Merge pull request #166 from flavio-fernandes/protect.buffer
Adafruit_MQTT::publishPacket: Protect against memory corruption.
This commit is contained in:
commit
ca12d21eb2
@ -323,7 +323,8 @@ bool Adafruit_MQTT::publish(const char *topic, const char *data, uint8_t qos) {
|
|||||||
bool Adafruit_MQTT::publish(const char *topic, uint8_t *data, uint16_t bLen,
|
bool Adafruit_MQTT::publish(const char *topic, uint8_t *data, uint16_t bLen,
|
||||||
uint8_t qos) {
|
uint8_t qos) {
|
||||||
// Construct and send publish packet.
|
// Construct and send publish packet.
|
||||||
uint16_t len = publishPacket(buffer, topic, data, bLen, qos);
|
uint16_t len =
|
||||||
|
publishPacket(buffer, topic, data, bLen, qos, (uint16_t)sizeof(buffer));
|
||||||
if (!sendPacket(buffer, len))
|
if (!sendPacket(buffer, len))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
@ -668,11 +669,26 @@ uint8_t Adafruit_MQTT::connectPacket(uint8_t *packet) {
|
|||||||
return len;
|
return len;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// packetAdditionalLen is a helper function used to figure out
|
||||||
|
// how bigger the payload needs to be in order to account for
|
||||||
|
// its variable length field. As per
|
||||||
|
// http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Table_2.4_Size
|
||||||
|
static uint16_t packetAdditionalLen(uint16_t currLen) {
|
||||||
|
/* Increase length field based on current length */
|
||||||
|
if (currLen < 128)
|
||||||
|
return 0;
|
||||||
|
if (currLen < 16384)
|
||||||
|
return 1;
|
||||||
|
if (currLen < 2097151)
|
||||||
|
return 2;
|
||||||
|
return 3;
|
||||||
|
}
|
||||||
|
|
||||||
// as per
|
// as per
|
||||||
// http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Toc398718040
|
// http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Toc398718040
|
||||||
uint16_t Adafruit_MQTT::publishPacket(uint8_t *packet, const char *topic,
|
uint16_t Adafruit_MQTT::publishPacket(uint8_t *packet, const char *topic,
|
||||||
uint8_t *data, uint16_t bLen,
|
uint8_t *data, uint16_t bLen, uint8_t qos,
|
||||||
uint8_t qos) {
|
uint16_t maxPacketLen) {
|
||||||
uint8_t *p = packet;
|
uint8_t *p = packet;
|
||||||
uint16_t len = 0;
|
uint16_t len = 0;
|
||||||
|
|
||||||
@ -682,7 +698,22 @@ uint16_t Adafruit_MQTT::publishPacket(uint8_t *packet, const char *topic,
|
|||||||
if (qos > 0) {
|
if (qos > 0) {
|
||||||
len += 2; // qos packet id
|
len += 2; // qos packet id
|
||||||
}
|
}
|
||||||
len += bLen; // payload length
|
// Calculate additional bytes for length field (if any)
|
||||||
|
uint16_t additionalLen = packetAdditionalLen(len + bLen);
|
||||||
|
|
||||||
|
// Payload length. When maxPacketLen provided is 0, let's
|
||||||
|
// assume buffer is big enough. Fingers crossed.
|
||||||
|
if (maxPacketLen == 0 || (len + bLen + 2 + additionalLen <= maxPacketLen)) {
|
||||||
|
len += bLen + additionalLen;
|
||||||
|
} else {
|
||||||
|
// If we make it here, we got a pickle: the payload is not going
|
||||||
|
// to fit in the packet buffer. Instead of corrupting memory, let's
|
||||||
|
// do something less damaging by reducing the bLen to what we are
|
||||||
|
// able to accomodate. Alternatively, consider using a bigger
|
||||||
|
// maxPacketLen.
|
||||||
|
bLen = maxPacketLen - (len + 2 + packetAdditionalLen(maxPacketLen));
|
||||||
|
len = maxPacketLen - 4;
|
||||||
|
}
|
||||||
|
|
||||||
// Now you can start generating the packet!
|
// Now you can start generating the packet!
|
||||||
p[0] = MQTT_CTRL_PUBLISH << 4 | qos << 1;
|
p[0] = MQTT_CTRL_PUBLISH << 4 | qos << 1;
|
||||||
|
@ -262,7 +262,7 @@ private:
|
|||||||
uint8_t connectPacket(uint8_t *packet);
|
uint8_t connectPacket(uint8_t *packet);
|
||||||
uint8_t disconnectPacket(uint8_t *packet);
|
uint8_t disconnectPacket(uint8_t *packet);
|
||||||
uint16_t publishPacket(uint8_t *packet, const char *topic, uint8_t *payload,
|
uint16_t publishPacket(uint8_t *packet, const char *topic, uint8_t *payload,
|
||||||
uint16_t bLen, uint8_t qos);
|
uint16_t bLen, uint8_t qos, uint16_t maxPacketLen = 0);
|
||||||
uint8_t subscribePacket(uint8_t *packet, const char *topic, uint8_t qos);
|
uint8_t subscribePacket(uint8_t *packet, const char *topic, uint8_t qos);
|
||||||
uint8_t unsubscribePacket(uint8_t *packet, const char *topic);
|
uint8_t unsubscribePacket(uint8_t *packet, const char *topic);
|
||||||
uint8_t pingPacket(uint8_t *packet);
|
uint8_t pingPacket(uint8_t *packet);
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
name=Adafruit MQTT Library
|
name=Adafruit MQTT Library
|
||||||
version=2.1.1
|
version=2.2.0
|
||||||
author=Adafruit
|
author=Adafruit
|
||||||
maintainer=Adafruit <info@adafruit.com>
|
maintainer=Adafruit <info@adafruit.com>
|
||||||
sentence=MQTT library that supports the FONA, ESP8266, Yun, and generic Arduino Client hardware.
|
sentence=MQTT library that supports the FONA, ESP8266, Yun, and generic Arduino Client hardware.
|
||||||
|
Loading…
Reference in New Issue
Block a user