Fix possible heap corruption due to PubSubClient memmove
Fix possible heap corruption due to invalid PubSubClient memmove parameters (#13700)
parent
00c937953b
commit
41d958020e
@ -439,6 +439,17 @@ boolean PubSubClient::loop() {
|
||||
if (type == MQTTPUBLISH) {
|
||||
if (callback) {
|
||||
uint16_t tl = (this->buffer[llen+1]<<8)+this->buffer[llen+2]; /* topic length in bytes */
|
||||
|
||||
// Start Tasmota patch
|
||||
// Observed heap corruption in some cases since v10.0.0
|
||||
// Also see https://github.com/knolleary/pubsubclient/pull/843
|
||||
if (llen+3+tl>this->bufferSize) {
|
||||
_state = MQTT_DISCONNECTED;
|
||||
_client->stop();
|
||||
return false;
|
||||
}
|
||||
// End Tasmota patch
|
||||
|
||||
memmove(this->buffer+llen+2,this->buffer+llen+3,tl); /* move topic inside buffer 1 byte to front */
|
||||
this->buffer[llen+2+tl] = 0; /* end the topic as a 'C' string with \x00 */
|
||||
char *topic = (char*) this->buffer+llen+2;
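Review bot: The new guard `if (llen+3+tl>this->bufferSize)` bounds the declared topic length against the buffer's capacity, not against the number of bytes actually received for this packet, so a PUBLISH whose topic length overruns the packet but still fits the buffer passes the check. The `memmove` and the terminating write then stay inside the allocation, but the topic handed to the callback would include stale bytes left from earlier packets, and any payload length computed after this hunk from the received length minus `tl` could wrap (that code is outside the hunk, so this is inferred). Consider also rejecting the packet when the topic extends past the received data, e.g. `if (llen+3+tl > this->bufferSize || llen+3+tl > len) {`, assuming `len` is the value returned by the packet read earlier in `loop()`; confirm the name against the full function. `PubSubClient::loop()` starts before and continues after the hunk.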
|