net: mqtt: Improve buffer bounds validation in mqtt_read_message_chunk

Verify more strictly that data read from the transport fits into RX buffer. Switch to unsigned integers, where possible, to prevent unnecessary signed/unsigned operations. Signed-off-by: Robert Lubos <[email protected]>
zephyrproject-rtos · Aug 3, 2021 · c450130 · c450130
1 parent bb2f4a7
commit c450130
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/subsys/net/lib/mqtt/mqtt_rx.c b/subsys/net/lib/mqtt/mqtt_rx.c
@@ -140,20 +140,23 @@ static int mqtt_handle_packet(struct mqtt_client *client,
 static int mqtt_read_message_chunk(struct mqtt_client *client,
 				   struct buf_ctx *buf, u32_t length)
 {
-	int remaining;
+	u32_t remaining;
 	int len;
 
+	/* In case all data requested has already been buffered, return. */
+	if (length <= (buf->end - buf->cur)) {
+		return 0;
+	}
+
 	/* Calculate how much data we need to read from the transport,
 	 * given the already buffered data.
 	 */
 	remaining = length - (buf->end - buf->cur);
-	if (remaining <= 0) {
-		return 0;
-	}
 
 	/* Check if read does not exceed the buffer. */
-	if (buf->end + remaining > client->rx_buf + client->rx_buf_size) {
-		MQTT_ERR("[CID %p]: Buffer too small to receive the message",
+	if ((buf->end + remaining > client->rx_buf + client->rx_buf_size) ||
+	    (buf->end + remaining < client->rx_buf)) {
+		MQTT_ERR("[CID %p]: Read would exceed RX buffer bounds.",
 			 client);
 		return -ENOMEM;
 	}