Fix for GCC fuzz build and minor Fenrir reports

dgarske · dgarske · commit a5f58fb911dd · 2026-03-18T13:38:03.000-07:00
diff --git a/src/mqtt_broker.c b/src/mqtt_broker.c
@@ -224,7 +224,7 @@ static void BrokerStore_String(char** dst_ptr,
         BrokerStore_String(&(dst), src, len, 1)
 #endif
 
-#ifdef ENABLE_MQTT_TLS
+#if defined(ENABLE_MQTT_TLS) && !defined(WOLFMQTT_BROKER_CUSTOM_NET)
 static int BrokerTls_Init(MqttBroker* broker)
 {
     WOLFSSL_CTX* ctx = NULL;
@@ -347,7 +347,7 @@ static void BrokerTls_Free(MqttBroker* broker)
     }
     wolfSSL_Cleanup();
 }
-#endif /* ENABLE_MQTT_TLS */
+#endif /* ENABLE_MQTT_TLS && !WOLFMQTT_BROKER_CUSTOM_NET */
 
 /* -------------------------------------------------------------------------- */
 /* wolfIP network backend                                                      */
@@ -2657,6 +2657,10 @@ static int BrokerHandle_Connect(BrokerClient* bc, int rx_len,
     rc = MqttDecode_Connect(bc->rx_buf, rx_len, &mc);
     if (rc < 0) {
         WBLOG_ERR(broker, "broker: CONNECT decode failed rc=%d", rc);
+    #ifdef WOLFMQTT_V5
+        if (mc.props) { (void)MqttProps_Free(mc.props); }
+        if (lwt.props) { (void)MqttProps_Free(lwt.props); }
+    #endif
         return rc;
     }
 
@@ -3848,11 +3852,14 @@ int MqttBroker_Free(MqttBroker* broker)
 
 #ifdef ENABLE_MQTT_TLS
     if (broker->tls_ctx != NULL) {
+    #if !defined(WOLFMQTT_BROKER_CUSTOM_NET)
         if (broker->tls_ctx_owned) {
             /* Context was created by BrokerTls_Init: full cleanup */
             BrokerTls_Free(broker);
         }
-        else {
+        else
+    #endif
+        {
             /* Application-provided TLS context: free ctx but skip
              * wolfSSL_Cleanup() since wolfSSL may be shared */
             wolfSSL_CTX_free(broker->tls_ctx);
diff --git a/src/mqtt_packet.c b/src/mqtt_packet.c
@@ -646,7 +646,8 @@ int MqttDecode_Props(MqttPacketType packet, MqttProp** props, byte* pbuf,
                 tmp = MqttDecode_Vbi(buf, &cur_prop->data_int,
                         (word32)(buf_len - (buf - pbuf)));
                 if (tmp < 0) {
-                    return tmp;
+                    rc = tmp;
+                    break;
                 }
                 buf += tmp;
                 total += tmp;
diff --git a/src/mqtt_sn_packet.c b/src/mqtt_sn_packet.c
@@ -809,7 +809,7 @@ int SN_Decode_Register(byte *rx_buf, int rx_buf_len, SN_Register *regist)
         rx_payload += MqttDecode_Num(rx_payload, (word16*)&total_len, (word32)(rx_buf_len - (rx_payload - rx_buf)));
     }
 
-    if (total_len > rx_buf_len) {
+    if (total_len >= rx_buf_len) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
     }
     if (total_len < 7) {
@@ -1086,6 +1086,9 @@ int SN_Encode_Publish(byte *tx_buf, int tx_buf_len, SN_Publish *publish)
     *tx_payload++ = flags;
 
     /* Encode topic */
+    if (publish->topic_name == NULL) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_BAD_ARG);
+    }
     if ((publish->topic_type == SN_TOPIC_ID_TYPE_SHORT) ||
         (publish->topic_type == SN_TOPIC_ID_TYPE_PREDEF)) {
         /* Short and predefined topic names are 2 chars */
@@ -1102,6 +1105,9 @@ int SN_Encode_Publish(byte *tx_buf, int tx_buf_len, SN_Publish *publish)
     tx_payload += MqttEncode_Num(tx_payload, publish->packet_id);
 
     /* Encode payload */
+    if (publish->total_len > 0 && publish->buffer == NULL) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_BAD_ARG);
+    }
     XMEMCPY(tx_payload, publish->buffer, publish->total_len);
     tx_payload += publish->total_len;
 
