The function MQTTTopicMatched() is used to check whether a packet's topic matches a subscribed one. It tries to check whether the first character of the packet topic or the subscribed topic is '$', as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/mqtt/MQTTClient-C/src/MQTTClient.c?_from=gitee_search#L165. The variable topic may be assigned the value of topic_name->lenstring.data, as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/mqtt/MQTTClient-C/src/MQTTClient.c?_from=gitee_search#L190. The pointer topic_name gets its value from the function readMQTTLenString(), which is called by the function MQTTDeserialize_publish(), as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/mqtt/MQTTPacket/src/MQTTDeserializePublish.c?_from=gitee_search#L56. The pointer topic_name->lenstring.data gets its value from the pointer pptr, which is the pointer to the output buffer. However, it does not check whether pptr is NULL or 0x0, as shown in https://gitee.com/LiteOS/LiteOS/blob/master/components/connectivity/mqtt/MQTTPacket/src/MQTTPacket.c?_from=gitee_search#L228. If so, the function MQTTTopicMatched() will access invalid memory.
This repo does not allow uploading a file. Please leave an email and I will send you the packet to trigger this problem.
No crash error occurs, but the system will run into an abnormal state. The developer or tester needs to check this fault by debugging.
@SilentDawn
Firstly, the code is from the IBM MQTT project; we supposed that it is safe.
Then, let us look at the issue, regarding the following function:
int readMQTTLenString(MQTTString *mqttstring, unsigned char **pptr, unsigned char *enddata)
{
The 2nd parameter is pptr, but the function does not check whether it is a null pointer. We checked the caller, and found that the caller can ensure that the parameter is not null.
curdata --> is supposed not to be a null pointer
unsigned char *curdata = buf;
curdata += (rc = MQTTPacket_decodeBuf(curdata, &mylen)); /* read remaining length */
enddata = curdata + mylen;
*packetid = readInt(&curdata);
*count = 0;
while (curdata < enddata)
{
    if (!readMQTTLenString(&topicFilters[*count], &curdata, enddata))
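As an added example (not the project's code and not the reporter's packet), here is a reader for an MQTT length-prefixed string in the role of readMQTTLenString() that rejects NULL pointers and lengths running past the packet end; the names read_len_string, LenString and parses_to are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for MQTTString.lenstring: a view into the caller's
 * buffer (two-byte big-endian length followed by the bytes), not a copy. */
typedef struct {
    const unsigned char *data;
    uint16_t len;
} LenString;

/* Returns 1 on success and advances *pptr past the string. Returns 0 and
 * leaves *pptr untouched when any pointer is NULL, when fewer than two bytes
 * remain for the length prefix, or when the declared length overruns end. */
int read_len_string(LenString *out, const unsigned char **pptr, const unsigned char *end)
{
    if (out == NULL || pptr == NULL || *pptr == NULL || end == NULL)
        return 0;                         /* the NULL check the issue asks about */
    const unsigned char *cur = *pptr;
    if (end < cur || (size_t)(end - cur) < 2)
        return 0;                         /* no room for the length prefix */
    uint16_t len = (uint16_t)((cur[0] << 8) | cur[1]);
    cur += 2;
    if ((size_t)(end - cur) < len)
        return 0;                         /* declared length exceeds the packet */
    out->data = cur;
    out->len = len;
    *pptr = cur + len;
    return 1;
}

/* Constructed samples: a well-formed topic "a/b", and a truncated string that
 * declares 5 bytes but only carries 2. */
static const unsigned char GOOD[] = {0x00, 0x03, 'a', '/', 'b'};
static const unsigned char TRUNCATED[] = {0x00, 0x05, 'a', '/'};

/* Parse one string from buf and report whether it equals expected and the
 * cursor landed exactly on the end of the buffer. */
int parses_to(const unsigned char *buf, size_t n, const char *expected)
{
    LenString s;
    const unsigned char *p = buf;
    if (!read_len_string(&s, &p, buf + n))
        return 0;
    return s.len == strlen(expected) && memcmp(s.data, expected, s.len) == 0
        && p == buf + n;
}
```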