_IF=MG_SSL_IF_MBEDTLS -DMG_SSL_MBED_DUMMY_RANDOM -lmbedcrypto -lmbedtls -lmbedx509 CFLAGS += -DMG_ENABLE_SSL -DMG_SSL_IF=MG_SSL_IF_MBEDTLS -DMG_SSL_MBED_DUMMY_RANDOM -lmbedcrypto -lmbedtls -lmbedx509
endif endif
ifdef ASAN
CC = clang
CFLAGS += -fsanitize=address
endif
$(PROG): $(SOURCES) $(PROG): $(SOURCES)
$(CC) $(SOURCES) -o $@ $(CFLAGS) $(CC) $(SOURCES) -o $@ $(CFLAGS)
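Review bot: The new `ifdef ASAN` block enables only `-fsanitize=address`, with no debug info or frame pointers, so any report from the sanitized build will have stack traces that are hard to map back to the parser code this commit fixes. Consider `CFLAGS += -fsanitize=address -g -fno-omit-frame-pointer`. The block also assigns `CC = clang` unconditionally, which overrides a compiler set earlier in the Makefile; a short comment saying that this is intentional would help.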
......
...@@ -10741,6 +10741,7 @@ static void mg_mqtt_broker_handle_subscribe(struct mg_connection *nc, ...@@ -10741,6 +10741,7 @@ static void mg_mqtt_broker_handle_subscribe(struct mg_connection *nc,
qoss[num_subs++] = qos; qoss[num_subs++] = qos;
} }
if (num_subs > 0) {
te = (struct mg_mqtt_topic_expression *) MG_REALLOC( te = (struct mg_mqtt_topic_expression *) MG_REALLOC(
ss->subscriptions, ss->subscriptions,
sizeof(*ss->subscriptions) * (ss->num_subscriptions + num_subs)); sizeof(*ss->subscriptions) * (ss->num_subscriptions + num_subs));
...@@ -10750,15 +10751,23 @@ static void mg_mqtt_broker_handle_subscribe(struct mg_connection *nc, ...@@ -10750,15 +10751,23 @@ static void mg_mqtt_broker_handle_subscribe(struct mg_connection *nc,
} }
ss->subscriptions = te; ss->subscriptions = te;
for (pos = 0; for (pos = 0;
pos < (int) msg->payload.len &&
(pos = mg_mqtt_next_subscribe_topic(msg, &topic, &qos, pos)) != -1; (pos = mg_mqtt_next_subscribe_topic(msg, &topic, &qos, pos)) != -1;
ss->num_subscriptions++) { ss->num_subscriptions++) {
te = &ss->subscriptions[ss->num_subscriptions]; te = &ss->subscriptions[ss->num_subscriptions];
te->topic = (char *) MG_MALLOC(topic.len + 1); te->topic = (char *) MG_MALLOC(topic.len + 1);
te->qos = qos; te->qos = qos;
strncpy((char *) te->topic, topic.p, topic.len + 1); memcpy((char *) te->topic, topic.p, topic.len);
((char *) te->topic)[topic.len] = '\0';
}
} }
if (pos == (int) msg->payload.len) {
mg_mqtt_suback(nc, qoss, num_subs, msg->message_id); mg_mqtt_suback(nc, qoss, num_subs, msg->message_id);
} else {
/* We did not fully parse the payload, something must be wrong. */
nc->flags |= MG_F_CLOSE_IMMEDIATELY;
}
} }
static void mg_mqtt_broker_handle_publish(struct mg_mqtt_broker *brk, static void mg_mqtt_broker_handle_publish(struct mg_mqtt_broker *brk,
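Review bot: The result of `MG_MALLOC(topic.len + 1)` in the second loop is never checked, yet the new `memcpy` and the `'\0'` store both write through it. If the allocation fails while a client's SUBSCRIBE is being handled, the broker writes through a NULL pointer. A guard right after the allocation, e.g. `if (te->topic == NULL) { nc->flags |= MG_F_CLOSE_IMMEDIATELY; return; }`, would drop the connection instead, and because `ss->num_subscriptions` is incremented only after the loop body, the entry without a topic is not counted. Separately, the commit message says SUBSCRIBE requests with no topic expressions are ignored, but when `num_subs` is 0 the final `pos == (int) msg->payload.len` test still appears able to send a SUBACK with no return codes for an empty payload; the value of `pos` there comes from the first loop, which starts outside the hunk along with the function's opening, so this should be confirmed.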
......