From: Daniel Stenberg Date: Tue, 13 Jan 2026 07:20:12 +0000 (+0100) Subject: mqtt: better too-big-message-check X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dac98ccfa27a392edd946227483bfac8f466219a;p=thirdparty%2Fcurl.git mqtt: better too-big-message-check Reported-by: gudyuu on hackerone Reviewed-by: Daniel Gustafsson Bug: https://hackerone.com/reports/3508500 Closes #20281 --- diff --git a/lib/mqtt.c b/lib/mqtt.c index 5f5c91a49a..fc3389e7f5 100644 --- a/lib/mqtt.c +++ b/lib/mqtt.c @@ -562,7 +562,7 @@ static CURLcode mqtt_publish(struct Curl_easy *data) remaininglength = payloadlen + 2 + topiclen; encodelen = mqtt_encode_len(encodedbytes, remaininglength); - if(MAX_MQTT_MESSAGE_SIZE - remaininglength - 1 < encodelen) { + if(remaininglength > (MAX_MQTT_MESSAGE_SIZE - encodelen - 1)) { result = CURLE_TOO_LARGE; goto fail; }
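Review bot: In the mqtt_publish hunk, the sum `remaininglength = payloadlen + 2 + topiclen;` is still computed before any bound is applied, so the rewritten comparison only helps if that addition cannot itself wrap. The types of payloadlen, topiclen and remaininglength are not visible in this context. If they are unsigned, the new form is right to subtract only the small encodelen from the constant rather than subtracting remaininglength from it. A very large payloadlen or topiclen could still wrap the sum to a small value that passes `remaininglength > (MAX_MQTT_MESSAGE_SIZE - encodelen - 1)`. Consider rejecting payloadlen and topiclen individually against MAX_MQTT_MESSAGE_SIZE before adding them. Also note that mqtt_encode_len(encodedbytes, remaininglength) runs ahead of the size check, so it sees the unvalidated length. Moving the check, or a coarse pre-check, ahead of the encode call would keep the encoder from ever handling an out-of-range value. The commit message says "better" without stating what input the old expression mishandled. One sentence on that, plus a regression test with an oversized payload expecting CURLE_TOO_LARGE, would make the fix verifiable from the tree.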