该问题是怎么引起的？

The function MQTTTopicMatched() is used to check if packet topic is matched with subscribed one. It tries to check if the first character of the packet topic or the subscribed topic is '$' as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/mqtt/MQTTClient-C/src/MQTTClient.c?_from=gitee_search#L165. The variable topic may be aligned a value to topic_name->lenstring.data as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/mqtt/MQTTClient-C/src/MQTTClient.c?_from=gitee_search#L190. The pointer topic_name gets its value by the function readMQTTLenString() which is called by the function MQTTDeserialize_publish() as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/mqtt/MQTTPacket/src/MQTTDeserializePublish.c?_from=gitee_search#L56. The pointer topic_name->lenstring.data gets value from the pointer pptr, which is the pointer to the output buffer. However, it do not check if the pptr is NULL or 0x0 as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/mqtt/MQTTPacket/src/MQTTPacket.c?_from=gitee_search#L228. If so, the function MQTTTopicMatched() will access invalid memory.

重现步骤

This repo is forbidden to upload a file. Please leave an email and I will send you the packet to trigger this problem.

报错信息

No crash errors, but the system will run into an abnormal status. The developer or tester needs to check this fault by debugging.