MQTTPacket_readPacket 这个接口会导致内存溢出

发布于 2020-02-04 17:08:49 浏览：2430 订阅该版

`MQTTPacket_readPacket`接口存在bug，如果接受的数据超过缓冲区的长度会出现内存溢出，没有判断缓冲区的长度。mqtt这个有点复杂，不知道怎么修复这个问题
```c
static int MQTTPacket_readPacket(MQTTClient *c)
{
    int rc = PAHO_FAILURE;
    MQTTHeader header = {0};
    int len = 0;
    int rem_len = 0;

/* 1. read the header byte. This has the packet type in it */
    if (net_read(c, c->readbuf, 1, 0) != 1)
        goto exit;

len = 1;
    /* 2. read the remaining length. This is variable in itself */

decodePacket(c, &rem_len, 50);

len += MQTTPacket_encode(c->readbuf + 1, rem_len); /* put the original remaining length back into the buffer */

/* 3. read the rest of the buffer using a callback to supply the rest of the data */

if (rem_len > 0 && (net_read(c, c->readbuf + len, rem_len, 300) != rem_len))

goto exit;

header.byte = c->readbuf[0];
    rc = header.bits.type;

exit:
    return rc;
}
```

rem_len 是网络的待接收的数据长度.
`c->readbuf`是接收数据的缓冲区，如果rem_len的值大于readbuf的大小就会出现溢出
    
```c
static int net_read(MQTTClient *c, unsigned char *buf, int len, int timeout)
{
    int bytes = 0;
    int rc;

while (bytes < len)
    {

#ifdef MQTT_USING_TLS
        if (c->tls_session)
        {
            rc = mbedtls_client_read(c->tls_session, &buf[bytes], (size_t)(len - bytes));
            if (rc <= 0)
            {
                bytes = -1;
                break;
            }
            else
            {
                bytes += rc;
            }
            goto _continue;
        }
#endif

rc = recv(c->sock, &buf[bytes], (size_t)(len - bytes), MSG_DONTWAIT);

if (rc == -1)
        {
            if (errno != ENOTCONN && errno != ECONNRESET)
            {
                bytes = -1;
                break;
            }
        }
        else
            bytes += rc;

#ifdef MQTT_USING_TLS
    _continue:
#endif
        if (bytes >= len)
        {
            break;
        }

if (timeout > 0)
        {
            fd_set readset;
            struct timeval interval;

LOG_D("net_read %d:%d, timeout:%d", bytes, len, timeout);

// modify by k999 ([email]hijxyz@163.com[/email])
            if (timeout >= 1000)
            {
                interval.tv_sec = timeout / 1000;
                interval.tv_usec = (timeout % 1000) * 1000;
            }
            else
            {
                interval.tv_sec = 0;
                interval.tv_usec = timeout * 1000;
            }

timeout = 0;

FD_ZERO(&readset);
            FD_SET(c->sock, &readset);

select(c->sock + 1, &readset, RT_NULL, RT_NULL, &interval);
        }
        else
        {
            LOG_D("net_read %d:%d, break!", bytes, len);
            break;
        }
    }

return bytes;
}
```