From 333d193a863025ac88afdd2e3b2eeca288d6fc10 Mon Sep 17 00:00:00 2001
From: jmestwa-coder
Date: Sat, 23 May 2026 16:33:34 +0530
Subject: [PATCH] bound VBI by rx_buf_len - 1 in MqttDecode_FixedHeader

---
 src/mqtt_packet.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/mqtt_packet.c b/src/mqtt_packet.c
index 4b387d9c..3504447a 100644
--- a/src/mqtt_packet.c
+++ b/src/mqtt_packet.c
@@ -369,8 +369,18 @@ static int MqttDecode_FixedHeader(byte *rx_buf, int rx_buf_len, int *remain_len,
     int header_len;
     MqttPacket* header = (MqttPacket*)rx_buf;
 
+    /* header->len starts one byte into rx_buf (after type_flags), so the
+     * Remaining-Length VBI has at most rx_buf_len - 1 bytes available.
+     * Without this guard MqttDecode_Vbi was passed rx_buf_len and could
+     * read one byte past the caller-supplied buffer when the only length
+     * byte present has the continuation bit set. */
+    if (rx_buf_len < MQTT_PACKET_HEADER_MIN_SIZE) {
+        return MQTT_TRACE_ERROR(MQTT_CODE_ERROR_OUT_OF_BUFFER);
+    }
+
     /* Decode the length remaining */
-    header_len = MqttDecode_Vbi(header->len, (word32*)remain_len, rx_buf_len);
+    header_len = MqttDecode_Vbi(header->len, (word32*)remain_len,
+        (word32)(rx_buf_len - sizeof(header->type_flags)));
     if (header_len < 0) {
         return header_len;
     }
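Review bot: The added comment attributes the over-read fix to the wrong line: "Without this guard MqttDecode_Vbi was passed rx_buf_len and could read one byte past" describes what the narrowed length argument on the rewritten MqttDecode_Vbi call fixes, whereas the `rx_buf_len < MQTT_PACKET_HEADER_MIN_SIZE` check only rejects buffers too short to hold type_flags plus one length byte and keeps the int-minus-size_t subtraction below from wrapping in size_t. I would shorten the comment above the guard to `/* Need type_flags plus at least one Remaining-Length byte; also keeps the size_t subtraction below from wrapping. */` and put the "at most rx_buf_len - 1 bytes available" sentence directly above the call that applies it. The guard also silently relies on MQTT_PACKET_HEADER_MIN_SIZE being at least sizeof(header->type_flags) + 1, which this hunk cannot show; a one-line comment (or a compile-time check, if the project's C standard allows it) stating that dependency would make the bound self-evident. Whether MqttDecode_Vbi itself reports MQTT_CODE_ERROR_OUT_OF_BUFFER when the VBI is truncated at the new bound is not visible here and is worth confirming. MqttDecode_FixedHeader's body continues past the end of the hunk.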