From: Daniel Stenberg
Date: Thu, 1 Jan 2026 22:07:53 +0000 (+0100)
Subject: mqtt: return error when a too large packet is decoded
X-Git-Tag: curl-8_18_0~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84e43eefc856834a3a9060684a703fe0c2d2a126;p=thirdparty%2Fcurl.git
mqtt: return error when a too large packet is decoded
Closes #20148
---
diff --git a/lib/mqtt.c b/lib/mqtt.c
index 74ba90a4a7..2ba1ca73e9 100644
--- a/lib/mqtt.c
+++ b/lib/mqtt.c
@@ -634,8 +634,8 @@ fail:
 return result;
 }
-static size_t mqtt_decode_len(unsigned char *buf,
- size_t buflen, size_t *lenbytes)
+/* return 0 on success, non-zero on error */
+static int mqtt_decode_len(size_t *lenp, unsigned char *buf, size_t buflen)
 {
 size_t len = 0;
 size_t mult = 1;
@@ -643,15 +643,15 @@ static size_t mqtt_decode_len(unsigned char *buf,
 unsigned char encoded = 128;
 for(i = 0; (i < buflen) && (encoded & 128); i++) {
+ if(i == 4)
+ return 1; /* bad size */
 encoded = buf[i];
 len += (encoded & 127) * mult;
 mult *= 128;
 }
- if(lenbytes)
- *lenbytes = i;
-
- return len;
+ *lenp = len;
+ return 0;
 }
 #ifdef DEBUGBUILD
@@ -915,7 +915,10 @@ static CURLcode mqtt_doing(struct Curl_easy *data, bool *done)
 result = CURLE_WEIRD_SERVER_REPLY;
 if(result)
 break;
- mq->remaining_length = mqtt_decode_len(mq->pkt_hd, mq->npacket, NULL);
+ if(mqtt_decode_len(&mq->remaining_length, mq->pkt_hd, mq->npacket)) {
+ result = CURLE_WEIRD_SERVER_REPLY;
+ break;
+ }
 mq->npacket = 0;
 if(mq->remaining_length) {
 mqstate(data, mqtt->nextstate, MQTT_NOSTATE);
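Review bot: The new header comment on mqtt_decode_len states only the return convention; it should also say what is decoded and what happens to `*lenp` on failure, since the only write to it is on the success path in the next hunk. Something like `/* Decode an MQTT variable-byte length (at most four bytes) from buf into *lenp. Return 0 on success, non-zero on a bad encoding; *lenp is untouched on error. */` would cover both. As the signature is being rewritten anyway, `buf` could become `const unsigned char *buf`, because the loop only reads through it. The function body continues in the following hunk.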
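Review bot: The `if(i == 4)` guard fires only when a fifth byte is present, so a four-byte buffer whose last byte still has the continuation bit set returns 0 with a partial length instead of an error. The caller in mqtt_doing appears to reject that case before calling (the `CURLE_WEIRD_SERVER_REPLY` assignment visible in the third hunk's context), but the decoder would be self-contained if it checked termination itself: after the loop, `if(encoded & 128) return 1; /* unterminated encoding */` before `*lenp = len;`. That keeps the function safe for any future caller that hands it a shorter or unvalidated buffer. Note that the same check also turns an empty buffer into an error, since `encoded` starts at 128; whether a zero `buflen` can reach this function is not visible here. The loop variable `i` is declared above this hunk.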
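Review bot: The new failure branch repeats the `result = CURLE_WEIRD_SERVER_REPLY; break;` pair that sits two lines above it, giving this state two exit paths with the same outcome. Folding the decode into the existing check keeps a single one: `if(!result && mqtt_decode_len(&mq->remaining_length, mq->pkt_hd, mq->npacket)) result = CURLE_WEIRD_SERVER_REPLY;` followed by the unchanged `if(result) break;`. Either way, a short failf() naming the oversized remaining-length would tell the user why the transfer was aborted, assuming that matches how the surrounding code reports protocol errors. mqtt_doing begins and ends outside this hunk.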