Fix from review

Author: embhorn

src/mqtt_broker.c

@@ -135,7 +135,9 @@
  * Iterates exactly cmp_len times so loop duration is independent of
  * either input's length; cmp_len is a caller-supplied fixed bound
  * (the credential buffer size). Length mismatch is folded in via the
- * final XOR. Returns 0 if equal, non-zero if different. */
+ * final XOR. Inputs with length >= cmp_len force a mismatch to prevent
+ * bypass when both strings match in the first cmp_len bytes but differ
+ * beyond. Returns 0 if equal, non-zero if different. */
 static int BrokerStrCompare(const char* a, const char* b, int cmp_len)
 {
     int result = 0;
@@ -152,6 +154,10 @@ static int BrokerStrCompare(const char* a, const char* b, int cmp_len)
         result |= (a[ia] ^ b[ib]);
     }
     result |= (len_a ^ len_b);
+    /* Force mismatch if either input meets or exceeds cmp_len, since the
+     * loop cannot observe bytes beyond that bound. */
+    result |= (len_a >= cmp_len);
+    result |= (len_b >= cmp_len);
     return result;
 }
 #endif /* WOLFMQTT_BROKER_AUTH */

src/mqtt_client.c

@@ -1739,9 +1739,11 @@ int MqttClient_Connect(MqttClient *client, MqttConnect *mc_connect)
             wm_SemUnlock(&client->lockClient);
         }
         if (rc != 0) {
+            /* Save write.len before MqttWriteStop zeroes client->write */
+            int xfer = client->write.len;
             MqttWriteStop(client, &mc_connect->stat);
             /* Clear tx_buf to remove plaintext credentials before returning */
-            CLIENT_FORCE_ZERO(client->tx_buf, client->write.len);
+            CLIENT_FORCE_ZERO(client->tx_buf, xfer);
             return rc; /* Error locking client */
         }
     #endif