Merge pull request #473 from embhorn/fenrir_3.16

Fixes for various fenrir issues

Author: dgarske

src/mqtt_packet.c

@@ -2606,36 +2606,36 @@ int MqttDecode_Auth(byte *rx_buf, int rx_buf_len, MqttAuth *auth)
     }
     rx_payload = &rx_buf[header_len];
 
-    /* Decode variable header */
-    auth->reason_code = *rx_payload++;
-    if ((auth->reason_code == MQTT_REASON_SUCCESS) ||
-        (auth->reason_code == MQTT_REASON_CONT_AUTH))
-    {
-        auth->props = NULL;
-
-        /* Decode Length of Properties */
-        if (rx_buf_len < (rx_payload - rx_buf)) {
-            return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
-        }
-        tmp = MqttDecode_Vbi(rx_payload, &props_len,
-                (word32)(rx_buf_len - (rx_payload - rx_buf)));
-        if (tmp < 0)
-            return tmp;
-
-        if (props_len <= (word32)(rx_buf_len - (rx_payload - rx_buf))) {
-            rx_payload += tmp;
-            if ((rx_payload - rx_buf) > rx_buf_len) {
+    auth->props = NULL;
+    if (remain_len > 0) {
+        /* Decode variable header */
+        auth->reason_code = *rx_payload++;
+        if ((auth->reason_code == MQTT_REASON_SUCCESS) ||
+            (auth->reason_code == MQTT_REASON_CONT_AUTH))
+        {
+            /* Decode Length of Properties */
+            if (rx_buf_len < (rx_payload - rx_buf)) {
                 return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
             }
-            if (props_len > 0) {
-                /* Decode the Properties */
-                tmp = MqttDecode_Props(MQTT_PACKET_TYPE_AUTH,
-                        &auth->props, rx_payload,
-                        (word32)(rx_buf_len - (rx_payload - rx_buf)),
-                        props_len);
-                if (tmp < 0)
-                    return tmp;
+            tmp = MqttDecode_Vbi(rx_payload, &props_len,
+                    (word32)(rx_buf_len - (rx_payload - rx_buf)));
+            if (tmp < 0)
+                return tmp;
+
+            if (props_len <= (word32)(rx_buf_len - (rx_payload - rx_buf))) {
                 rx_payload += tmp;
+                if ((rx_payload - rx_buf) > rx_buf_len) {
+                    return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+                }
+                if (props_len > 0) {
+                    /* Decode the Properties */
+                    tmp = MqttDecode_Props(MQTT_PACKET_TYPE_AUTH,
+                            &auth->props, rx_payload,
+                            (word32)(rx_buf_len - (rx_payload - rx_buf)),
+                            props_len);
+                    if (tmp < 0)
+                        return tmp;
+                    rx_payload += tmp;
             }
             else if (auth->reason_code != MQTT_REASON_SUCCESS) {
                 /* The Reason Code and Property Length can be omitted if the
@@ -2657,9 +2657,15 @@ int MqttDecode_Auth(byte *rx_buf, int rx_buf_len, MqttAuth *auth)
         else {
             return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
         }
+        }
+        else {
+            return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
+        }
     }
     else {
-        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
+        /* Per MQTT 5.0 section 3.15.2: Remaining Length of 0 implies
+           Reason Code of 0x00 (Success) with no Properties */
+        auth->reason_code = MQTT_REASON_SUCCESS;
     }
 
     (void)rx_payload;
@@ -2668,6 +2674,8 @@ int MqttDecode_Auth(byte *rx_buf, int rx_buf_len, MqttAuth *auth)
     return header_len + remain_len;
 }
 
+/* Must be called once from a single thread before any concurrent access
+ * to MQTTv5 property functions. Not thread-safe if called concurrently. */
 int MqttProps_Init(void)
 {
     int ret = MQTT_CODE_SUCCESS;
@@ -2680,6 +2688,9 @@ int MqttProps_Init(void)
     return  ret;
 }
 
+/* Must be called once from a single thread after all concurrent access
+ * to MQTTv5 property functions has ceased. Not thread-safe if called
+ * concurrently. */
 int MqttProps_ShutDown(void)
 {
     int ret = MQTT_CODE_SUCCESS;

src/mqtt_sn_client.c

@@ -1235,6 +1235,7 @@ int SN_Client_WillTopicUpdate(MqttClient *client, SN_Will *will)
                 wm_SemUnlock(&client->lockClient);
             }
         #endif
+            return rc;
         }
     #ifdef WOLFMQTT_MULTITHREAD
         wm_SemUnlock(&client->lockSend);
@@ -1321,6 +1322,7 @@ int SN_Client_WillMsgUpdate(MqttClient *client, SN_Will *will)
                 wm_SemUnlock(&client->lockClient);
             }
         #endif
+            return rc;
         }
     #ifdef WOLFMQTT_MULTITHREAD
         wm_SemUnlock(&client->lockSend);
@@ -1663,6 +1665,7 @@ int SN_Client_Unsubscribe(MqttClient *client, SN_Unsubscribe *unsubscribe)
                 wm_SemUnlock(&client->lockClient);
             }
         #endif
+            return rc;
         }
     #ifdef WOLFMQTT_MULTITHREAD
         wm_SemUnlock(&client->lockSend);

src/mqtt_sn_packet.c

@@ -183,13 +183,16 @@ int SN_Decode_Advertise(byte *rx_buf, int rx_buf_len, SN_Advertise *gw_info)
 
     /* Decode fixed header */
     total_len = *rx_payload++;
-
-    /* Check message type */
-    type = *rx_payload++;
     if (total_len != 5) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
+    /* Check message type */
+    type = *rx_payload++;
     if (type != SN_MSG_TYPE_ADVERTISE) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_PACKET_TYPE);
     }
@@ -354,6 +357,10 @@ int SN_Decode_WillTopicReq(byte *rx_buf, int rx_buf_len)
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     type = *rx_payload++;
     if (type != SN_MSG_TYPE_WILLTOPICREQ) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_PACKET_TYPE);
@@ -450,6 +457,10 @@ int SN_Decode_WillMsgReq(byte *rx_buf, int rx_buf_len)
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     /* Message Type */
     type = *rx_payload++;
     if (type != SN_MSG_TYPE_WILLMSGREQ) {
@@ -582,7 +593,7 @@ int SN_Decode_WillTopicResponse(byte *rx_buf, int rx_buf_len, byte *ret_code)
     byte *rx_payload = rx_buf, type;
 
     /* Validate required arguments */
-    if (rx_buf == NULL || rx_buf_len <= 0) {
+    if (rx_buf == NULL || rx_buf_len <= 0 || ret_code == NULL) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_BAD_ARG);
     }
 
@@ -592,6 +603,10 @@ int SN_Decode_WillTopicResponse(byte *rx_buf, int rx_buf_len, byte *ret_code)
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     type = *rx_payload++;
     if (type != SN_MSG_TYPE_WILLTOPICRESP) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_PACKET_TYPE);
@@ -659,7 +674,7 @@ int SN_Decode_WillMsgResponse(byte *rx_buf, int rx_buf_len, byte *ret_code)
     byte *rx_payload = rx_buf, type;
 
     /* Validate required arguments */
-    if (rx_buf == NULL || rx_buf_len <= 0) {
+    if (rx_buf == NULL || rx_buf_len <= 0 || ret_code == NULL) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_BAD_ARG);
     }
 
@@ -669,6 +684,10 @@ int SN_Decode_WillMsgResponse(byte *rx_buf, int rx_buf_len, byte *ret_code)
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     type = *rx_payload++;
     if (type != SN_MSG_TYPE_WILLMSGRESP) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_PACKET_TYPE);
@@ -698,6 +717,10 @@ int SN_Decode_ConnectAck(byte *rx_buf, int rx_buf_len,
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     type = *rx_payload++;
     if (type != SN_MSG_TYPE_CONNACK) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_PACKET_TYPE);
@@ -875,6 +898,10 @@ int SN_Decode_RegAck(byte *rx_buf, int rx_buf_len, SN_RegAck *regack)
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     type = *rx_payload++;
     if (type != SN_MSG_TYPE_REGACK) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_PACKET_TYPE);
@@ -987,9 +1014,13 @@ int SN_Decode_SubscribeAck(byte* rx_buf, int rx_buf_len,
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     type = *rx_payload++;
     if (type != SN_MSG_TYPE_SUBACK) {
-        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_PACKET_TYPE);
     }
 
     /* Decode SubAck fields */
@@ -1063,7 +1094,9 @@ int SN_Encode_Publish(byte *tx_buf, int tx_buf_len, SN_Publish *publish)
     }
     else {
         /* Topic ID */
-        tx_payload += MqttEncode_Num(tx_payload, *(word16*)publish->topic_name);
+        word16 topic_id;
+        XMEMCPY(&topic_id, publish->topic_name, sizeof(topic_id));
+        tx_payload += MqttEncode_Num(tx_payload, topic_id);
     }
 
     tx_payload += MqttEncode_Num(tx_payload, publish->packet_id);
@@ -1128,9 +1161,12 @@ int SN_Decode_Publish(byte *rx_buf, int rx_buf_len, SN_Publish *publish)
 
     publish->topic_type = flags & SN_PACKET_FLAG_TOPICIDTYPE_MASK;
 
-    /* Decode payload */
-
-    publish->total_len = total_len - 7;
+    /* Decode payload: use pointer difference to account for both short (7)
+     * and extended-length (9) header formats */
+    if (total_len < (word16)(rx_payload - rx_buf)) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
+    }
+    publish->total_len = total_len - (word16)(rx_payload - rx_buf);
     publish->buffer = rx_payload;
     publish->buffer_pos = 0;
     publish->buffer_len = publish->total_len;
@@ -1310,6 +1346,10 @@ int SN_Decode_UnsubscribeAck(byte *rx_buf, int rx_buf_len,
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     type = *rx_payload++;
     if (type != SN_MSG_TYPE_UNSUBACK) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_PACKET_TYPE);
@@ -1374,6 +1414,10 @@ int SN_Decode_Disconnect(byte *rx_buf, int rx_buf_len)
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     type = *rx_payload++;
     if (type != SN_MSG_TYPE_DISCONNECT) {
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_PACKET_TYPE);
@@ -1434,6 +1478,10 @@ int SN_Decode_Ping(byte *rx_buf, int rx_buf_len)
         return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA);
     }
 
+    if (total_len > rx_buf_len) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     type = *rx_payload++;
     if ((type != SN_MSG_TYPE_PING_REQ) &&
         (type != SN_MSG_TYPE_PING_RESP)) {
@@ -1510,12 +1558,6 @@ int SN_Packet_Read(MqttClient *client, byte* rx_buf, int rx_buf_len,
         case MQTT_PK_READ_HEAD:
         {
             client->packet.stat = MQTT_PK_READ_HEAD;
-        }
-        FALL_THROUGH;
-
-        case MQTT_PK_READ:
-        {
-            client->packet.stat = MQTT_PK_READ;
 
             if (total_len > len) {
                 client->packet.remain_len = total_len - len;
@@ -1539,14 +1581,20 @@ int SN_Packet_Read(MqttClient *client, byte* rx_buf, int rx_buf_len,
                 client->packet.remain_len = rx_buf_len -
                                             client->packet.header_len;
             }
+        }
+        FALL_THROUGH;
+
+        case MQTT_PK_READ:
+        {
+            client->packet.stat = MQTT_PK_READ;
+
             if (MqttClient_Flags(client,0,0) & MQTT_CLIENT_FLAG_IS_DTLS) {
-                total_len -= client->packet.header_len;
                 idx = client->packet.header_len;
             }
             /* Read whole message */
             if (client->packet.remain_len > 0) {
                 rc = MqttSocket_Read(client, &rx_buf[idx],
-                        total_len, timeout_ms);
+                        client->packet.remain_len, timeout_ms);
                 if (rc <= 0) {
                     return MqttPacket_HandleNetError(client, rc);
                 }

wolfmqtt/mqtt_packet.h

@@ -708,7 +708,12 @@ WOLFMQTT_API int MqttEncode_Props(MqttPacketType packet, MqttProp* props,
     byte* buf);
 WOLFMQTT_API int MqttDecode_Props(MqttPacketType packet, MqttProp** props,
     byte* buf, word32 buf_len, word32 prop_len);
+/* Must be called once from a single thread before any concurrent access
+ * to MQTTv5 property functions. Not thread-safe if called concurrently. */
 WOLFMQTT_API int MqttProps_Init(void);
+/* Must be called once from a single thread after all concurrent access
+ * to MQTTv5 property functions has ceased. Not thread-safe if called
+ * concurrently. */
 WOLFMQTT_API int MqttProps_ShutDown(void);
 WOLFMQTT_API MqttProp* MqttProps_Add(MqttProp **head);
 WOLFMQTT_API int MqttProps_Free(MqttProp *head);