From 6e12a9b73cab79ca07dac648c0fcabc510924a18 Mon Sep 17 00:00:00 2001 From: dxbjavid Date: Thu, 21 May 2026 22:34:00 +0530 Subject: [PATCH] SN_Decode_Register: reject short total_len before NUL-terminator write Add a bounds check ensuring total_len covers at least the bytes the fixed header consumes (length + type + topicId + packet_id) before computing the topic-name length and writing the NUL terminator. A malformed REGISTER with extended-length encoding can declare a total_len smaller than the 8 bytes the extended header itself consumes (e.g. [0x01][0x00][0x07][type][topicId][packet_id]). With the prior code the index 'total_len - (rx_payload - rx_buf)' computes to a negative value, so the NUL terminator is written before regist->topicName instead of after, and regist->topicName ends up pointing past the parsed packet at non-NUL-terminated memory. When the SN client passes this topic name into the application register callback as a C string (e.g. printed via %s or measured with strlen()), the read walks past rx_buf into adjacent memory. ASAN flags this as a stack-buffer-overflow on the strlen() scan. --- src/mqtt_sn_packet.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/mqtt_sn_packet.c b/src/mqtt_sn_packet.c index 80e5a88e..2331e6f9 100644 --- a/src/mqtt_sn_packet.c +++ b/src/mqtt_sn_packet.c @@ -875,6 +875,15 @@ int SN_Decode_Register(byte *rx_buf, int rx_buf_len, SN_Register *regist) } rx_payload += rc; + /* total_len must cover at least the bytes consumed so far + * (length + type + topicId + packet_id); otherwise the topic-name + * length computation below underflows and the NUL terminator is + * written before regist->topicName, leaving the field pointing at + * non-terminated memory past the parsed packet. */ + if ((word32)total_len < (word32)(rx_payload - rx_buf)) { + return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_MALFORMED_DATA); + } + /* Decode Topic Name */ regist->topicName = (char*)rx_payload;
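Review bot: the new guard after `rx_payload += rc;` closes the underflow, but nothing visible in this hunk bounds `total_len` from above against `rx_buf_len`; if that upper-bound check is not already done earlier in `SN_Decode_Register` (before the shown context), an oversized `total_len` still makes `total_len - (rx_payload - rx_buf)` index past the end of `rx_buf` when the NUL terminator is written, so please confirm that check exists or add it alongside this one. Also, the comparison casts both operands to `word32`: if `total_len` can ever be negative after length decoding, the cast wraps it to a large value and the new check passes, so either compare as signed or reject `total_len < 0` explicitly. Finally, a regression test feeding the packet from the commit message (`[0x01][0x00][0x07][type][topicId][packet_id]`) into `SN_Decode_Register` and asserting it returns `MQTT_CODE_ERROR_MALFORMED_DATA` would lock this fix in.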